
A Weakness in the WPA2 Wireless Protocol Could Allow for Information Disclosure

MS-ISAC ADVISORY NUMBER:

2017-098

DATE(S) ISSUED:

10/16/2017

OVERVIEW:

A weakness was identified in the WPA2 wireless protocol handshake. Wi-Fi Protected Access 2 (WPA2) is the current standard protocol used to secure communications between wireless access points (WAPs) and client devices. Successful exploitation of this weakness, depending on the network environment, could allow for an attacker to decrypt Wi-Fi traffic, perform content injection, or hijack TCP connections to obtain sensitive information such as financial data, passwords, and emails. This information can allow for an attacker to perform additional attacks on a network, as well as compromise the sensitive information of affected users.

THREAT INTELLIGENCE:

There are no reports of this weakness being exploited in the wild. However, there is proof of concept code available, as well as a research paper detailing the specifics of this weakness. The whitepaper written by the researchers who discovered this protocol weakness is available at the following website: https://www.krackattacks.com/

SYSTEMS AFFECTED:

  • This protocol weakness affects the implementation of the WPA2 protocol itself, and therefore affects any Wi-Fi enabled devices using WPA2 encryption to communicate with a WAP. This weakness does not affect devices using other wireless encryption protocols or communicating with WAPs without any encryption protocols. Some vendors have released patches for the implementation of the WPA2 protocol. For a list of these vendors please see the CERT advisory page: https://www.kb.cert.org/vuls/id/228519

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

The WPA2 protocol has a weakness that allows an attacker in a man-in-the-middle (MITM) position to perform a Key Reinstallation Attack (KRACK). The attacker exploits this weakness by replaying specially crafted packets from the 4-way handshake used to authenticate clients to WPA2 protected networks. This weakness extends to messages in other components such as the WPA2 Four-way, Group Key, Fast Basic Service Set (BSS) Transition, PeerKey, Tunneled Direct-Link Setup (TDLS) PeerKey (TPK), or Wireless Network Management (WNM) Sleep Mode handshakes, where an attacker can manipulate these handshakes to compromise their cryptographic security. These manipulations reset nonces and replay counters, which causes encryption keys to be reused. Reused encryption keys are susceptible to decryption, which can lead to further attacks.
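The following added example (not part of the original advisory, and not code from any vendor or from the researchers) models why a nonce reset under an unchanged key is harmful and what a fix changes. The `Client` class, the SHA-256 counter-mode keystream used as a stand-in for CCMP, and the sample frames are all assumptions made for illustration.

```python
import hashlib

P1 = b"GET /login HTTP/1.1"   # constructed sample frames, equal length
P2 = b"password=hunter2!!!"

def keystream(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode. A stand-in for CCMP, not WPA2 itself."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical supplicant model: install_key() runs for every handshake message 3."""
    def __init__(self, patched):
        self.patched, self.key, self.nonce = patched, None, 0

    def install_key(self, key):
        if self.patched and key == self.key:
            return            # modelled fix: never reinstall a key already in use
        self.key = key
        self.nonce = 0        # installing a key resets the transmit nonce

    def send(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run(patched):
    """Send a frame, process a retransmitted message 3, send a second frame."""
    key = hashlib.sha256(b"constructed session key").digest()
    client = Client(patched)
    client.install_key(key)
    n1, ct1 = client.send(P1)
    client.install_key(key)   # retransmitted handshake message 3
    n2, ct2 = client.send(P2)
    # With a repeated nonce the keystream cancels: ct1 ^ ct2 == P1 ^ P2.
    return n1, n2, xor(ct1, ct2)

if __name__ == "__main__":
    for patched in (False, True):
        n1, n2, mixed = run(patched)
        print(f"patched={patched} nonces=({n1},{n2}) keystream_cancelled={mixed == xor(P1, P2)}")
```

In the unpatched model both frames are encrypted with nonce 1, so the XOR of the two ciphertexts equals the XOR of the two plaintexts without the key being known; in the patched model the nonces differ and that relation no longer holds.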

The following CVEs cover different instantiations of the WPA2 protocol weakness:

  • A protocol weakness allows for the reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake (CVE-2017-13077).
  • A protocol weakness allows for the reinstallation of the group key (GTK) in the 4-way handshake (CVE-2017-13078).
  • A protocol weakness allows for the reinstallation of the integrity group key (IGTK) in the 4-way handshake (CVE-2017-13079).
  • A protocol weakness allows for the reinstallation of the group key (GTK) in the group key handshake (CVE-2017-13080).
  • A protocol weakness allows for the reinstallation of the integrity group key (IGTK) in the group key handshake (CVE-2017-13081).
  • A protocol weakness allows for the acceptance of a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it (CVE-2017-13082).
  • A protocol weakness allows for the reinstallation of the STK key in the PeerKey handshake (CVE-2017-13084).
  • A protocol weakness allows for the reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake (CVE-2017-13086).
  • A protocol weakness allows for the reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame (CVE-2017-13087).
  • A protocol weakness allows for the reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame (CVE-2017-13088).

Successful exploitation of this weakness, depending on the network environment, could allow for an attacker to decrypt Wi-Fi traffic, perform content injection, or hijack TCP connections to obtain sensitive information such as financial data, passwords, emails, and more. This information can allow for an attacker to perform additional attacks on a network, as well as compromise the sensitive information of affected users.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by affected vendors as soon as possible after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services to mitigate further attacks with successfully compromised credentials.
  • Employ procedures to detect and remove rogue access points or evil twin devices to mitigate the potential for Man-in-the-Middle (MITM) attacks.
  • Verify all guest wireless networks are segmented from business networks to prevent unpatched guest devices from affecting business assets.
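One way to implement the rogue access point and evil twin check from the recommendations, as an added example that is not part of the original advisory: compare beacons seen by a wireless survey against an inventory of authorised access points. The `Beacon` fields, the inventory, the SSIDs and BSSIDs, and the finding names are constructed assumptions; feed it from whatever survey tooling the site already uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    security: str   # advertised protection, e.g. "WPA2-Enterprise", "WPA2-PSK", "OPEN"

# Constructed inventory of authorised APs: BSSID -> (SSID, channel, security)
AUTHORISED = {
    "02:00:00:aa:00:01": ("corp-wifi", 36, "WPA2-Enterprise"),
    "02:00:00:aa:00:02": ("corp-wifi", 149, "WPA2-Enterprise"),
}
PROTECTED_SSIDS = {ssid for ssid, _, _ in AUTHORISED.values()}

# Constructed survey results
OBSERVED = [
    Beacon("corp-wifi", "02:00:00:AA:00:01", 36, "WPA2-Enterprise"),   # matches inventory
    Beacon("corp-wifi", "02:00:00:aa:00:01", 1, "WPA2-Enterprise"),    # known BSSID, wrong channel
    Beacon("corp-wifi", "02:00:00:bb:00:09", 6, "WPA2-PSK"),           # our SSID, unknown BSSID
    Beacon("cafe-guest", "02:00:00:cc:00:03", 11, "OPEN"),             # unrelated neighbour
]

def classify(b):
    """Return a finding label for one observed beacon."""
    known = AUTHORISED.get(b.bssid.lower())
    if known is None:
        # An unknown radio advertising a protected SSID is the evil twin pattern.
        return "evil-twin-suspect" if b.ssid in PROTECTED_SSIDS else "unmanaged"
    ssid, channel, security = known
    if b.ssid != ssid or b.security != security:
        return "config-mismatch"
    if b.channel != channel:
        # A cloned BSSID on another channel, or an AP using automatic channel
        # selection; the latter needs a channel set in the inventory instead.
        return "channel-mismatch"
    return "ok"

def triage(beacons):
    """Return (bssid, finding) pairs that need follow-up, skipping neighbours."""
    findings = [(b.bssid.lower(), classify(b)) for b in beacons]
    return [f for f in findings if f[1] not in ("ok", "unmanaged")]

if __name__ == "__main__":
    for bssid, finding in triage(OBSERVED):
        print(bssid, finding)
```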
