PHOENIX CONTACT WLAN enabled devices utilizing WPA2 encryption (Update A)

VDE-2017-003A (2017-11-09 16:20 UTC+0100)

Affected Vendors

PHOENIX CONTACT

Affected Products

BL2 BPC *, BL2 PPC *, FL COMSERVER WLAN 232/422/485, FL WLAN 110x, FL WLAN 210x, FL WLAN 510x, FL WLAN 230 AP 802-11*, FL WLAN 24 AP 802-11*, FL WLAN 24 DAP 802-11*, FL WLAN 24 EC 802-11*, FL WLAN EPA*, FL WLAN SPA, ITC 8113*, RAD-80211-XD*, RAD-WHG/WLAN-XD, TPC 6013*, VMT 30xx, VMT 50xx, VMT 70xx, plus variants (see “Impact” for details)

Vulnerability Type

Gain Information

Summary

Multiple security issues and vulnerabilities within the WPA2 standard have been identified and publicized by Mr. Mathy Vanhoef of KU Leuven. These vulnerabilities may allow the reinstallation of a pairwise transient key, a group key, or an integrity key on either a wireless client or a wireless access point (AP). In consequence, an attacker could establish a man-in-the-middle position between AP and client facilitating packet decryption and injection. Published advisories: VDE-2017-003 (2017-10-26 10:42 UTC+0100), VDE-2017-003A (2017-11-09 16:20 UTC+0100)

Impact

PHOENIX CONTACT embedded devices running in AP mode are not affected by these vulnerabilities. If devices are used in client or repeater mode, an attacker could in theory decrypt any packet sent by the client. Devices of the FL WLAN 110x, 210x, and 510x product families are affected only to a very limited extent: with these devices, only data packets sent within three seconds after a key renewal could be decrypted by a successful attacker.

In general, if TCP SYN packets are decrypted, this can be used to hijack TCP connections and inject malicious traffic into unencrypted protocols. However, to perform the attack, the attacker must be significantly closer to the WLAN client than the access point is. In industrial or indoor applications, the attacker would therefore have to be inside the plant, so a successful external attack seems very difficult. Furthermore, the WPA2 password cannot be compromised using a KRACK attack, and the attacker cannot gain full access to the network.

Note, however, that if WPA-TKIP is used instead of AES-CCMP, the impact of this vulnerability is much more severe, because an attacker can then not only decrypt packets but also forge and inject packets directly into the WLAN.
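Why a reinstalled pairwise key lets an attacker decrypt client frames, as an added illustration that is not part of the advisory and not PHOENIX CONTACT code: CCMP encrypts each frame with AES in counter mode under the temporal key and a nonce built from the sender address and the packet number, and a reinstalled key resets the packet number, so two frames share a keystream. The script models a client in the vulnerable and in the patched behaviour; the HMAC-SHA256 counter standing in for AES-CTR, the station address, the key and the two frames are all constructed so it runs offline.

```python
"""Why a reinstalled pairwise key leaks plaintext under CCMP (KRACK model).

Added example; it is not code from the advisory or from PHOENIX CONTACT.
CCMP encrypts each frame with AES in counter mode under the temporal key
(TK) and a nonce built from the sender address and the 48-bit packet
number (PN). Reinstalling the same TK resets the PN, so two frames share
a nonce and hence a keystream. The keystream here is an HMAC-SHA256
counter, a stand-in chosen so the script runs without a crypto library;
the nonce-reuse property is the same for AES-CTR. Addresses, keys and
frame contents are constructed.
"""
import hashlib
import hmac

# Constructed frames of equal length: one the attacker can predict (a
# polling request to a PLC web page) and one it wants to read.
KNOWN_FRAME = b"GET /status HTTP/1.1\r\n"
SECRET_FRAME = b"PUT /valve1 HTTP/1.1\r\n"
assert len(KNOWN_FRAME) == len(SECRET_FRAME)


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream for (tk, nonce); stand-in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(tk, nonce + counter.to_bytes(2, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """WLAN client keeping a TK and the per-key packet number."""

    def __init__(self, addr: bytes, hardened: bool) -> None:
        self.addr = addr
        self.hardened = hardened
        self.tk = None
        self.pn = 0

    def install_tk(self, tk: bytes) -> None:
        # Invoked when handshake message 3 arrives. The vulnerable client
        # installs whatever it receives and resets the PN, so a replayed
        # message 3 reinstalls the key already in use. The hardened client
        # models the fix in patched supplicants: a TK that is already
        # installed is not installed again, so the PN keeps counting.
        if self.hardened and self.tk == tk:
            return
        self.tk = tk
        self.pn = 0

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (pn, ciphertext). MIC omitted."""
        self.pn += 1
        nonce = self.addr + self.pn.to_bytes(6, "big")  # priority field omitted
        return self.pn, xor(plaintext, keystream(self.tk, nonce, len(plaintext)))


def krack_decrypt(hardened: bool):
    """Replay message 3, then recover the second frame from the first.

    Returns (PN of the second frame, bytes the attacker recovers).
    """
    tk = hashlib.sha256(b"constructed pairwise transient key").digest()[:16]
    sta = Station(addr=bytes.fromhex("020000000001"), hardened=hardened)  # constructed address
    sta.install_tk(tk)                    # genuine message 3: key installed
    _, c1 = sta.send(KNOWN_FRAME)
    sta.install_tk(tk)                    # attacker replays message 3
    pn2, c2 = sta.send(SECRET_FRAME)
    # c1 XOR c2 cancels the keystream only if both frames used the same
    # nonce; the attacker then strips the known plaintext.
    return pn2, xor(xor(c1, c2), KNOWN_FRAME)


if __name__ == "__main__":
    for hardened in (False, True):
        pn, recovered = krack_decrypt(hardened)
        print(f"hardened={hardened}: second frame PN={pn}, recovered={recovered!r}")
```

With the vulnerable client the second frame goes out under PN 1 again and the attacker recovers it byte for byte; with the hardened client the PN advances to 2, the keystreams differ, and the XOR yields nothing useful. This is also why the three-second window quoted above for the FL WLAN 110x/210x/510x families matters: only frames sent while the nonce collision persists are exposed.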

Update 2017-11-09: PHOENIX CONTACT has provided the following overview of affected product names and article numbers. For products available in several variants, the product name is grouped and shortened (marked with “*”); the list of article numbers covers all product variants.

Articles                        Article numbers                                                  Product state
BL2 BPC *                       2404777, 2404845                                                 current
BL2 PPC *                       2404844, 2404846                                                 current
FL COMSERVER WLAN 232/422/485   2313559                                                          discontinued
FL WLAN 110x                    2702538, 2702534                                                 current
FL WLAN 210x                    2702535, 2702540                                                 current
FL WLAN 510x                    2700718, 2701093, 2701850                                        current
FL WLAN 230 AP 802-11*          2884444, 2700452                                                 discontinued
FL WLAN 24 AP 802-11*           2700448, 2884075                                                 discontinued
FL WLAN 24 DAP 802-11*          2884279, 2700451                                                 discontinued
FL WLAN 24 EC 802-11*           2884130, 2700449                                                 discontinued
FL WLAN EPA*                    2692791, 2700488, 2701169                                        discontinued
FL WLAN SPA                     2884761                                                          discontinued
ITC 8113*                       2403738, 2403485, 2402911, 2403267, 2402979, 2402957 - 2402964   current
RAD-80211-XD*                   2885728, 2900046, 2900047, 2990011                               discontinued
RAD-WHG/WLAN-XD                 2900178                                                          current
TPC 6013*                       2913784, 2700740, 2700611, 2701316                               discontinued
VMT 30xx                        2913852, 2701003, 2700969, 2913959, 2700878                      discontinued
VMT 50xx                        2887580, 2887593, 2913810                                        discontinued
VMT 70xx                        2400158 - 2400161                                                current

Solution

PHOENIX CONTACT is actively working on these vulnerabilities. CERT@VDE will update this advisory as soon as further significant details are provided by the vendor, especially with information about patches provided.

For PHOENIX CONTACT devices running Microsoft Windows, we recommend applying the security update provided by Microsoft. If you are using WPA-TKIP in your WLAN, you should switch to AES-CCMP immediately. Note that a mixed configuration that still advertises TKIP alongside CCMP does not remove the exposure, because clients can still negotiate TKIP; TKIP must be disabled entirely on the access point.
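One way to check whether any access point in range still advertises TKIP, as an added example that is not part of the advisory and not PHOENIX CONTACT code: parse the RSN/WPA information-element lines that `iw dev <interface> scan` prints on Linux and report every BSS whose pairwise or group cipher list contains TKIP. The scan excerpt embedded below is constructed in the format `iw` uses (locally administered MAC addresses, made-up SSIDs); on a real system the same script reads the live scan from standard input.

```python
"""Flag WLANs that still advertise WPA-TKIP in an `iw dev <if> scan` dump.

Added example, not from the advisory or from PHOENIX CONTACT. The input
below is a constructed excerpt in the format `iw` prints for the RSN
(WPA2) and WPA information elements. An AP that lists TKIP as pairwise
or group cipher, even alongside CCMP, still lets clients negotiate TKIP.
"""
import re
import sys

# Constructed scan output: one mixed-mode WPA2 network, one CCMP-only
# network and one WPA(1)/TKIP network. Addresses are locally administered.
SAMPLE_SCAN = """\
BSS 02:00:00:00:00:01(on wlan0)
	freq: 2437
	SSID: plant-wlan-legacy
	RSN:	 * Version: 1
		 * Group cipher: TKIP
		 * Pairwise ciphers: TKIP CCMP
		 * Authentication suites: PSK
BSS 02:00:00:00:00:02(on wlan0)
	freq: 5180
	SSID: plant-wlan
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: PSK
BSS 02:00:00:00:00:03(on wlan0)
	freq: 2412
	SSID: office-guest
	WPA:	 * Version: 1
		 * Group cipher: TKIP
		 * Pairwise ciphers: TKIP
		 * Authentication suites: PSK
"""

BSS_LINE = re.compile(r"^BSS ([0-9a-fA-F:]{17})")


def parse_iw_scan(text: str):
    """Return one dict per BSS: bssid, ssid and the set of ciphers seen.

    Both the "Group cipher:" and "Pairwise ciphers:" lines are collected,
    from the RSN and the WPA element alike, so a network that only keeps
    TKIP as the group (broadcast) cipher is still caught.
    """
    networks = []
    current = None
    for line in text.splitlines():
        m = BSS_LINE.match(line)
        if m:
            current = {"bssid": m.group(1).lower(), "ssid": "", "ciphers": set()}
            networks.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            current["ssid"] = s[len("SSID:"):].strip()
        elif "cipher" in s.lower():
            # "* Group cipher: TKIP" / "* Pairwise ciphers: TKIP CCMP"
            current["ciphers"].update(s.split(":", 1)[1].split())
    return networks


def tkip_networks(text: str):
    """SSIDs (sorted) of all BSSs that advertise TKIP in any cipher role."""
    return sorted(n["ssid"] for n in parse_iw_scan(text) if "TKIP" in n["ciphers"])


if __name__ == "__main__":
    # Usage: iw dev wlan0 scan | python3 check_tkip.py   (falls back to the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    for n in parse_iw_scan(data):
        verdict = "TKIP advertised, migrate to CCMP" if "TKIP" in n["ciphers"] else "ok"
        print(f"{n['bssid']}  {n['ssid']:<24} {' '.join(sorted(n['ciphers'])):<12} {verdict}")
```

Running the script against the embedded sample reports `plant-wlan-legacy` and `office-guest`; the first is the case the caveat above is about, since it already offers CCMP but has not yet removed TKIP.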

This advisory will be updated as further details become available.

Reported by

Mathy Vanhoef of imec-DistriNet, KU Leuven published this vulnerability on https://www.krackattacks.com.

PHOENIX CONTACT reported this vulnerability to CERT@VDE.