CVE-2017-13079 - Use of Insufficiently Random Values

Severity

28%

Complexity

55%

Confidentiality

48%

Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.

Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.

CVSS 3.0 Base Score 5.3. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVSS 2.0 Base Score 2.9. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:N/I:P/A:N).

Demo Examples

Use of Insufficiently Random Values

CWE-330

This code generates a unique random identifier for a user's session.


               
}
return rand();

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

This example also exhibits a Small Seed Space (CWE-339).

Use of Insufficiently Random Values

CWE-330

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.


               
}
return(baseUrl + ranGen.nextInt(400000000) + ".html");

This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

Overview

First reported 7 years ago

2017-10-17 13:29:00

Last updated 5 years ago

2019-10-03 00:03:00

Affected Software

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 17.04

17.04

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

FreeBSD

openSUSE Leap 42.2

42.2

openSUSE Leap 42.3

42.3

w1.fi Hostapd 0.2.4

0.2.4

w1.fi Hostapd 0.3.7

0.3.7

w1.fi Hostapd 0.4.7

0.4.7

w1.fi Hostapd 0.7.3

0.7.3

w1.fi Hostapd 1.1

1.1

w1.fi Hostapd 2.0

2.0

w1.fi Hostapd 2.1

2.1

w1.fi Hostapd 2.2

2.2

w1.fi hostapd 2.3

2.3

w1.fi hostapd 2.4

2.4

w1.fi Hostapd 2.5

2.5

w1.fi hostapd 2.6

2.6

w1.fi WPA Supplicant 0.2.4

0.2.4

w1.fi WPA Supplicant 0.2.5

0.2.5

w1.fi WPA Supplicant 0.2.6

0.2.6

w1.fi WPA Supplicant 0.2.7

0.2.7

w1.fi WPA Supplicant 0.2.8

0.2.8

w1.fi WPA Supplicant 0.3.7

0.3.7

w1.fi WPA Supplicant 0.3.8

0.3.8

w1.fi WPA Supplicant 0.3.9

0.3.9

w1.fi WPA Supplicant 0.3.10

0.3.10

w1.fi WPA Supplicant 0.3.11

0.3.11

w1.fi WPA Supplicant 0.4.7

0.4.7

w1.fi WPA Supplicant 0.4.8

0.4.8

w1.fi WPA Supplicant 0.4.9

0.4.9

w1.fi WPA Supplicant 0.4.10

0.4.10

w1.fi WPA Supplicant 0.4.11

0.4.11

w1.fi WPA Supplicant 0.5.7

0.5.7

w1.fi WPA Supplicant 0.5.8

0.5.8

w1.fi WPA Supplicant 0.5.9

0.5.9

w1.fi WPA Supplicant 0.5.10

0.5.10

w1.fi WPA Supplicant 0.5.11

0.5.11

w1.fi WPA Supplicant 0.6.8

0.6.8

w1.fi WPA Supplicant 0.6.9

0.6.9

w1.fi WPA Supplicant 0.6.10

0.6.10

w1.fi WPA Supplicant 0.7.3

0.7.3

w1.fi WPA Supplicant 1.0

1.0

w1.fi WPA Supplicant 1.1

1.1

w1.fi WPA Supplicant 2.0

2.0

w1.fi WPA Supplicant 2.1

2.1

w1.fi WPA Supplicant 2.2

2.2

w1.fi WPA Supplicant 2.3

2.3

w1.fi WPA Supplicant 2.4

2.4

w1.fi WPA Supplicant 2.5

2.5

w1.fi WPA Supplicant 2.6

2.6

SUSE Linux Enterprise Desktop 12 Service Pack 2

12

SUSE Linux Enterprise Desktop 12 Service Pack 3

12

SUSE Linux Enterprise Server 11 Service Pack 4

11

References

SUSE-SU-2017:2745

Third Party Advisory

SUSE-SU-2017:2752

Third Party Advisory

openSUSE-SU-2017:2755

Third Party Advisory

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt

Third Party Advisory

DSA-3999

Third Party Advisory

VU#228519

Third Party Advisory, US Government Resource

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

101274

Third Party Advisory, VDB Entry

1039573

Third Party Advisory, VDB Entry

1039576

Third Party Advisory, VDB Entry

1039577

Third Party Advisory, VDB Entry

1039578

Third Party Advisory, VDB Entry

1039581

Third Party Advisory, VDB Entry

1039585

Third Party Advisory, VDB Entry

USN-3455-1

Third Party Advisory

https://access.redhat.com/security/vulnerabilities/kracks

Third Party Advisory

https://cert.vde.com/en-us/advisories/vde-2017-005

https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf

[debian-lts-announce] 20181113 [SECURITY] [DLA 1573-1] firmware-nonfree security update

FreeBSD-SA-17:07

Third Party Advisory

GLSA-201711-03

https://source.android.com/security/bulletin/2017-11-01

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03792en_us

https://support.lenovo.com/us/en/product_security/LEN-17420

Third Party Advisory

20171016 Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II

Third Party Advisory

https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Third Party Advisory

https://www.krackattacks.com/

Technical Description, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.