Introduction
Multiple key reuse vulnerabilities were discovered in the WPA2 protocol. The novel attack technique behind them has been named KRACK (Key Reinstallation Attacks). The attack exploits a weakness in the WPA2 4-way handshake that allows key reuse attacks against the client. This causes the underlying encryption protocol to reuse keys and nonces that have already been used, which an attacker can exploit to decrypt traffic transmitted by a client. The vulnerability was discovered by Mathy Vanhoef. Please note that the issue is in the Wi-Fi standard itself and not in specific products; please refer to CERT/CC for a list of affected products. The table below lists all CVEs associated with KRACK; each addresses a specific type of key reuse vulnerability.
CVE | Description
--- | ---
CVE-2017-13077 | Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078 | Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079 | Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080 | Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081 | Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082 | Accepting a re-transmitted Fast BSS Transition (FT) Re-association Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084 | Reinstallation of the STK key in the PeerKey handshake.
CVE-2017-13086 | Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087 | Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088 | Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Background
WPA2, also known as IEEE 802.11i, was developed by the Wi-Fi Alliance. It was designed to ensure the confidentiality and integrity of data transmitted over a wireless network. Transmitted frames are encrypted, mostly using AES in CCM mode. CCM encrypts with AES in counter mode, which behaves as a stream cipher: a nonce (initialization vector) is used to generate a keystream that is XORed with the data. For a stream cipher to be secure it must generate a unique keystream every time, which can only be achieved if the nonce is never repeated. This is why some stream ciphers are vulnerable to key/nonce reuse attacks.
WPA2 addresses this by using an additional incrementing parameter called the packet number, which starts at zero when a session begins and is never reset to zero in any other case. The following section shows how the vulnerability in the WPA2 protocol defeats this protection and allows a nonce to be reused.
Vulnerability
The vulnerability is present in the WPA2 4-way handshake. The researchers claim that the weakness is present in the older WPA protocol as well. By manipulating and replaying cryptographic handshake messages, the attacker is able to force the target to reinstall a key that is already in use.
When a client wants to join a network it initiates a 4-way handshake and establishes a fresh key that is used to encrypt all data frames once the handshake has finished. The key is delivered to the client in the 3rd message of the 4-way handshake, and the client installs it on receipt. It is entirely possible that the 3rd message is lost, or blocked by an attacker, so that the access point (AP) never receives an acknowledgement. The AP then retransmits the message, and each time the client reinstalls the same encryption key. Reinstalling the key also resets the incremental transmit packet number (nonce) and the receive replay counter. Resetting the packet number means a nonce is reused, and once that happens the underlying encryption protocol can be attacked. As mentioned earlier, the nonce is used to generate the keystream, so reusing a nonce produces the same, now predictable, keystream.
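To make the nonce-reuse mechanism from the Background and Vulnerability sections concrete, here is an added simulation (it is not from the original post or from the researchers' tooling): the counter-mode keystream of AES-CCM is replaced by an HMAC-SHA256 counter-mode stand-in, the CCMP nonce is simplified to A2 || PN, and the transmitter address, key and plaintexts are constructed values. It contrasts a client that resets its packet number on key reinstallation with a patched one that ignores the duplicate message, and shows the symptom a defender can look for: the same PN twice under one key, with the XOR of the two ciphertexts equal to the XOR of the plaintexts.

```python
import hashlib
import hmac

A2 = bytes.fromhex("020000000001")          # constructed transmitter MAC address
FRAME1 = b"GET /index.html "                # constructed 16-byte plaintexts
FRAME2 = b"PASSWORD=abc123!"

def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream, a stand-in for the CTR part of AES-CCM: it depends
    only on (key, nonce, counter), so a repeated (key, nonce) repeats the keystream."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(tk, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]

class Supplicant:
    """Simulated client holding the pairwise key (TK) and its transmit PN."""
    def __init__(self, vulnerable: bool):
        self.vulnerable = vulnerable    # True: reinstalling the key resets PN
        self.tk, self.pn = None, 0

    def handle_msg3(self, tk: bytes):
        """Process message 3 of the 4-way handshake, possibly retransmitted."""
        if self.tk == tk and not self.vulnerable:
            return                      # patched: key already in use, keep PN
        self.tk, self.pn = tk, 0        # (re)install the key and reset PN

    def send(self, plaintext: bytes):
        self.pn += 1
        nonce = A2 + self.pn.to_bytes(6, "big")   # CCMP nonce: A2 || PN (simplified)
        ks = keystream(self.tk, nonce, len(plaintext))
        return self.pn, bytes(p ^ k for p, k in zip(plaintext, ks))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def simulate(vulnerable: bool):
    """AP delivers msg3, client sends a frame, msg3 arrives again, client sends again."""
    sta = Supplicant(vulnerable)
    tk = hashlib.sha256(b"constructed PTK-TK").digest()[:16]
    sta.handle_msg3(tk)
    pn1, ct1 = sta.send(FRAME1)
    sta.handle_msg3(tk)                 # retransmitted message 3
    pn2, ct2 = sta.send(FRAME2)
    return pn1, ct1, pn2, ct2

def keystream_reused(vulnerable: bool) -> bool:
    """Observable symptom: same PN twice under one key, and ct1^ct2 == pt1^pt2."""
    pn1, ct1, pn2, ct2 = simulate(vulnerable)
    return pn1 == pn2 and xor_bytes(ct1, ct2) == xor_bytes(FRAME1, FRAME2)
```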
Exploitation
The researchers demonstrated a PoC against an Android smartphone in which they were able to decrypt the data transmitted by the target. In some scenarios decryption of received data is also possible. The exploitation methods against Android 6.0 and Linux are particularly potent, as the attacker is able to force the target to use an all-zero encryption key. Mathy Vanhoef has released a PoC to test whether an access point is vulnerable to KRACK.
Mitigation
– Please refer to CERT/CC for a list of affected products and apply the patches accordingly. A coordinated release was put in place by members of ICASI.
– The Windows operating system is vulnerable only to CVE-2017-13080. Microsoft addressed this vulnerability in the October 2017 patch release. Please use QID 91411 to detect vulnerable Windows machines.
– The Cisco advisory states that CVE-2017-13084 does not affect any Cisco product. Currently workarounds are available only for CVE-2017-13082; please refer to the official Cisco advisory for details.
– We request that organizations scan their networks with the QIDs listed below to detect vulnerable targets. This section will be updated as Qualys releases more detections for supported vendors.
CVE(s) | QID | Description
--- | --- | ---
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 176179 | Debian Security Update for wpa (DSA 3999-1)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 196947 | Ubuntu Security Notification for Wpa Vulnerabilities (USN-3455-1) (KRACK Attack)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 157578 | Oracle Enterprise Linux Security Update for wpa_supplicant (ELSA-2017-2907) (KRACK Attack)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 276929 | Fedora Security Update for wpa_supplicant (FEDORA-2017-60bfb576b7)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 276928 | Fedora Security Update for wpa_supplicant (FEDORA-2017-12e76e8364)
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088 | 170428 | SUSE Enterprise Linux Security Update for wpa_supplicant (SUSE-SU-2017:2752-1) (KRACK Attack)
CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088 | 170424 | SUSE Enterprise Linux Security Update for wpa_supplicant (SUSE-SU-2017:2745-1) (KRACK Attack)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 236530 | Red Hat Update for wpa_supplicant (RHSA-2017:2907)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 256319 | CentOS Security Update for wpa_supplicant (CESA-2017:2907) (KRACK)
CVE-2017-13080 | 91411 | Microsoft Windows Security Update October 2017
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13087 | 157579 | Oracle Enterprise Linux Security Update for wpa_supplicant (ELSA-2017-2911) (KRACK Attack)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087 | 236531 | Red Hat Update for wpa_supplicant (RHSA-2017:2911)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087 | 256320 | CentOS Security Update for wpa_supplicant (CESA-2017:2911) (KRACK)
CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 | 43559 | HPE ArubaOS WPA2 Key Reinstallation (KRACKs Attack) Vulnerabilities (ARUBA-PSA-2017-007)
As always, please continue to follow ThreatProtect for more coverage of this vulnerability.
References
Key Reinstallation Attacks Breaking WPA2 by forcing nonce reuse
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
Black Hat Europe: Key Reinstallation Attacks: Breaking the WPA2 Protocol
CERT/CC: 228519
ICASI: Wi-Fi Protected Access (WPA) Vulnerabilities
Stream cipher attack