[clug] WPA2 4-way handshake client vulnerability

steve jenkin sjenkin at canb.auug.org.au
Thu Oct 19 01:49:27 UTC 2017

[update at end]

> On 17 Oct 2017, at 06:51, Chris Smart via linux <linux at lists.samba.org> wrote:
> https://www.krackattacks.com/
> "In a key reinstallation attack, the adversary tricks a victim into
> reinstalling an already-in-use key. This is achieved by manipulating and
> replaying cryptographic handshake messages. When the victim reinstalls
> the key, associated parameters such as the incremental transmit packet
> number (i.e. nonce) and receive packet number (i.e. replay counter) are
> reset to their initial value. Essentially, to guarantee security, a key
> should only be installed and used once. Unfortunately, we found this is
> not guaranteed by the WPA2 protocol. By manipulating cryptographic
> handshakes, we can abuse this weakness in practice....
> Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an
> all-zero encryption key in the 4-way handshake. This was discovered by
> John A. Van Boxtel. As a result, all Android versions higher than 6.0
> are also affected by the attack, and hence can be tricked into
> installing an all-zero encryption key. The new attack works by injecting
> a forged message 1, with the same ANonce as used in the original message
> 1, before forwarding the retransmitted message 3 to the victim."

Thanks to Chris for raising this on the list.

For those playing at home, Debian & Ubuntu released security patches a few days ago. I’d expect Fedora &RedHat would’ve done the same.
Looking at what I presume is the ‘upstream’ code, there might be another round of minor changes to come after some more testing.

My ZTE Android device hasn’t seen a ‘Play Store’ update, but maybe on Nov 6th - but would Google push kernel updates like this?

Hadn’t checked before today, but iiNet has a firmware update dated 'Oct 18’ & another ‘Oct 19’.
But the date on file downloaded is Aug 2015 and the the release/version numbers are the same [HG658 V100 R001 C138 B020]
No email from iiNet about this yet though.

If anyone has good information on how Android kernel updates are going to be rolled out, I’m very interested.



This Seems to be the ‘upstream’ for wpa_suplicant source code

Ubuntu Security Notice USN-3455-1
> Several security issues were fixed in wpa_supplicant.

DSA-3999-1 wpa -- security update


Source code - can’t find the changelog :(

Revision 1976 - (view) (download) (annotate) - [select for diffs] 
Modified Wed May 25 03:07:15 2016 UTC (16 months, 3 weeks ago) by slh-guest 

From downloaded tarballs:

ls -l debian/changelog
-rw-r--r--  1 steve  staff  107252 14 Oct 23:11 debian/changelog

> wpa (2.3-1+deb8u5) jessie-security; urgency=high
>  * Non-maintainer upload by the Security Team.
>  * Add patches to fix WPA protocol vulnerabilities (CVE-2017-13077,
>    CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
>    CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
>    - hostapd: Avoid key reinstallation in FT handshake
>    - Prevent reinstallation of an already in-use group key
>    - Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
>    - Fix PTK rekeying to generate a new ANonce
>    - TDLS: Reject TPK-TK reconfiguration
>    - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used
>    - WNM: Ignore WNM-Sleep Mode Response without pending request
>    - FT: Do not allow multiple Reassociation Response frames
>    - TDLS: Ignore incoming TDLS Setup Response retries
> -- Yves-Alexis Perez <corsac at debian.org>  Sat, 14 Oct 2017 14:11:26 +0200

Steve Jenkin, IT Systems and Design 
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA

mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

More information about the linux mailing list