Wind River Support Network

HomeSecurity NoticesWind River Pulsar Linux Security Alert for ‘WPA security bug’ (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)
Recommended

Wind River Pulsar Linux Security Alert for ‘WPA security bug’ (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)

Released: Oct 16, 2017     Updated: Oct 18, 2017

Summary

WPA packet number reuse with replayed messages and key reinstallation. Effect on all our supporting release.


Product Version

Pulsar Linux 8

Description

All our supporting releases need those fixes.


WPA packet number reuse with replayed messages and key reinstallation


  • CVE-2017-13077
  • CVE-2017-13078
  • CVE-2017-13079
  • CVE-2017-13080
  • CVE-2017-13081
  • CVE-2017-13082
  • CVE-2017-13084 (not applicable)
  • CVE-2017-13086
  • CVE-2017-13087
  • CVE-2017-13088

A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used.

The patches have been pushed to GitHub

https://github.com/WindRiver-OpenSourceLabs/oe-core/commit/93ce223a5865b0d9de5f5daab7ae1871dd5aee5e

https://github.com/WindRiver-OpenSourceLabs/meta-openembedded/commit/3f8175a1bb8d179e00f62e08cae44014f6c60239


Installation Notes

Several upgrading related packages are also upgraded, so before system upgrade, they should be upgraded firstly. In each container:


# smart upgrade overc-utils overc-system-agent dom0-contctl dtach

Please note, not all these packages above exist in all containers, so
there should be some warning messages as below, it is hramless.
...
'overc-system-agent' matches no installed packages
'dom0-contctl' matches no installed packages
...

After upgrade those tool packages, we can start to upgrade whole system:

  1. switch to dom0 Method to switch to dom0, details as "Switching Containers"

    https://knowledge.windriver.com/en-us/000_Products/000/060/010/010/000_Wind_River_Pulsar_Linux_System_Administration_Guide%2C_8/020/010

  2. upgrade system in dom0

    /opt/overc-system-agent/overc system upgrade dom0 -r

more details see "Upgrading the System":

https://knowledge.windriver.com/en-us/000_Products/000/060/010/010/000_Wind_River_Pulsar_Linux_System_Administration_Guide%2C_8/040/000


Live chat
Online