A weakness affecting almost all implementations of the Wi-Fi Protected Access 2 (WPA2) protocol, Wi-Fi Protected Access 2, has recently been disclosed. The WPA2 handshake can be altered to reinstall a key that is already in use by replaying a portion of the handshake message and reinstalling a session key that is already in use. An attacker within range of an access point or client may be able to use KRACK (Key Reinstallation Attack) to decrypt packets, inject HTTP content, hijack TCP connections, and perform out of sequence reception and retransmission once a Man-in-the-Middle session is established.
At this time we are not aware of this vulnerability being exploited in the wild, however the researcher who discovered the vulnerability has demonstrated a proof-of-concept exploit against an Android smartphone. The Masergy Our Threat Intelligence team will continue to monitor for updates as more information becomes available.
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Any device supporting WPA1 or WPA2 is likely vulnerable to at least one of the attacks.
The main attack is against the 4-way handshake of the WPA2 protocol. This handshake is performed when a client joins a protected Wi-Fi network and is used during the authentication process. During the 4-way handshake, an encryption key is negotiated that is used to encrypt all subsequent traffic. In a key reinstallation attack, the attacker tricks the victim into reinstalling an already in- use key by manipulating and replaying the cryptographic handshake message. Once the victim installs the manipulated key, the attacker can then replay, decrypt, and forge packets in the conversation.
For more details please reference Vanhoef and Piessens’ paper.
We recommend the following actions be taken:
- Install security updates for your access points and clients as soon as they are available. The US-CERT is maintaining a database of vendor advisories.
- Disable client functionality (used in repeater modes).
- Disable 802.11r (fast roaming).