CVE-2017-13086 - Use of Insufficiently Random Values

Severity

54%

Complexity

55%

Confidentiality

106%

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tunneled Direct-Link Setup (TDLS) Peer Key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVSS 3.0 Base Score 6.8. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVSS 2.0 Base Score 5.4. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P).

Demo Examples

Use of Insufficiently Random Values

CWE-330

This code generates a unique random identifier for a user's session.


               
}
return rand();

Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

This example also exhibits a Small Seed Space (CWE-339).

Use of Insufficiently Random Values

CWE-330

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.


               
}
return(baseUrl + ranGen.nextInt(400000000) + ".html");

This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

Overview

First reported 7 years ago

2017-10-17 13:29:00

Last updated 5 years ago

2019-10-03 00:03:00

Affected Software

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 17.04

17.04

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

FreeBSD

openSUSE Leap 42.2

42.2

openSUSE Leap 42.3

42.3

w1.fi Hostapd 0.2.4

0.2.4

w1.fi Hostapd 0.3.7

0.3.7

w1.fi Hostapd 0.4.7

0.4.7

w1.fi Hostapd 0.7.3

0.7.3

w1.fi Hostapd 1.1

1.1

w1.fi Hostapd 2.0

2.0

w1.fi Hostapd 2.1

2.1

w1.fi Hostapd 2.2

2.2

w1.fi hostapd 2.3

2.3

w1.fi hostapd 2.4

2.4

w1.fi Hostapd 2.5

2.5

w1.fi hostapd 2.6

2.6

w1.fi WPA Supplicant 0.2.4

0.2.4

w1.fi WPA Supplicant 0.2.5

0.2.5

w1.fi WPA Supplicant 0.2.6

0.2.6

w1.fi WPA Supplicant 0.2.7

0.2.7

w1.fi WPA Supplicant 0.2.8

0.2.8

w1.fi WPA Supplicant 0.3.7

0.3.7

w1.fi WPA Supplicant 0.3.8

0.3.8

w1.fi WPA Supplicant 0.3.9

0.3.9

w1.fi WPA Supplicant 0.3.10

0.3.10

w1.fi WPA Supplicant 0.3.11

0.3.11

w1.fi WPA Supplicant 0.4.7

0.4.7

w1.fi WPA Supplicant 0.4.8

0.4.8

w1.fi WPA Supplicant 0.4.9

0.4.9

w1.fi WPA Supplicant 0.4.10

0.4.10

w1.fi WPA Supplicant 0.4.11

0.4.11

w1.fi WPA Supplicant 0.5.7

0.5.7

w1.fi WPA Supplicant 0.5.8

0.5.8

w1.fi WPA Supplicant 0.5.9

0.5.9

w1.fi WPA Supplicant 0.5.10

0.5.10

w1.fi WPA Supplicant 0.5.11

0.5.11

w1.fi WPA Supplicant 0.6.8

0.6.8

w1.fi WPA Supplicant 0.6.9

0.6.9

w1.fi WPA Supplicant 0.6.10

0.6.10

w1.fi WPA Supplicant 0.7.3

0.7.3

w1.fi WPA Supplicant 1.0

1.0

w1.fi WPA Supplicant 1.1

1.1

w1.fi WPA Supplicant 2.0

2.0

w1.fi WPA Supplicant 2.1

2.1

w1.fi WPA Supplicant 2.2

2.2

w1.fi WPA Supplicant 2.3

2.3

w1.fi WPA Supplicant 2.4

2.4

w1.fi WPA Supplicant 2.5

2.5

w1.fi WPA Supplicant 2.6

2.6

SUSE Linux Enterprise Desktop 12 Service Pack 2

12

SUSE Linux Enterprise Desktop 12 Service Pack 3

12

SUSE Linux Enterprise Server 11 Service Pack 4

11

References

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007.txt

Third Party Advisory

DSA-3999

Third Party Advisory

VU#228519

Third Party Advisory, US Government Resource

101274

Third Party Advisory, VDB Entry

1039573

Third Party Advisory, VDB Entry

1039576

Third Party Advisory, VDB Entry

1039577

Third Party Advisory, VDB Entry

1039578

Third Party Advisory, VDB Entry

1039581

Third Party Advisory, VDB Entry

USN-3455-1

Third Party Advisory

RHSA-2017:2907

Third Party Advisory

https://access.redhat.com/security/vulnerabilities/kracks

Third Party Advisory

https://cert.vde.com/en-us/advisories/vde-2017-005

https://cert-portal.siemens.com/productcert/pdf/ssa-901333.pdf

FreeBSD-SA-17:07

Third Party Advisory

GLSA-201711-03

https://source.android.com/security/bulletin/2017-11-01

https://support.lenovo.com/us/en/product_security/LEN-17420

Third Party Advisory

20171016 Multiple Vulnerabilities in Wi-Fi Protected Access and Wi-Fi Protected Access II

Third Party Advisory

https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Third Party Advisory

https://www.krackattacks.com/

Technical Description, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.