WPA2 4-way handshake client vulnerability

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

WPA2 4-way handshake client vulnerability

Samba - linux mailing list
https://www.krackattacks.com/

"In a key reinstallation attack, the adversary tricks a victim into
reinstalling an already-in-use key. This is achieved by manipulating and
replaying cryptographic handshake messages. When the victim reinstalls
the key, associated parameters such as the incremental transmit packet
number (i.e. nonce) and receive packet number (i.e. replay counter) are
reset to their initial value. Essentially, to guarantee security, a key
should only be installed and used once. Unfortunately, we found this is
not guaranteed by the WPA2 protocol. By manipulating cryptographic
handshakes, we can abuse this weakness in practice....

Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an
all-zero encryption key in the 4-way handshake. This was discovered by
John A. Van Boxtel. As a result, all Android versions higher than 6.0
are also affected by the attack, and hence can be tricked into
installing an all-zero encryption key. The new attack works by injecting
a forged message 1, with the same ANonce as used in the original message
1, before forwarding the retransmitted message 3 to the victim."

--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux
Reply | Threaded
Open this post in threaded view
|

Re: WPA2 4-way handshake client vulnerability

Samba - linux mailing list
[update at end]

> On 17 Oct 2017, at 06:51, Chris Smart via linux <[hidden email]> wrote:
>
> https://www.krackattacks.com/
>
> "In a key reinstallation attack, the adversary tricks a victim into
> reinstalling an already-in-use key. This is achieved by manipulating and
> replaying cryptographic handshake messages. When the victim reinstalls
> the key, associated parameters such as the incremental transmit packet
> number (i.e. nonce) and receive packet number (i.e. replay counter) are
> reset to their initial value. Essentially, to guarantee security, a key
> should only be installed and used once. Unfortunately, we found this is
> not guaranteed by the WPA2 protocol. By manipulating cryptographic
> handshakes, we can abuse this weakness in practice....
>
> Linux's wpa_supplicant v2.6 is also vulnerable to the installation of an
> all-zero encryption key in the 4-way handshake. This was discovered by
> John A. Van Boxtel. As a result, all Android versions higher than 6.0
> are also affected by the attack, and hence can be tricked into
> installing an all-zero encryption key. The new attack works by injecting
> a forged message 1, with the same ANonce as used in the original message
> 1, before forwarding the retransmitted message 3 to the victim."
>
> —


Thanks to Chris for raising this on the list.

For those playing at home, Debian & Ubuntu released security patches a few days ago. I’d expect Fedora &RedHat would’ve done the same.
Looking at what I presume is the ‘upstream’ code, there might be another round of minor changes to come after some more testing.

My ZTE Android device hasn’t seen a ‘Play Store’ update, but maybe on Nov 6th - but would Google push kernel updates like this?
<https://www.androidcentral.com/krack>

Hadn’t checked before today, but iiNet has a firmware update dated 'Oct 18’ & another ‘Oct 19’.
But the date on file downloaded is Aug 2015 and the the release/version numbers are the same [HG658 V100 R001 C138 B020]
No email from iiNet about this yet though.
<http://ftp.iinet.net.au/pub/iinet/firmware/HomeGateway/HuaweiHG658/>

If anyone has good information on how Android kernel updates are going to be rolled out, I’m very interested.

regards
steve

====================

This Seems to be the ‘upstream’ for wpa_suplicant source code
<http://w1.fi/gitweb/gitweb.cgi?p=hostap.git;a=summary>

Ubuntu Security Notice USN-3455-1
<https://usn.ubuntu.com/usn/usn-3455-1/>
> Several security issues were fixed in wpa_supplicant.

DSA-3999-1 wpa -- security update
<https://www.debian.org/security/2017/dsa-3999>

Jessie
<https://packages.debian.org/source/jessie/wpa>
<https://packages.debian.org/jessie/wpasupplicant>
<https://packages.debian.org/jessie/hostapd>

Source code - can’t find the changelog :(
<https://anonscm.debian.org/viewvc/pkg-wpa/wpa/trunk/>

<https://anonscm.debian.org/viewvc/pkg-wpa/wpa/trunk/debian/changelog?view=log>
Revision 1976 - (view) (download) (annotate) - [select for diffs]
Modified Wed May 25 03:07:15 2016 UTC (16 months, 3 weeks ago) by slh-guest

From downloaded tarballs:
wpa_2.3-1+deb8u5.debian.tar.xz

ls -l debian/changelog
-rw-r--r--  1 steve  staff  107252 14 Oct 23:11 debian/changelog

> wpa (2.3-1+deb8u5) jessie-security; urgency=high
>
>  * Non-maintainer upload by the Security Team.
>  * Add patches to fix WPA protocol vulnerabilities (CVE-2017-13077,
>    CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081,
>    CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088):
>    - hostapd: Avoid key reinstallation in FT handshake
>    - Prevent reinstallation of an already in-use group key
>    - Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
>    - Fix PTK rekeying to generate a new ANonce
>    - TDLS: Reject TPK-TK reconfiguration
>    - WNM: Ignore WNM-Sleep Mode Response if WNM-Sleep Mode has not been used
>    - WNM: Ignore WNM-Sleep Mode Response without pending request
>    - FT: Do not allow multiple Reassociation Response frames
>    - TDLS: Ignore incoming TDLS Setup Response retries
>
> -- Yves-Alexis Perez <[hidden email]>  Sat, 14 Oct 2017 14:11:26 +0200


--
Steve Jenkin, IT Systems and Design
0412 786 915 (+61 412 786 915)
PO Box 38, Kippax ACT 2615, AUSTRALIA

mailto:[hidden email] http://members.tip.net.au/~sjenkin


--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux
Reply | Threaded
Open this post in threaded view
|

Fwd: WPA2 4-way handshake client vulnerability

Samba - linux mailing list
On 19 October 2017 at 12:49, steve jenkin via linux <[hidden email]>
wrote:

> [update at end]
>
> > On 17 Oct 2017, at 06:51, Chris Smart via linux <[hidden email]>
> wrote:
> >
> > https://www.krackattacks.com/
> >
>
> <SNIP>

>
> If anyone has good information on how Android kernel updates are going to
> be rolled out, I’m very interested.
>
>
> I suspect it'll be the usual - AOSP willl be updated with patches for the
kernel and wpa_supplicant  (wpa_supplicant seems to be where the real
trouble is, particularly for Linux and Android), and vendors will issue
patches for their hardware. ie, nothing much will happen unless you have a
recent flagship.


Simon
--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux
Reply | Threaded
Open this post in threaded view
|

Re: WPA2 4-way handshake client vulnerability

Samba - linux mailing list
In reply to this post by Samba - linux mailing list
Thanks, Steve:

> Hadn’t checked before today, but iiNet has a firmware update dated 'Oct 18’ & another ‘Oct 19’.
> But the date on file downloaded is Aug 2015 and the the release/version numbers are the same [HG658 V100 R001 C138 B020]

I just updated firmware for my BudiiLite ADSL router.
BudiiLite_nand_fs_image_128_1300.bin
That's dated this morning.
http://ftp.iinet.net.au/pub/iinet/firmware/BudiiLite/

In iiNet's Budii Lite login page--Firefox reports this about the modem
password field. "This connection is not secure. Logins entered here
could be compromised."
--
members.iinet.net.au/~kilgallin/

--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: WPA2 4-way handshake client vulnerability

Samba - linux mailing list
In reply to this post by Samba - linux mailing list
Simon Oxwell via linux <[hidden email]> writes:

> On 19 October 2017 at 12:49, steve jenkin via linux <[hidden email]>
> wrote:
>> [update at end]
>>
>> > On 17 Oct 2017, at 06:51, Chris Smart via linux <[hidden email]>
>> wrote:
>> >
>> > https://www.krackattacks.com/
>>
>> <SNIP>
>
>> If anyone has good information on how Android kernel updates are going to
>> be rolled out, I’m very interested.

> I suspect it'll be the usual - AOSP willl be updated with patches for the
> kernel and wpa_supplicant  (wpa_supplicant seems to be where the real
> trouble is, particularly for Linux and Android)

As far as I've seen there is no fix for the kernel, it's all in
wpa_supplicant.

cheers

--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux
Reply | Threaded
Open this post in threaded view
|

Re: WPA2 4-way handshake client vulnerability

Samba - linux mailing list
In reply to this post by Samba - linux mailing list
On Thu, 2017-10-19 at 18:55 +1100, Bryan Kilgallin via linux wrote:

> Thanks, Steve:
>
> > Hadn’t checked before today, but iiNet has a firmware update dated
> > 'Oct 18’ & another ‘Oct 19’.
> > But the date on file downloaded is Aug 2015 and the the
> > release/version numbers are the same [HG658 V100 R001 C138 B020]
>
> I just updated firmware for my BudiiLite ADSL router.
> BudiiLite_nand_fs_image_128_1300.bin
> That's dated this morning.
> http://ftp.iinet.net.au/pub/iinet/firmware/BudiiLite/
>
> In iiNet's Budii Lite login page--Firefox reports this about the
> modem
> password field. "This connection is not secure. Logins entered here
> could be compromised."

I've got a simmilar router, and I belive this is because the connection
is over HTTP.  Firefox now shows that message for any login forms on a
non-HTTPS site.
It is actually a bit of a problem - there is no real good solution for
bringing HTTPS to devices that don't have public IP addresses.
> --
> members.iinet.net.au/~kilgallin/
>
--
Thanks,
Sam

Check out this narrative tech podcast: https://www.sam.today/podcast/

https://www.sam.today/
--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux
Reply | Threaded
Open this post in threaded view
|

Re: WPA2 4-way handshake client vulnerability

Samba - linux mailing list
On Mon, Oct 23, 2017 at 8:55 AM, Sam Parkinson via linux
<[hidden email]> wrote:
...
>
> I've got a simmilar router, and I belive this is because the connection
> is over HTTP.  Firefox now shows that message for any login forms on a
> non-HTTPS site.
> It is actually a bit of a problem - there is no real good solution for
> bringing HTTPS to devices that don't have public IP addresses.

It's called IPv6 :-)

Doesn't help with iiNet though, as they still don't offer IPv6 to home
customers.

--

        cheers,
        Hugh Fisher

--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux
Reply | Threaded
Open this post in threaded view
|

Re: WPA2 4-way handshake client vulnerability

Samba - linux mailing list
In reply to this post by Samba - linux mailing list
On Thu, Oct 19, 2017 at 12:49:27PM +1100, linux wrote:
> ...
>
> Source code - can???t find the changelog :(
> <https://anonscm.debian.org/viewvc/pkg-wpa/wpa/trunk/>
>
git clone git://w1.fi/hostap.git
cd hostap
git log

Cheers ... Duncan.

--
linux mailing list
[hidden email]
https://lists.samba.org/mailman/listinfo/linux