KRACK – Key Reinstallation Attacks – WPA2 Vulnerabilities

OVERVIEW

A weakness affecting almost all implementations of the Wi-Fi Protected Access 2 (WPA2) protocol has recently been disclosed. By blocking and replaying part of the WPA2 handshake, an attacker can trick a device into reinstalling a session key that is already in use, which resets the packet counters tied to that key and causes encryption nonces to be reused. An attacker within radio range of an access point or client who has established a man-in-the-middle position between the two can use KRACK (Key Reinstallation Attack) to decrypt packets, replay frames, inject HTTP content and hijack TCP connections. The attack does not recover the Wi-Fi password.

THREAT INTELLIGENCE

At this time we are not aware of this vulnerability being exploited in the wild; however, the researcher who discovered it has demonstrated a proof-of-concept exploit against an Android smartphone. The Masergy Threat Intelligence team will continue to monitor for updates as more information becomes available.

VULNERABILITIES

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

SYSTEMS AFFECTED

Any device supporting WPA (WPA1) or WPA2 is likely vulnerable to at least one of the attacks, because the weakness is in the protocol's handshake state machine rather than in one vendor's code; both personal (pre-shared key) and enterprise (802.1X) networks use the same handshakes. The 4-way, group-key, PeerKey, TDLS and WNM Sleep Mode variants (every CVE above except CVE-2017-13082) affect clients, including access points that act as clients in repeater or bridge modes; CVE-2017-13082 affects access points that support 802.11r (fast BSS transition).

TECHNICAL SUMMARY

The main attack is against the 4-way handshake of the WPA2 protocol. This handshake is performed when a client joins a protected Wi-Fi network; it confirms that both sides hold the correct credentials and negotiates a fresh pairwise encryption key that is used to encrypt all subsequent traffic. The client installs that key when it receives message 3 of the handshake. Because message 3 may be lost, the access point retransmits it if it does not receive the client's message 4, and the standard requires the client to accept the retransmission; when it does, the client reinstalls the same key and, in doing so, resets the incremental transmit packet number (nonce) and receive replay counter associated with it. In a key reinstallation attack, the attacker blocks message 4 so that message 3 is retransmitted, then replays that retransmission to the victim. The key itself is unchanged, but the reused nonce means the same keystream encrypts different packets, which lets the attacker decrypt and replay traffic; with TKIP or GCMP the attacker can also forge packets. The impact is worst on Android 6.0 and later and on Linux systems running wpa_supplicant 2.4 or later at the time of disclosure, which clear the key from memory after first installing it and therefore install an all-zero key on the replayed message 3, making decryption trivial.
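
The mechanism above, as an added example that is not part of the original advisory or of the researchers' code. It simulates a client that installs its pairwise key on message 3, is made to reinstall the same key on a replayed message 3, and sends two frames under one nonce; the attacker then recovers the second frame from the first using a known plaintext, and a defender-side monitor flags the packet-number reset. AES-GCM from the Go standard library stands in for CCMP's AES-CCM (GCMP, the other 802.11 cipher affected by KRACK, is GCM); the key, transmitter address and frame payloads are constructed, and the Station, PNMonitor and RecoverByKeystreamReuse names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Station models the transmit side of a WPA2 client. Real CCMP is AES-CCM with
// nonce = transmitter address || 48-bit packet number (PN); this example uses
// AES-GCM, which shares the property that matters: keystream depends only on (key, nonce).
type Station struct {
	addr []byte // 6-byte transmitter address (constructed)
	aead cipher.AEAD
	pn   uint64 // packet number; must never repeat under one key
}

// InstallKey is what a client does on message 3 of the 4-way handshake: install
// the temporal key (TK) and reset the PN to zero. Re-installing the same TK on
// a replayed message 3 (the KRACK bug) rewinds the nonce.
func (s *Station) InstallKey(tk []byte) {
	block, err := aes.NewCipher(tk) // CCMP uses AES-128, so tk is 16 bytes
	if err != nil {
		panic(err)
	}
	s.aead, _ = cipher.NewGCM(block) // cannot fail for a 16-byte block cipher
	s.pn = 0
}

// Encrypt increments the PN and seals one frame; nonce = addr || low 48 bits
// of the PN, mirroring how CCMP builds its nonce.
func (s *Station) Encrypt(plain []byte) (pn uint64, nonce, ct []byte) {
	s.pn++
	var pnBytes [8]byte
	binary.BigEndian.PutUint64(pnBytes[:], s.pn)
	nonce = append(append([]byte{}, s.addr...), pnBytes[2:]...)
	return s.pn, nonce, s.aead.Seal(nil, nonce, plain, nil)
}

// RecoverByKeystreamReuse is the attacker's step: ciphertext is plaintext XOR
// keystream followed by a 16-byte tag, so one known plaintext yields the
// keystream, which decrypts any other frame sent under the same (key, nonce).
func RecoverByKeystreamReuse(knownCT, knownPT, targetCT []byte) []byte {
	n := len(knownPT)
	if m := len(targetCT) - 16; m < n {
		n = m
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = targetCT[i] ^ knownCT[i] ^ knownPT[i]
	}
	return out
}

// PNMonitor is the defender's check: per transmitter, the PN must strictly increase
// for the lifetime of a key. A repeated or lower PN is the symptom of a reinstallation.
type PNMonitor struct{ last map[string]uint64 }

func NewPNMonitor() *PNMonitor { return &PNMonitor{last: map[string]uint64{}} }

// Observe returns true when pn is not above the highest PN seen from addr.
func (m *PNMonitor) Observe(addr []byte, pn uint64) bool {
	prev, seen := m.last[string(addr)]
	if !seen || pn > prev {
		m.last[string(addr)] = pn
	}
	return seen && pn <= prev
}

// Constructed frame payloads for the scenario (not captured traffic).
var (
	Packet1 = []byte("GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
	Packet2 = []byte("Cookie: session=1a2b3c4d5e6f; auth=yes")
)

// RunScenario plays the attack: install TK, send one frame, reinstall the same TK
// on a replayed message 3, send a second frame that now shares the first's nonce.
func RunScenario() (nonceReused bool, recovered []byte, flagged bool) {
	tk := []byte("constructed-tk16") // PTK-TK from the handshake; the attacker never learns it
	sta := &Station{addr: []byte{0x02, 0, 0, 0, 0, 0x01}}
	mon := NewPNMonitor()
	sta.InstallKey(tk) // message 3 arrives: key installed, PN = 0
	pn1, n1, c1 := sta.Encrypt(Packet1)
	mon.Observe(sta.addr, pn1)
	sta.InstallKey(tk) // replayed message 3: same TK re-installed, PN rewound
	pn2, n2, c2 := sta.Encrypt(Packet2)
	flagged = mon.Observe(sta.addr, pn2)
	nonceReused = bytes.Equal(n1, n2)
	recovered = RecoverByKeystreamReuse(c1, Packet1, c2)
	return
}

func main() {
	reused, rec, flagged := RunScenario()
	fmt.Println("nonce reused:", reused, "PN reset flagged:", flagged, "recovered:", string(rec))
}
```

Against real traffic the monitor's input would be the PN field parsed from the CCMP header of each data frame, and the attacker's known plaintext would be a predictable frame such as a DHCP or DNS request; the point the code makes is that the key is never recovered and never needs to be.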

For more details please reference Vanhoef and Piessens’ paper.

RECOMMENDATIONS

We recommend the following actions be taken:

  • Install security updates for your access points and clients as soon as they are available. US-CERT is maintaining a database of vendor advisories. Patching a client protects that client's traffic even against an unpatched access point, because the main attack targets the client side of the handshake; the 802.11r variant (CVE-2017-13082) is fixed by patching the access point.
  • On access points, disable client (station) functionality, which is used in repeater and bridge modes, until a patch is applied.
  • Disable 802.11r (fast roaming) on access points until a patch is applied.

REFERENCES

Mathy Vanhoef
www.krackattacks.com
papers.mathyvanhoef.com/ccs2017.pdf

CVE

nvd.nist.gov/vuln/detail/CVE-2017-13077
nvd.nist.gov/vuln/detail/CVE-2017-13078
nvd.nist.gov/vuln/detail/CVE-2017-13079
nvd.nist.gov/vuln/detail/CVE-2017-13080
nvd.nist.gov/vuln/detail/CVE-2017-13081
nvd.nist.gov/vuln/detail/CVE-2017-13082
nvd.nist.gov/vuln/detail/CVE-2017-13084
nvd.nist.gov/vuln/detail/CVE-2017-13086
nvd.nist.gov/vuln/detail/CVE-2017-13087
nvd.nist.gov/vuln/detail/CVE-2017-13088

US-CERT
www.kb.cert.org/vuls/id/228519

Bleeping Computer
www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/