FreeBSD Security Advisory - When using WPA2, EAPOL-Key frames with the Encrypted flag and without the MIC flag set, the data field was decrypted first without verifying the MIC. When the dta field was encrypted using RC4, for example, when negotiating TKIP as a pairwise cipher, the unauthenticated but decrypted data was subsequently processed. This opened wpa_supplicant(8) to abuse by decryption and recovery of sensitive information contained in EAPOL-Key messages. All users of the WPA2 TKIP pairwise cipher are vulnerable to information, for example, the group key.
580871e8a4fb8190df6331da035c23fcf242dbb8f22aa1f5688ca63b0ad0891e
FreeBSD Security Advisory - A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used.
8e8f49d170cd1b8f44a0c2998b6751ff57fcd2197169fa4e32976845bd0eaf80
Whitepaper called Reinstallation Attacks: Forcing Nonce Reuse in WPA2. This research paper will be presented on at the Computer and Communications Security (CCS) conference on November 1, 2017. This paper details a flaw in the WPA2 protocol itself and most devices that makes use of WPA2 are affected.
7bdd578be202b278bcaaefbcc9d6e1f9481932cdadde98dfd4ce55ede0123ded