Siemens’ Mitigation Plan for KRACK Holes

Tuesday, November 14, 2017 @ 08:11 PM gHale


Siemens has a mitigation plan to remedy issues in its SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products, according to a report with ICS-CERT.

Successful exploitation of these vulnerabilities, discovered by Mathy Vanhoef of the Katholieke Universiteit Leuven in Belgium, could potentially allow an attacker within the radio range of the wireless network to decrypt, replay, or inject forged network packets into the wireless communication.


Siemens reports the key reinstallation attacks (KRACK) potentially affect the following Siemens industrial products:
• SCALANCE W1750D: All versions
• SCALANCE WLC711: All versions
• SCALANCE WLC712: All versions
• SCALANCE W-700 (IEEE 802.11n): All versions prior to V6.2.1
• SCALANCE W-700 (IEEE 802.11a/b/g): All versions
• SIMATIC IWLAN-PB/LINK: All versions
• RUGGEDCOM RX1400 with WLAN interface: All versions
• RUGGEDCOM RS9xxW: All versions
• SIMATIC Mobile Panel 277(F) IWLAN: All versions
• SIMATIC ET200 PRO IM154-6 PN IWLAN: All versions
• SINAMICS V20 Smart Access Module: All versions

These vulnerabilities have been publicly disclosed and are exploitable from an adjacent network. A high skill level is needed to exploit them.

In one vulnerability, Wi-Fi protected access (WPA and WPA2) allows reinstallation of the pairwise key in the four-way handshake.

CVE-2017-13077 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.
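To make the pairwise key reinstallation concrete, the following is an added Python model of the client (supplicant) side of the four-way handshake. It is not Siemens code and not the 802.11 reference implementation; the class and function names and the toy packet-number bookkeeping are constructed for illustration, and no real cryptography is performed. It shows why a retransmitted message 3 matters: in the pre-fix behaviour the client reinstalls the already-installed pairwise temporal key (TK) and resets its CCMP packet number to zero, so later frames reuse (key, packet number) pairs; in the hardened variant an already-installed key is left untouched, so the counter keeps increasing.

```python
"""Simplified model of WPA2 four-way handshake message 3 handling.

Added educational example, not Siemens code or a real supplicant.
Key material and counters are toy values; nothing here encrypts.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Supplicant:
    """Client state around message 3 of the four-way handshake.

    reinstall_on_retransmit=True models the pre-fix behaviour: every
    message 3, including a retransmitted one, re-installs the TK and
    resets the packet number (the CCMP nonce counter) to zero.
    """
    reinstall_on_retransmit: bool
    tk: bytes = b""
    installed: bool = False
    packet_number: int = 0
    used_nonces: List[Tuple[bytes, int]] = field(default_factory=list)

    def handle_message3(self, tk: bytes) -> None:
        """Process a (possibly retransmitted) message 3 carrying the TK."""
        if self.installed and tk == self.tk and not self.reinstall_on_retransmit:
            # Hardened behaviour (simplified): the same key is already in
            # place, so acknowledge the retransmit without touching the
            # installed key or its packet number.
            return
        self.tk = tk
        self.installed = True
        self.packet_number = 0  # the reset that causes nonce reuse pre-fix

    def send_frame(self) -> Tuple[bytes, int]:
        """Stand-in for encrypt-and-send: consume one packet number under TK."""
        assert self.installed, "no key installed"
        self.packet_number += 1
        nonce = (self.tk, self.packet_number)
        self.used_nonces.append(nonce)
        return nonce

    def nonce_reuse_count(self) -> int:
        """How many (key, packet number) pairs were used more than once."""
        return len(self.used_nonces) - len(set(self.used_nonces))


def simulate(reinstall_on_retransmit: bool, frames_per_phase: int = 3) -> int:
    """Run one handshake, some traffic, a retransmitted message 3, more traffic.

    Returns the number of reused (key, packet number) pairs. A retransmit of
    message 3 is legitimate protocol behaviour (message 4 may be lost), so the
    client must tolerate it without resetting its counters.
    """
    tk = b"constructed-toy-tk"  # constructed placeholder, not a real key
    client = Supplicant(reinstall_on_retransmit=reinstall_on_retransmit)

    client.handle_message3(tk)
    for _ in range(frames_per_phase):
        client.send_frame()

    client.handle_message3(tk)  # retransmitted message 3, same key
    for _ in range(frames_per_phase):
        client.send_frame()

    return client.nonce_reuse_count()


if __name__ == "__main__":
    print("pre-fix reused nonces:", simulate(reinstall_on_retransmit=True))
    print("hardened reused nonces:", simulate(reinstall_on_retransmit=False))
```

The model deliberately treats the reused pair as the whole problem: under CCMP the packet number is the nonce for AES counter mode, so two frames under the same key and packet number share a keystream, which is what makes the decrypt and replay outcomes in the advisory possible. The hardened branch reflects the approach taken by patched supplicants, which stop reinstalling a key that is already in use.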

In addition, Wi-Fi protected access (WPA and WPA2) allows reinstallation of the group temporal key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13078 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.

Also, Wi-Fi protected access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the integrity group temporal key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients.

CVE-2017-13079 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.9.

In addition, Wi-Fi protected access (WPA and WPA2) allows reinstallation of the group temporal key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13080 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.

Also, Wi-Fi protected access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the integrity group temporal key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients.

CVE-2017-13081 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.

In another vulnerability, Wi-Fi protected access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the pairwise transient key (PTK) temporal key (TK) during the fast BSS transition (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13082 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.

Additionally, Wi-Fi protected access (WPA and WPA2) allows reinstallation of the station-to-station-link (STSL) transient key (STK) during the PeerKey handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13084 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.

Also, Wi-Fi protected access (WPA and WPA2) allows reinstallation of the tunneled direct-link setup (TDLS) peer key (TPK) during the TDLS handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.

CVE-2017-13086 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.8.

Wi-Fi protected access (WPA and WPA2) that supports 802.11v allows reinstallation of the group temporal key (GTK) when processing a wireless network management (WNM) sleep mode response frame, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13087 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.

In addition, Wi-Fi protected access (WPA and WPA2) that supports 802.11v allows reinstallation of the integrity group temporal key (IGTK) when processing a wireless network management (WNM) sleep mode response frame, allowing an attacker within radio range to replay frames from access points to clients.

CVE-2017-13088 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.2.

The products see use in the chemical, energy, food and agriculture, healthcare and public health, transportation systems, and water and wastewater systems sectors. They also see action on a global basis.

Siemens has provided the following update to address the vulnerabilities in the affected product:
• SCALANCE W-700 (IEEE 802.11n): V6.2.1

SCALANCE W1750D devices are not vulnerable in the default configuration. Only users who enable the “Mesh” or “WiFi uplink” functionality are affected by the vulnerabilities. Disabling these functionalities will completely mitigate the vulnerabilities.

SCALANCE WLC711 and WLC712 can deactivate IEEE 802.11r, “MeshConnect,” and “Client Bridge Mode” to reduce the risk, provided these modes have been activated and are not required for the operation of the wireless environment. All three functions are turned off by default.

SCALANCE W-700 standalone Access Points, RUGGEDCOM RX1400 and RS9xxW, are not vulnerable if operated in Access Point mode.

SCALANCE W-700 standalone devices, SIMATIC Mobile Panel 277F IWLAN, and SIMATIC ET200 WLAN, are not affected if the iPCF, iPCF-MC, or iPCF-HT features are enabled.

For the remaining affected products or if the mitigations outlined previously cannot be implemented, Siemens recommends the following mitigations:
• Ensure multiple layers of security. Do not depend on the security of WPA2 alone
• Use WPA2-CCMP (AES) instead of WPA2-TKIP or WPA-GCMP, if supported by the WLAN clients, to reduce the risk of potential attacks
• Apply defense-in-depth

For more information on this vulnerability and more detailed mitigation instructions, see Siemens Security Advisory SSA-901333.
