[clug] WPA2 4-way handshake client vulnerability
sjenkin at canb.auug.org.au
Thu Oct 19 01:49:27 UTC 2017
[update at end]
> On 17 Oct 2017, at 06:51, Chris Smart via linux <linux at lists.samba.org> wrote:
> "In a key reinstallation attack, the adversary tricks a victim into
> reinstalling an already-in-use key. This is achieved by manipulating and
> replaying cryptographic handshake messages. When the victim reinstalls
> the key, associated parameters such as the incremental transmit packet
> number (i.e. nonce) and receive packet number (i.e. replay counter) are
> reset to their initial value. Essentially, to guarantee security, a key
> should only be installed and used once. Unfortunately, we found this is
> not guaranteed by the WPA2 protocol. By manipulating cryptographic
> handshakes, we can abuse this weakness in practice....
> Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an
> all-zero encryption key in the 4-way handshake. This was discovered by
> John A. Van Boxtel. As a result, all Android versions higher than 6.0
> are also affected by the attack, and hence can be tricked into
> installing an all-zero encryption key. The new attack works by injecting
> a forged message 1, with the same ANonce as used in the original message
> 1, before forwarding the retransmitted message 3 to the victim."
Thanks to Chris for raising this on the list.
For those playing at home, Debian & Ubuntu released security patches a few days ago. I’d expect Fedora &RedHat would’ve done the same.
Looking at what I presume is the ‘upstream’ code, there might be another round of minor changes to come after some more testing.
My ZTE Android device hasn’t seen a ‘Play Store’ update, but maybe on Nov 6th - but would Google push kernel updates like this?
Hadn’t checked before today, but iiNet has a firmware update dated 'Oct 18’ & another ‘Oct 19’.
But the date on file downloaded is Aug 2015 and the the release/version numbers are the same [HG658 V100 R001 C138 B020]
No email from iiNet about this yet though.
If anyone has good information on how Android kernel updates are going to be rolled out, I’m very interested.
This Seems to be the ‘upstream’ for wpa_suplicant source code
Ubuntu Security Notice USN-3455-1
> Several security issues were fixed in wpa_supplicant.
DSA-3999-1 wpa -- security update
Source code - can’t find the changelog :(
Revision 1976 - (view) (download) (annotate) - [select for diffs]
Modified Wed May 25 03:07:15 2016 UTC (16 months, 3 weeks ago) by slh-guest
From downloaded tarballs:
ls -l debian/changelog
-rw-r--r-- 1 steve staff 107252 14 Oct 23:11 debian/changelog
> wpa (2.3-1+deb8u5) jessie-security; urgency=high
> * Non-maintainer upload by the Security Team.
> * Add patches to fix WPA protocol vulnerabilities (CVE-2017-13077,
> CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
> CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
> - hostapd: Avoid key reinstallation in FT handshake
> - Prevent reinstallation of an already in-use group key
> - Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
> - Fix PTK rekeying to generate a new ANonce
> - TDLS: Reject TPK-TK reconfiguration
> - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used
> - WNM: Ignore WNM-Sleep Mode Response without pending request
> - FT: Do not allow multiple Reassociation Response frames
> - TDLS: Ignore incoming TDLS Setup Response retries
> -- Yves-Alexis Perez <corsac at debian.org> Sat, 14 Oct 2017 14:11:26 +0200
Steve Jenkin, IT Systems and Design
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA
mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
More information about the linux