US-CERT releases public vulnerability note on WPA2 wireless security handshake

This post follows up on earlier post today: US CERT advisory on WPA2 wireless security flaw, sent to orgns (not public), https://ravisiyer.wordpress.com/2017/10/16/us-cert-advisory-on-wpa2-wireless-security-flaw/.

US-CERT released this PUBLIC note today: Vulnerability Note VU#228519; Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, released on 16th Oct. 2017, http://www.kb.cert.org/vuls/id/228519.

The impact section states, “An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames.”

The solution section states that installing updates (to WiFi router devices) is the solution. It provides a non-exhaustive vendor list (of USA vendors of such WiFi devices, I guess) with a status column showing whether they were affected by this vulnerability or not, and date columns showing when they were notified of this problem (e.g. Cisco 28th Aug 2017) and when they updated (their firmware to fix the vulnerability) (e.g. Cisco 10th Oct 2017).

In my JioFi 3 4G router case, the vendor is India specific, and is not listed in this CERT advisory.

On browsing the net I could not find any suitable results for JioFi 3 router firmware update for this problem.

I sent the following support message via email to Jio a little while back today:

Subject: Firmware update for JioFi 3 router to handle WPA2 vulnerability
Details: I would like to know when and where JioFi 3 router will provide firmware update to handle WPA2 vulnerability as documented in this US-CERT vulnerability note: Vulnerability Note VU#228519; Wi-Fi Protected Access II (WPA2) handshake traffic can be manipulated to induce nonce and session key reuse, released on 16th Oct. 2017, http://www.kb.cert.org/vuls/id/228519.
— end main support message sent to Jio —

I don’t think my TP-Link WN725N Wireless USB adapter would need a driver/firmware update for this issue. Its driver download page does not show any new updates in 2017. But I plan to check over the next few days whether TP-Link will put out some driver update for this adapter.

This entry was posted in Misc. Bookmark the permalink.