Introduction
Description
Version 1.1 - November 6, 2017
Version 1.0 - October 23, 2017
On October 16, 2017, Mathy Vanhoef of the University of Leuven released a research paper detailing several vulnerabilities in the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. Rockwell Automation, along with Cisco Systems, Inc. ("Cisco"), has determined that all versions of the Allen-Bradley® Stratix® 5100 Wireless Access Point/Workgroup Bridge ("Stratix 5100 WAP/WGB") are affected by one of these ten vulnerabilities when the device has been configured with a specific non-default configuration. This vulnerability can be exploited by a Key Reinstallation Attack (KRACK), in which a malicious actor tricks the victim into reinstalling a key that is already in use. A successful attack may allow the attacker to operate as a "man-in-the-middle" between the device and the wireless network. This could then be leveraged to manipulate the data stream, strip TLS/SSL and/or capture credentials and confidential information in transmission.
The Stratix 5100 wireless access point provides an 802.11-compliant Wi-Fi implementation that wirelessly connects client devices to an Ethernet-based network. The vulnerabilities are solely exploitable in close proximity to a device that is actively joining a previously joined wireless network.
Customers using this device are encouraged to evaluate the mitigations provided below, and apply the applicable mitigations to their deployed products. Additional details relating to the vulnerability are provided herein.
AFFECTED PRODUCTS
Stratix 5100 Wireless Access Point/ Workgroup Bridge
Version 15.3(3)JC1 and earlier
This includes the following catalogs:
- 1783-WAPAK9
- 1783-WAPBK9
- 1783-WAPCK9
- 1783-WAPEK9
- 1783-WAPNK9
- 1783-WAPTK9
- 1783-WAPZK9
VULNERABILITY DETAILS
Key Reinstallation Attacks ("KRACK") work against the four-way handshake of the WPA2 protocol. KRACK takes advantage of the retransmission of a handshake message to prompt the client to install the same encryption key every time it receives message 3 from the Access Point ("AP"). The AP retransmits the handshake message if it does not receive a proper client acknowledgement of the initial message; on the client, each installation resets the nonce value and replay counter to their initial values. A malicious actor could force these nonce resets by replaying the appropriate handshake message, which could allow for injection and decryption of arbitrary packets, hijacking of TCP connections, injection of HTTP content, or replaying of unicast or multicast data frames on the targeted device.
CVE-2017-13082 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 6.9/10 has been assigned. For a better understanding of how this score was generated, refer to the CVSS v3 vector string: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
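The following Python model illustrates the mechanism described above from a defender's point of view. It is an added example, not code from Rockwell Automation, Cisco, or the KRACK paper, and it does not implement 802.11: the handshake is reduced to "message 3 installs the PTK", the CCMP keystream is replaced by a hash so the script has no dependencies, and the key value is constructed. The vulnerable supplicant reinstalls the key and resets its packet number (the CCMP nonce counter) on every message 3; the hardened supplicant, as in the patched behaviour described by the advisory, acknowledges a retransmitted message 3 without reinstalling an already-installed key. A small monitor implements the check a defender cares about: the same (key, nonce) pair must never encrypt two frames.

```python
import hashlib
from typing import List, Optional, Set, Tuple


def keystream(ptk: bytes, nonce: int, length: int) -> bytes:
    """Stand-in for a counter-mode keystream: fully determined by (key, nonce).
    Hash-based only so the model runs offline; real CCMP uses AES-CTR."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big")
                              + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]


class Supplicant:
    """Toy model of the client side of the 4-way handshake (constructed)."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.ptk: Optional[bytes] = None
        self.nonce = 0  # packet number used as the per-frame nonce

    def handle_msg3(self, ptk: bytes) -> bool:
        """Process message 3. Returns True if the key was (re)installed."""
        if self.hardened and self.ptk == ptk:
            # Key already installed: send the acknowledgement (message 4)
            # but leave key and nonce untouched.
            return False
        self.ptk = ptk
        self.nonce = 0  # installing a key resets the packet number
        return True

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame under the installed key."""
        assert self.ptk is not None, "no key installed"
        self.nonce += 1
        ks = keystream(self.ptk, self.nonce, len(plaintext))
        return self.nonce, bytes(a ^ b for a, b in zip(plaintext, ks))


class NonceReuseMonitor:
    """Defender-side check: flag any (key, nonce) pair seen more than once."""

    def __init__(self) -> None:
        self.seen: Set[Tuple[bytes, int]] = set()
        self.reuses = 0

    def observe(self, ptk: bytes, nonce: int) -> None:
        key_id = hashlib.sha256(ptk).digest()[:8]  # never log the key itself
        if (key_id, nonce) in self.seen:
            self.reuses += 1
        self.seen.add((key_id, nonce))


def simulate(hardened: bool) -> Tuple[List[int], int]:
    """Run handshake, one frame, a retransmitted message 3, another frame.
    Returns the nonces used for the two frames and the reuse count."""
    ptk = b"constructed-sample-ptk-0123456789"  # constructed, not a real key
    sta = Supplicant(hardened)
    monitor = NonceReuseMonitor()
    nonces: List[int] = []

    sta.handle_msg3(ptk)            # normal handshake completes
    n, _ = sta.send(b"frame one")
    nonces.append(n)
    monitor.observe(ptk, n)

    sta.handle_msg3(ptk)            # AP retransmits message 3
    n, _ = sta.send(b"frame two")
    nonces.append(n)
    monitor.observe(ptk, n)
    return nonces, monitor.reuses


if __name__ == "__main__":
    for mode in (False, True):
        used, reuses = simulate(mode)
        print("hardened" if mode else "vulnerable", "nonces:", used,
              "reuse events:", reuses)
```

Running the block shows the vulnerable client encrypting both frames under nonce 1 after the retransmitted message 3 (one reuse event), while the hardened client moves on to nonce 2. The same check, applied to captured frame sequence numbers per station and key, is the basis of a detection for the nonce-reset condition the advisory describes.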
The original public security advisory issued by Cisco is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa
The report by US-CERT is available at the following link: https://www.kb.cert.org/vuls/id/228519
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Rockwell Automation recommends that all customers patch the clients that connect to the Stratix 5100 WAP/WGB, and recommends contacting your vendor to get the most updated patch that is compatible with your client devices. However, patching the client only protects the connection formed by that specific client. In order to protect all future clients that may be added to your system, Rockwell Automation recommends patching the Stratix 5100 WAP/WGB when the firmware is available.
UPDATE: NOVEMBER 6, 2017
After further investigation, Rockwell Automation has determined that, since the vulnerability affects Stratix 5100 access points with 802.11r enabled, and 802.11r is not fully supported on the Stratix 5100 WAP/WGB, access-point users are not affected by this vulnerability, and patching the Stratix 5100 WAP/WGB is not required when the device is operating as an access point. To verify that 802.11r is disabled in your device, please refer to Knowledgebase Article ID 1068007. It is still suggested that users refer to the manufacturers of their connected wireless client devices for suggested patch procedures.
Alternatively, a workaround exists for CVE-2017-13082. If you are using a Stratix 5100 in Access Point ("AP") mode (and not in Workgroup Bridge ("WGB") mode) and you have enabled 802.11r fast roaming, it is recommended that 802.11r fast roaming be disabled. In order to disable 802.11r, do one of the following:
- Open the Command Line Interface (CLI) and issue the following commands with administrative privileges:
Command | Purpose
configure terminal | Enters global configuration mode
interface Dot11Radio0 | Enters Radio0 (2.4 GHz) configuration
no dot11 dot11r | Disables 802.11r on Radio0
interface Dot11Radio1 | Enters Radio1 (5 GHz) configuration
no dot11 dot11r | Disables 802.11r on Radio1
end | Exits to privileged EXEC mode
write | Writes the configuration to non-volatile memory
- In the web interface, navigate to the "Network" tab, select "Network Interface", then "Radio0-802.11n 2.4GHz", "Settings", and verify that the "disable" radio button next to "11r Configuration" is selected. Repeat these steps for "Radio1-802.11n 5GHz".
NOTE: Disabling 802.11r could have a negative impact on the performance and availability of a customer’s system. Customers are encouraged to evaluate the impact on their specific environments before performing this workaround.
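As an added example (not a Rockwell Automation or Cisco tool), the following Python script audits a saved running configuration for the condition the workaround addresses: a radio operating as an access point with 802.11r enabled. The configuration text is constructed for the example; it assumes IOS-style layout (one-space-indented lines under `interface Dot11RadioN`), that 802.11r appears as a line beginning `dot11 dot11r` when enabled and as `no dot11 dot11r` or no line at all when disabled (the advisory states the feature is off by default), and that the radio's role is given by a `station-role root` or `station-role workgroup-bridge` line. Those keyword forms are assumptions about the device's configuration syntax; verify them against your own `show running-config` output. For any radio that needs the workaround the script emits the CLI sequence from the table above.

```python
import re
from typing import Dict, List

# Constructed sample configuration: Radio0 is an AP with 802.11r on,
# Radio1 is an AP with 802.11r explicitly off.
SAMPLE_CONFIG = """\
!
hostname stratix5100-demo
!
interface Dot11Radio0
 station-role root
 dot11 dot11r pre-authentication over-air
 ssid PLANT-FLOOR
!
interface Dot11Radio1
 station-role root
 no dot11 dot11r
 ssid PLANT-FLOOR
!
interface GigabitEthernet0
 no ip address
!
"""

RADIO_RE = re.compile(r"^interface\s+(Dot11Radio\d+)\s*$", re.IGNORECASE)


def parse_radio_blocks(config: str) -> Dict[str, List[str]]:
    """Collect the indented sub-commands under each Dot11Radio interface."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Top-level line: starts a new block or ends the current one.
            match = RADIO_RE.match(raw.rstrip())
            current = match.group(1) if match else None
            if current:
                blocks[current] = []
            continue
        if current:
            blocks[current].append(raw.strip())
    return blocks


def audit_dot11r(config: str) -> Dict[str, Dict[str, object]]:
    """Per radio: is 802.11r on, what role, and does the workaround apply?"""
    results: Dict[str, Dict[str, object]] = {}
    for name, lines in parse_radio_blocks(config).items():
        # "no dot11 dot11r" does not start with "dot11 dot11r", so only the
        # affirmative form counts as enabled (assumed syntax, see lead-in).
        enabled = any(line.startswith("dot11 dot11r") for line in lines)
        role = "root"  # assumed default when no station-role line is present
        for line in lines:
            if line.startswith("station-role"):
                role = line.split(None, 1)[1]
        results[name] = {
            "dot11r_enabled": enabled,
            "role": role,
            # WGB mode is excluded by the advisory; only AP ("root") radios count.
            "needs_workaround": enabled and role.startswith("root"),
        }
    return results


def workaround_commands(results: Dict[str, Dict[str, object]]) -> List[str]:
    """Build the CLI sequence from the advisory for every flagged radio."""
    flagged = [name for name, r in results.items() if r["needs_workaround"]]
    if not flagged:
        return []
    cmds = ["configure terminal"]
    for name in flagged:
        cmds += [f"interface {name}", "no dot11 dot11r"]
    cmds += ["end", "write"]
    return cmds


if __name__ == "__main__":
    findings = audit_dot11r(SAMPLE_CONFIG)
    for radio, info in findings.items():
        print(radio, info)
    print("\n".join(workaround_commands(findings)))
```

Run against a real configuration, the script reads a file instead of `SAMPLE_CONFIG`; the point of the `role` check is that a Stratix 5100 in WGB mode is outside the scope of the workaround, so flagging it would produce unnecessary changes on a device where the advisory says 802.11r is not the concern.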
GENERAL SECURITY GUIDELINES
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted web sites and attachments.
- Block all traffic to EtherNet/IP or other CIP™ protocol-based devices from outside the Manufacturing Zone by blocking or restricting access to TCP and UDP Port# 2222 and Port# 44818 using proper network infrastructure controls, such as firewalls, Unified Threat Management ("UTM") devices, or other security appliances. For more information on TCP/UDP ports used by Rockwell Automation Products, see Knowledgebase Article ID 898270.
- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
REVISION HISTORY
Date | Version | Details
06-Nov-2017 | 1.1 | Update about affected feature.
23-Oct-2017 | 1.0 | Initial release.