On October 16, 2017, a research paper with the title “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” was made publicly available. This paper discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access II (WPA2) protocols. These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point.

Additional research also led to the discovery of three additional vulnerabilities (not discussed in the original paper) affecting wireless supplicants supporting either the 802.11z (Extensions to Direct-Link Setup) standard or the 802.11v (Wireless Network Management) standard. The three additional vulnerabilities could also allow the reinstallation of a pairwise key, group key, or integrity group key.

Among these ten vulnerabilities, only one (CVE-2017-13082) may affect components of the wireless infrastructure (for example, Access Points), while the other nine vulnerabilities may affect only client devices.

Multiple Cisco wireless products are affected by these vulnerabilities. Cisco will release software updates that address these vulnerabilities. There are workarounds that address the vulnerabilities in CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, and CVE-2017-13082. There are no workarounds for CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088.

This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Product | Cisco Bug ID | Fixed Release Availability |
---|---|---|
Endpoint Clients and Client Software | ||
Cisco AnyConnect Secure Mobility Client - Network Access Manager | CSCvg35287 | 4.5.02036 and later |
Routing and Switching - Enterprise and Service Provider | ||
Cisco 1000 Series Connected Grid Routers | CSCvg67174 | No fix information available at this time. |
Routing and Switching - Small Business | ||
Cisco Small Business CVR100W Wireless-N VPN Router | CSCvg03682 | No fix will be provided for this product. |
Cisco Small Business RV315W Wireless-N VPN Router | CSCvf96844 | No fix will be provided for this product. |
Voice and Unified Communications Devices | ||
Cisco DX Series IP Phones (DX650, DX70 and DX80) running Android-based firmware. | CSCvg36461 | No fix information available at this time. |
Cisco DX Series IP Phones (DX70 and DX80) when running Collaboration Endpoint (CE) software | CSCvf71761 | 8.3.4 and later; 9.2.1 and later |
Cisco IP Phone 8861-3PCC | CSCvg38265 | 11.0.1MSR1 for CP-8861-3PCC |
Cisco IP Phone 8861 | CSCvf71751 | 12.0.1SR1 and later |
Cisco IP Phone 8865 | CSCvf71751 | 12.0.1SR1 and later |
Cisco Spark Board | CSCvg37142 | No fix information available at this time. |
Cisco Spark Room Series | CSCvf71761 | 8.3.4 and later; 9.2.1 and later |
Cisco Wireless IP Phone 8821 | CSCvf71749 | 11.0(3)SR5 and later |
Wireless | ||
Cisco 1100 Series Integrated Services Routers | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco 812 Series Integrated Services Routers | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco 819 Series Integrated Services Routers | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco 829 Industrial Integrated Services Routers | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco 860 Series Integrated Services Routers | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco 880 Series Integrated Services Routers | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco 890 Series Integrated Services Routers | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco AP541N Wireless Access Point | CSCvf96821 | No fix will be provided for this product. |
Cisco ASA 5506W-X w/ FirePOWER Services | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1040 Series Access Points | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1140 Series Access Points | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1250 Series Access Points | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1260 Series Access Points | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1520 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1530 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1540 Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1550 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1560 Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1570 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1600 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1700 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1810 Series OfficeExtend Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1810w Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1815 Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1830 Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 1850 Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 2600 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 2700 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 2800 Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 3500 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 3600 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 3700 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 3800 Series Access Points | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet 700 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet AP801 Access Point | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet AP802 Access Point | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet AP803 Access Point | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Aironet Access Points | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Industrial Wireless 3700 Series | CSCvg42682 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco Meraki MR11 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR12 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR14 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR16 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR18 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR24 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR26 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR30H | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24.x: affected - no fixes will be made available; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR32 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR33 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24.x: affected - no fixes will be made available; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR34 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR42 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR52 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR53 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR58 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR62 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR66 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR72 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR74 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24.x: affected - no fixes will be made available; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Meraki MR84 | N/A | MR20.x and previous releases: not affected; MR21.x: affected - no fixes will be made available; MR22.x: affected - no fixes will be made available; MR23.x: affected - no fixes will be made available; MR24 up to and including MR24.10: affected - first fixed in MR24.11; MR25 up to and including MR25.6: affected - first fixed in MR25.7 |
Cisco Mobility Express | CSCvg10793 | See the Fixed Software section of this advisory for fix availability depending on deployment scenario. |
Cisco WAP121 Wireless-N Access Point with Single Point Setup | CSCvf96789 | v1.0.6.6 |
Cisco WAP125 Wireless-AC Dual Band Desktop Access Point with PoE | CSCvf96792 | v1.0.0.7 |
Cisco WAP131 Wireless-N Dual Radio Access Point with PoE | CSCvf96801 | v1.0.2.15 |
Cisco WAP150 Wireless-AC/N Dual Radio Access Point with PoE | CSCvf96803 | v1.1.0.9 |
Cisco WAP321 Wireless-N Access Point with Single Point Setup | CSCvf96789 | v1.0.6.6 |
Cisco WAP351 Wireless-N Dual Radio Access Point with 5-Port Switch | CSCvf96801 | v1.0.2.15 |
Cisco WAP361 Wireless-AC N Dual Radio Wall Plate Access Point with PoE | CSCvf96803 | v1.1.0.9 |
Cisco WAP371 Wireless-AC N Access Point with Single Point Setup | CSCvf96814 | v1.3.0.6 |
Cisco WAP551 Wireless-N Single Radio Selectable Band Access Point | CSCvf96818 | v1.2.1.6 |
Cisco WAP561 Wireless-N Dual Radio Selectable Band Access Point | CSCvf96818 | v1.2.1.6 |
Cisco WAP571 Wireless-AC N Premium Dual Radio Access Point with PoE | CSCvf96820 | v1.0.1.11 |
Cisco WAP571E Wireless-AC N Premium Dual Radio Outdoor Access Point | CSCvf96820 | v1.0.1.11 |
Cisco WAP581 Wireless-AC Dual Radio Wave 2 Access Point with 2.5GbE LAN | CSCvg07495 | v1.0.0.7 |
The vulnerability identified by CVE ID CVE-2017-13082 may affect only deployments that support the fast BSS transition (FT) feature and have it enabled.
To determine whether the FT feature is enabled on a Wireless LAN Controller (WLC) device, administrators can log in to the device and use the show wlan command or the show wlan id command, depending on the device model. The following example shows the output of the show wlan 1 command for a controller where FT is enabled on wlan 1:

```
(w-3504-2)> show wlan 1
...
Security
   802.11 Authentication:........................ Open System
   FT Support.................................... Enabled
...
```

The following example shows the output of the show wlan id 1 command for a Cisco 5760 Series Wireless LAN Controller device where FT is disabled on wlan 1:

```
W-5760-2> show wlan id 1 | include FT\ Support
FT Support : Disabled
```

To determine whether the FT feature is enabled on a Standalone Access Point running Cisco IOS Software, administrators can log in to the device and use the show running-config | include dot11r command and verify that the command returns output:

```
AP# show running-config | include dot11r
authentication key-management wpa version 2 dot11r
```

Please note that FT is not supported on deployments running a Wireless LAN Controller with AireOS version 7.0 and previous releases, hence such deployments are not affected by CVE-2017-13082. The running AireOS version appears in the Product Version line of the show sysinfo output:

```
(5500-4) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 8.3.102.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... 6.0.182.0
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
. . .
```

The following command sets the EAPOL-Key retry count to 0 globally on the controller:

```
config advanced eap eapol-key-retries 0
```

The command show advanced eap can be used to verify that the configuration change is now active on the device (see the EAPOL-Key Max Retries line in the following example output):

```
(wlc-hostname)> show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 1000
EAPOL-Key Max Retries............................ 0
EAP-Broadcast Key Interval....................... 120
```

The same setting can also be applied per WLAN with the following commands. Both commands must be entered and WLAN-NUMBER should be replaced with the actual WLAN number:

```
config wlan security eap-params enable WLAN-NUMBER
config wlan security eap-params eapol-key-retries 0 WLAN-NUMBER
```

In the following example, the workaround is being implemented on WLAN number 24:

```
config wlan security eap-params enable 24
config wlan security eap-params eapol-key-retries 0 24
```

The show wlan command for that WLAN then shows the per-WLAN EAP parameters with EAPOL-Key Max Retries set to 0:

```
(wlc-hostname)> show wlan 24
WLAN Identifier.................................. X
Profile Name..................................... ftpsk
Network Name (SSID).............................. ftpsk
. . .
   Tkip MIC Countermeasure Hold-down Timer....... 60
   Eap-params.................................... Enabled
      EAP-Identity-Request Timeout (seconds)..... 30
      EAP-Identity-Request Max Retries........... 2
      EAP-Request Timeout (seconds).............. 30
      EAP-Request Max Retries.................... 2
      EAPOL-Key Timeout (milliseconds)........... 1000
      EAPOL-Key Max Retries...................... 0
```
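The FT check and the retry-count workaround above are both verified by reading controller "show" output, so an operator with many WLANs will want to check them mechanically. The following script is an added example, not Cisco's code or part of the advisory: it parses captured `show wlan <id>` and `show advanced eap` output (constructed samples modelled on the advisory's, embedded inline) and reports which WLANs have FT enabled while EAPOL-Key retries are still non-zero. It assumes that a WLAN with Eap-params Enabled uses its own retry value and otherwise inherits the global one.

```python
"""Audit captured Cisco WLC 'show' output for FT exposure to CVE-2017-13082
and for the advisory's workaround (EAPOL-Key retries set to 0).
Added example, not part of the Cisco advisory; assumes 'show wlan <id>' and
'show advanced eap' output has been saved to text."""
import re
from typing import Dict, Optional

# One "show" line: field name, dotted leader or colon, value. Handles both
#   "FT Support.................................... Enabled"   (AireOS)
#   "FT Support : Disabled"                                    (IOS-XE 5760)
_FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*(?::?\.{3,}|:)\s*(?P<val>\S.*?)\s*$")

def parse_show_output(text: str) -> Dict[str, str]:
    """Map field names to values; prompt and separator lines are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group("key"), m.group("val"))
    return fields

def ft_enabled(wlan: Dict[str, str]) -> Optional[bool]:
    """Fast BSS Transition state from the 'FT Support' line (None if absent)."""
    val = wlan.get("FT Support")
    return None if val is None else val.lower() == "enabled"

def effective_eapol_key_retries(wlan: Dict[str, str],
                                global_eap: Dict[str, str]) -> Optional[int]:
    """EAPOL-Key retry count that applies to one WLAN.
    Assumption of this example: a WLAN with 'Eap-params' Enabled uses its own
    per-WLAN value; otherwise the global 'show advanced eap' value applies."""
    if wlan.get("Eap-params", "").lower() == "enabled" and "EAPOL-Key Max Retries" in wlan:
        return int(wlan["EAPOL-Key Max Retries"])
    if "EAPOL-Key Max Retries" in global_eap:
        return int(global_eap["EAPOL-Key Max Retries"])
    return None  # value not visible in the captured output

def audit_wlan(wlan_id: str, wlan_out: str, global_out: str) -> Dict[str, object]:
    """Flag a WLAN as exposed when FT is on and EAPOL-Key retries are not 0.
    An unknown retry count (None) is treated as not hardened."""
    wlan = parse_show_output(wlan_out)
    retries = effective_eapol_key_retries(wlan, parse_show_output(global_out))
    ft = ft_enabled(wlan)
    return {"wlan": wlan_id, "ft_enabled": ft, "eapol_key_retries": retries,
            "workaround_applied": retries == 0,
            "exposed": bool(ft) and retries != 0}

# Constructed sample captures, modelled on the advisory's example output.
GLOBAL_DEFAULT = """\
(wlc-hostname)> show advanced eap
EAPOL-Key Max Retries............................ 2
"""
GLOBAL_HARDENED = GLOBAL_DEFAULT.replace(" 2\n", " 0\n")
WLAN_FT_GLOBAL = """\
(w-3504-2)> show wlan 1
Security
   802.11 Authentication:........................ Open System
   FT Support.................................... Enabled
"""
WLAN_FT_OVERRIDE = """\
(wlc-hostname)> show wlan 24
WLAN Identifier.................................. 24
FT Support....................................... Enabled
   Eap-params.................................... Enabled
      EAPOL-Key Max Retries...................... 0
"""
WLAN_NO_FT = "W-5760-2> show wlan id 1 | include FT\\ Support\nFT Support : Disabled\n"

if __name__ == "__main__":
    for wid, out, glob in (("1", WLAN_FT_GLOBAL, GLOBAL_DEFAULT),
                           ("1", WLAN_FT_GLOBAL, GLOBAL_HARDENED),
                           ("24", WLAN_FT_OVERRIDE, GLOBAL_DEFAULT),
                           ("1", WLAN_NO_FT, GLOBAL_DEFAULT)):
        print(audit_wlan(wid, out, glob))
```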
When Cisco releases software updates that address these vulnerabilities, customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Cisco Bug ID | Fixed Release Availability |
---|---|
CSCvg42682 | 8.0.152.0: available now; 8.2.166.0: available now; 8.3.133.0: available now; 8.5.105.0: available now; 8.6.100.0: TBD |
CSCvg10793 | 8.2.166.0: available now; 8.3.133.0: available now; 8.5.105.0: available now; 8.6.100.0: TBD |
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
These vulnerabilities were reported to Cisco by Dr. Mathy Vanhoef, PhD. Cisco would like to thank Dr. Vanhoef and Prof. Frank Piessens, both from Katholieke Universiteit Leuven, for their continued help and support during the handling of these vulnerabilities.
Cisco would also like to thank John Van Boxtel from Cypress Semiconductor Corp, who identified an additional attack vector into CVE-2017-13077.
Cisco collaborated with The Industry Consortium for Advancement of Security on the Internet (ICASI) during the investigation and disclosure of these vulnerabilities. More information can be found at http://www.icasi.org/wi-fi-protected-access-wpa-vulnerabilities.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
---|---|---|---|---|
2.9 | Updated first fixed release information for multiple products. | Vulnerable Products | Final | 2018-January-02 |
2.8 | Updated first fixed release information for multiple products. | Vulnerable Products | Final | 2017-December-14 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.