Yesterday the DHS ICS-CERT published a control system security
advisory for WLAN-enabled products from Phoenix Contact. The advisory covers the Key Reinstallation Attack (KRACK)
set of vulnerabilities. ICS-CERT credits the original KRACK researcher, Mathy
Vanhoef of imec-DistriNet, for reporting the vulnerability, but this instance
was self-reported by Phoenix Contact.
This advisory only reports three of the ten reported KRACK
CVEs. It is not clear whether the vendor evaluated the other potential KRACK
instances and found them missing (not implemented) on its devices, or simply
judged these three to be the most serious implementation issues in its devices.
The Phoenix Contact advisory at CERT@VDE
provides much more detailed information about the extent of the vulnerability.
They report:
“PHOENIX CONTACT embedded devices
running in AP mode are not affected by these vulnerabilities. If devices are
used in client or repeater mode, an attacker could in theory decrypt any packet
sent by the client. Devices of the FL WLAN 110x, 210x, and 510x product
families are only affected to a very limited extent. With these devices, only
data packets sent within three seconds after key renewal could possibly be
decrypted by a successful attacker. In general, if TCP SYN packets are
decrypted, this can be used to hijack TCP connections and inject malicious
traffic into unencrypted protocols. However, to perform the attack, the
attacker must be significantly closer to the WLAN client than the access point.
In industrial or indoor applications, the attacker would have to be inside the
plant. A successful external attack therefore seems to be very difficult.
Furthermore, the WPA2 password cannot be compromised using a KRACK attack. It
is not possible for the attacker to gain full access to the network. However,
note that if WPA-TKIP is used instead of AES-CCMP, the impact of this
vulnerability is much more severe, because an attacker can then not only
decrypt packets, but also forge and inject packets directly into the WLAN.”
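The key-renewal window the advisory describes is where a key reinstallation becomes visible on the wire: the access point's handshake message 3 is delivered a second time with no fresh message 1, the client installs the same pairwise key again, and its packet number (the per-key nonce counter) restarts. The detector below is an added example, not code from Phoenix Contact, CERT@VDE or ICS-CERT; it runs over constructed, already-decoded frame records (the Frame type, its field names and the use of the advisory's three-second window as the alert window are assumptions) and flags that pattern while tolerating a genuine rekey.

```python
from dataclasses import dataclass

# Alert window: the advisory's "three seconds after key renewal" (assumed here as the window).
REKEY_WINDOW_S = 3.0

@dataclass
class Frame:
    ts: float     # capture time, seconds
    sta: str      # WLAN client whose pairwise key state this frame concerns
    kind: str     # "msg1"/"msg3": 4-way handshake to the client; "data": encrypted frame from it
    pn: int = 0   # CCMP/TKIP packet number (nonce counter) of a data frame

def detect_key_reinstallation(frames):
    """Return (ts, sta, reason) alerts. A retransmitted message 3 with no new
    message 1 means the same pairwise key is installed again; if the client's
    packet number then goes backwards, a nonce has been reused under that key."""
    alerts, state = [], {}
    for f in sorted(frames, key=lambda x: x.ts):
        s = state.setdefault(f.sta, {"msg3_seen": False, "retrans_ts": None, "max_pn": None})
        if f.kind == "msg1":                      # a fresh handshake starts
            s["msg3_seen"], s["retrans_ts"] = False, None
        elif f.kind == "msg3":
            if not s["msg3_seen"]:                # first install of a new key: PN legitimately restarts
                s["msg3_seen"], s["max_pn"] = True, None
            else:                                 # retransmission: key unchanged, PN must not restart
                s["retrans_ts"] = f.ts
                alerts.append((f.ts, f.sta, "retransmitted 4-way handshake message 3"))
        elif f.kind == "data":
            prev = s["max_pn"]
            if prev is not None and f.pn <= prev:
                recent = s["retrans_ts"] is not None and f.ts - s["retrans_ts"] <= REKEY_WINDOW_S
                tag = "nonce reuse after key reinstallation" if recent else "packet number replay"
                alerts.append((f.ts, f.sta, f"{tag}: PN {f.pn} after {prev}"))
            s["max_pn"] = f.pn if prev is None else max(prev, f.pn)
    return alerts

# Constructed sample: client A suffers a reinstallation, client B performs a normal rekey.
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [
    Frame(0.0, A, "msg1"), Frame(0.1, A, "msg3"),
    Frame(0.5, A, "data", pn=1), Frame(1.0, A, "data", pn=2),
    Frame(1.2, A, "msg3"),                         # message 3 again, no new message 1
    Frame(1.4, A, "data", pn=1), Frame(2.0, A, "data", pn=3),
    Frame(0.0, B, "msg1"), Frame(0.1, B, "msg3"),
    Frame(0.5, B, "data", pn=1), Frame(1.0, B, "data", pn=2),
    Frame(5.0, B, "msg1"), Frame(5.1, B, "msg3"),  # genuine rekey: new key, PN restarts
    Frame(5.5, B, "data", pn=1),
]
```

A single retransmitted message 3 can also follow a lost message 4, so that alert alone is informational; the packet-number restart under the unchanged key is the confirming signal.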
TIRADE ALERT – Another vendor provides information on KRACK
and ICS-CERT has still failed to publish an alert about the vulnerability, or
even just a link to the original paper. I have been complaining about this
inaction on the part of ICS-CERT wherever I talk about ICS security issues. I
had an interesting conversation
with Anton Shipulin, of Kaspersky Labs, over on LinkedIn about the issue and he
noted that this could be the result of the recent NCCIC reorganization that ‘moved’
ICS-CERT into NCCIC. I still have not seen anything from DHS about the move,
but if the reorganization changed the information sharing responsibilities of
ICS-CERT to the control system security community, then DHS needs to reverse
that change as quickly as possible. Perhaps Congress needs to look into this.