Lucene search

K
centosCentOS ProjectCESA-2017:2907
HistoryOct 17, 2017 - 9:54 p.m.

wpa_supplicant security update

2017-10-1721:54:54
CentOS Project
lists.centos.org
157
wpa_supplicant
wpa2
krack
vulnerability
security update
wi-fi
cryptographic handshakes
cve-2017-13077
cve-2017-13078
cve-2017-13080
cve-2017-13082
cve-2017-13086
cve-2017-13087
cve-2017-13088
key reinstallation attacks

CVSS2

5.8

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.004

Percentile

74.4%

CentOS Errata and Security Advisory CESA-2017:2907

The wpa_supplicant packages contain an 802.1X Supplicant with support for WEP, WPA, WPA2 (IEEE 802.11i / RSN), and various EAP authentication methods. They implement key negotiation with a WPA Authenticator for client stations and controls the roaming and IEEE 802.11 authentication and association of the WLAN driver.

Security Fix(es):

  • A new exploitation technique called key reinstallation attacks (KRACK) affecting WPA2 has been discovered. A remote attacker within Wi-Fi range could exploit these attacks to decrypt Wi-Fi traffic or possibly inject forged Wi-Fi packets by manipulating cryptographic handshakes used by the WPA2 protocol. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)

Red Hat would like to thank CERT for reporting these issues. Upstream acknowledges Mathy Vanhoef (University of Leuven) as the original reporter of these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2017-October/084731.html

Affected packages:
wpa_supplicant

Upstream details at:
https://access.redhat.com/errata/RHSA-2017:2907

OSVersionArchitecturePackageVersionFilename
CentOS7x86_64wpa_supplicant<Β 2.6-5.el7_4.1wpa_supplicant-2.6-5.el7_4.1.x86_64.rpm

CVSS2

5.8

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

0.004

Percentile

74.4%