KRACK: WPA2 Key Reinstallation Attack

Introduction
Multiple key reuse vulnerabilities were discovered in the WPA2 protocol. The novel attack technique that exploits them has been named KRACK (Key Reinstallation Attacks). The attack exploits a weakness in the WPA2 4-way handshake that allows key reuse attacks against the client. This can cause the underlying encryption protocol to use known or already-used keys, and attackers can use it to decrypt traffic transmitted by a client. The vulnerability was discovered by Mathy Vanhoef. Please note that the issue is in the Wi-Fi standard and not in specific products. Please refer to CERT/CC for a list of affected products. The table below lists all CVEs associated with KRACK. Each addresses a specific type of key reuse vulnerability.

CVE Descriptions
CVE-2017-13077 Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
CVE-2017-13078 Reinstallation of the group key (GTK) in the 4-way handshake.
CVE-2017-13079 Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
CVE-2017-13080 Reinstallation of the group key (GTK) in the group key handshake.
CVE-2017-13081 Reinstallation of the integrity group key (IGTK) in the group key handshake.
CVE-2017-13082 Accepting a re-transmitted Fast BSS Transition (FT) Re-association Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
CVE-2017-13084 Re-installation of the STK key in the PeerKey handshake.
CVE-2017-13086 Re-installation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
CVE-2017-13087 Re-installation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
CVE-2017-13088 Re-installation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

Background
WPA2, also known as IEEE 802.11i, was developed by the Wi-Fi Alliance. It was designed to ensure the confidentiality and integrity of data transmitted in a wireless network. The transmitted frames are encrypted, mostly using AES in CCM mode. In this mode the cipher operates as a stream cipher: it uses a nonce or initialization vector to generate a keystream, which is then used to encrypt the data. For a stream cipher to be effective, it must generate a unique keystream every time, and this can only be achieved if the nonce is never repeated. This is why some stream ciphers are vulnerable to key/nonce reuse attacks.

WPA2 addresses this by using an additional incremental parameter called the packet number, whose initial value is zero when a session starts and which is never set to zero in any other case. In the following section we will see how a vulnerability in the WPA2 protocol nevertheless allows the nonce to be reused.

Vulnerability
The vulnerability is present in the WPA2 protocol 4-way handshake. The researchers claim that this weakness is present in the older WPA protocol as well. By manipulating and replaying cryptographic handshake messages, the attacker is able to force the target to use a key that has already been used earlier.

When a client wants to join a network, it initiates a 4-way handshake and establishes a new key that will be used to encrypt all data frames after the handshake has finished. The key is sent to the client in the 3rd message of the 4-way handshake. It is quite possible for the 3rd message to be lost or blocked by an attacker, so that the access point (AP) does not receive an acknowledgement. The AP will then re-transmit this message, and each time the client re-installs the same encryption key. This action also resets the incremental transmit packet number (nonce) and the receive replay counter. Resetting the packet number leads to reusing a nonce. Once this is achieved, the underlying encryption protocol can be attacked. As mentioned earlier, the nonce is used to generate the keystream, so reusing a nonce results in a predictable keystream.
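The following added example (not code from the original post or from the researchers) models the reset described above and the patched behaviour next to it. It is a simplified model: the `Client` class and function names are hypothetical, the key and plaintexts are constructed, and an HMAC-SHA256 keystream stands in for AES counter mode because only the dependence of the keystream on (key, packet number) matters here.

```python
import hashlib
import hmac

def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCM's counter mode: output depends only on (key, packet number)."""
    out, block = b"", 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + block.to_bytes(2, "big")
        out += hmac.new(tk, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a supplicant's key installation logic."""
    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.pn = 0

    def on_message3(self, tk: bytes) -> None:
        # Patched behaviour: a retransmitted message 3 that carries the key
        # already in use must not reset the packet number.
        if self.patched and tk == self.tk:
            return
        self.tk = tk
        self.pn = 0  # vulnerable behaviour: every (re)install resets the nonce

    def send(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))

def run(patched: bool):
    """Return (pn of frame 1, pn of frame 2, whether c1^c2 equals p1^p2)."""
    tk = bytes(range(16))                                  # constructed key
    p1, p2 = b"GET /index.html HTTP/1.1", b"POST /login user=alice"
    client = Client(patched)
    client.on_message3(tk)
    pn1, c1 = client.send(p1)
    client.on_message3(tk)                                 # retransmitted message 3
    pn2, c2 = client.send(p2)
    return pn1, pn2, xor(c1, c2) == xor(p1, p2)

if __name__ == "__main__":
    print("unpatched:", run(False))
    print("patched:  ", run(True))
```

With the unpatched client both frames carry the same packet number, so the keystream cancels out and the XOR of the two ciphertexts equals the XOR of the two plaintexts; the patched client keeps counting and the relation no longer holds.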

Exploitation
The researchers demonstrated a PoC against an Android smartphone in which they were able to decrypt the data transmitted by the target. In some scenarios, decryption of received data is also possible. The exploitation methods against Android 6.0 and Linux are quite potent, as the attacker is able to force the target to use an all-zero encryption key. Mathy Vanhoef has released a PoC to test whether an access point is vulnerable to KRACK.

Mitigation
– Please refer to the CERT/CC for a list of affected products and apply the patches accordingly. A coordinated release was put into place by members of the ICASI.

– The Windows operating system is vulnerable only to CVE-2017-13080. Microsoft has addressed this vulnerability in the October 2017 patch release. Please use QID 91411 to detect vulnerable Windows machines.

– The Cisco advisory mentions that CVE-2017-13084 does not affect any product. Currently, workarounds are present only for CVE-2017-13082. Please refer to the official Cisco advisory for the same.

– We request organizations to scan their networks with the QIDs listed below to detect vulnerable targets. This section will be updated as Qualys releases more detections for supported vendors.

CVE(s): CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
QID 176179: Debian Security Update for wpa (DSA 3999-1)
QID 196947: Ubuntu Security Notification for Wpa Vulnerabilities (USN-3455-1) (KRACK Attack)
QID 157578: Oracle Enterprise Linux Security Update for wpa_supplicant (ELSA-2017-2907) (KRACK Attack)
QID 276929: Fedora Security Update for wpa_supplicant (FEDORA-2017-60bfb576b7)
QID 276928: Fedora Security Update for wpa_supplicant (FEDORA-2017-12e76e8364)

CVE(s): CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088
QID 170428: SUSE Enterprise Linux Security Update for wpa_supplicant (SUSE-SU-2017:2752-1) (KRACK Attack)
QID 170424: SUSE Enterprise Linux Security Update for wpa_supplicant (SUSE-SU-2017:2745-1) (KRACK Attack)

CVE(s): CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
QID 236530: Red Hat Update for wpa_supplicant (RHSA-2017:2907)
QID 256319: CentOS Security Update for wpa_supplicant (CESA-2017:2907) (KRACK)

CVE(s): CVE-2017-13080
QID 91411: Microsoft Windows Security Update October 2017

CVE(s): CVE-2017-13077, CVE-2017-13080, CVE-2017-13078, CVE-2017-13079, CVE-2017-13081, CVE-2017-13082, CVE-2017-13087
QID 157579: Oracle Enterprise Linux Security Update for wpa_supplicant (ELSA-2017-2911) (KRACK Attack)

CVE(s): CVE-2017-13077, CVE-2017-13078, CVE-2017-13080, CVE-2017-13087
QID 236531: Red Hat Update for wpa_supplicant (RHSA-2017:2911)
QID 256320: CentOS Security Update for wpa_supplicant (CESA-2017:2911) (KRACK)

CVE(s): CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088
QID 43559: HPE ArubaOS WPA2 Key Reinstallation (KRACKs Attack) Vulnerabilities (ARUBA-PSA-2017-007)

As always please continue to follow ThreatProtect for more coverage on this vulnerability.

References
Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
Black Hat Europe – KEY REINSTALLATION ATTACKS: BREAKING THE WPA2 PROTOCOL
CERT/CC: 228519
ICASI: Wi-Fi Protected Access (WPA) Vulnerabilities
Stream cipher attack
