summaryrefslogtreecommitdiff
path: root/source/n/wpa_supplicant/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
diff options
context:
space:
mode:
Diffstat (limited to 'source/n/wpa_supplicant/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt')
-rw-r--r--source/n/wpa_supplicant/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt226
1 files changed, 226 insertions, 0 deletions
diff --git a/source/n/wpa_supplicant/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt b/source/n/wpa_supplicant/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
new file mode 100644
index 00000000..5ccb5098
--- /dev/null
+++ b/source/n/wpa_supplicant/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt
@@ -0,0 +1,226 @@
+WPA packet number reuse with replayed messages and key reinstallation
+
+Published: October 16, 2017
+Identifiers:
+- CERT case ID: VU#228519
+- CVE-2017-13077
+- CVE-2017-13078
+- CVE-2017-13079
+- CVE-2017-13080
+- CVE-2017-13081
+- CVE-2017-13082
+- CVE-2017-13084 (not applicable)
+- CVE-2017-13086
+- CVE-2017-13087
+- CVE-2017-13088
+Latest version available from: https://w1.fi/security/2017-1/
+
+
+Vulnerability
+
+A vulnerability was found in how a number of implementations can be
+triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
+replaying a specific frame that is used to manage the keys. Such
+reinstallation of the encryption key can result in two different types
+of vulnerabilities: disabling replay protection and significantly
+reducing the security of encryption to the point of allowing frames to
+be decrypted or some parts of the keys to be determined by an attacker
+depending on which cipher is used.
+
+This document focuses on the cases that apply to systems using hostapd
+(AP) or wpa_supplicant (station), but it should be noted that the
+generic vulnerability itself is applicable to other implementations and
+may have different impact in other cases.
+
+This vulnerability can in theory apply to any case where a TK (the
+pairwise/unicast encryption key used with TKIP, CCMP, GCMP), a GTK
+(group/multicast encryption key), or an IGTK (group management frame
+integrity protection key) is configured by the Authentication/Supplicant
+component to the WLAN driver/firmware taking care of the TX/RX path and
+encryption/decryption of frames.
+
+If the same key is configured multiple times, it is likely that the
+transmit and receive packet numbers (PN, IPN, RSC/TSC, etc.) are cleared
+to a smaller value (zero in case of pairwise keys, zero or at least a
+smaller value than the last used value in case of group keys). When this
+happens with the same key, this breaks replay protection on RX side and
+can result in reuse of packet numbers on TX side. The former may allow
+replaying of previously delivered packets (without the attacker being
+able to decrypt them or modify their contents) while the latter may
+result in more severe issues on the TX side due to resulting CCM nonce
+replay and related issues with GCMP and TKIP. The TX side issue may make
+it significantly easier for the attacker to decrypt frames and determine
+some parts of the keys (e.g., a Michael MIC key in case of TKIP).
+
+Impact on AP/hostapd
+
+On the AP side, this generic issue has been determined to be applicable
+in the case where hostapd is used to operate an RSN/WPA2 network with FT
+(Fast BSS Transition from IEEE 802.11r) enabled. Replaying of the
+Reassociation Request frame can be used to get the AP reinstalling the
+TK which results in the AP accepting previously delivered unicast frames
+from the station and the AP reusing previously used packet numbers
+(local TX packet number gets reset to zero). This latter issue on the TX
+side can result in CCM nonce reuse which invalidates CCMP security
+properties. In case of TKIP this can result in the attacker being able
+to determine part of the TK more easily and with GCMP, result in similar
+issues.
+
+It should be noted that the AP side issue with FT would be close to
+applying to FILS authentication (from IEEE 802.11ai) in hostapd with
+replaying of (Re)Association Request frames. However, due to a different
+handling of the repeated association processing with FILS, this would
+actually result in the station getting immediately disconnected which
+prevents this attack in practice. In addition, the FILS implementation
+in the current hostapd version is still experimental and documented as
+being discouraged in production use cases.
+
+Another area of potentially reduced security was identified when looking
+into these issues. When AP/Authenticator implementation in hostapd is
+requested to rekey the PTK without performing EAP reauthentication
+(either through local periodic rekeying or due to a request from an
+association station), the ANonce value does not get updated. This
+results in the new 4-way handshake depending on the station/supplicant
+side generating a new, unique (for the current PMK/PSK) SNonce for the
+PTK derivation to result in a new key. While a properly working
+supplicant would do so, if there is a supplicant implementation that
+does not, this combination could result in deriving the same PTK
+again. When the TK from that PTK gets configured in the driver, this
+would result in reinstalling the same key and the same issues as
+described above for the FT protocol case.
+
+Impact on station/wpa_supplicant
+
+On the station side, this generic issue has been determined to be
+applicable in the cases where wpa_supplicant processes a group key (GTK
+or IGTK) update from the AP. An attacker that is able to limit access
+to frame delivery may be able to extract two update messages and deliver
+those to the station with significant time delay between them. When
+wpa_supplicant processes the second message, it may end up reinstalling
+the same key to the driver and when doing this, clear the RX packet
+number to an old value. This would allow the attacker to replay all
+group-addressed frames that the AP sent between the time the key update
+message was originally sent and the time when the attacker forwarded the
+second frame to the station. The attacker would not be able to decrypt
+or modify the frames based on this vulnerability, though. There is an
+exception to this with older wpa_supplicant versions as noted below in
+version specific notes.
+
+For the current wpa_supplicant version (v2.6), there is also an
+additional EAPOL-Key replay sequence where an additional forged
+EAPOL-Key message can be used to bypass the existing protection for the
+pairwise key reconfiguration in a manner that ends up configuring a
+known TK that an attacker could use to decrypt any frame sent by the
+station and to inject arbitrary unicast frames. Similar issues are
+reachable in older versions as noted below.
+
+PeerKey / TDLS PeerKey
+
+As far as the related CVE-2017-13084 (reinstallation of the STK key in
+the PeerKey handshake) is concerned, it should be noted that PeerKey
+implementation in wpa_supplicant is not fully functional and the actual
+installation of the key into the driver does not work. As such, this
+item is not applicable in practice. Furthermore, the PeerKey handshake
+for IEEE 802.11e DLS is obsolete and not known to have been deployed.
+
+As far as the TDLS PeerKey handshake is concerned (CVE-2017-13086),
+wpa_supplicant implementation is already rejecting TPK M2 retries, so
+the reconfiguration issue cannot apply for it. For TPK M3, there is a
+theoretical impact. However, if that frame is replayed, the current
+wpa_supplicant implementation ends up tearing down the TDLS link
+immediately and as such, there is no real window for performing the
+attack. Furthermore, TPK M3 goes through the AP path and if RSN is used
+there, that frame has replay protection, so the attacker could not
+perform the attack. If the AP path were to use WEP, the frame could be
+replayed, though. That said, if WEP is used on the AP path, it would be
+fair to assume that there is no security in the network, so a new attack
+vector would be of small additional value.
+
+With older wpa_supplicant versions, it may be possible for an attacker
+to cause TPK M2 to be retransmitted with delay that would be able to
+trigger reinstallation of TK on the peer receiving TPK M2
+(CVE-2017-13086). This may open a short window for the attack with v2.3,
+v2.4, and v2.5; and a longer window with older versions.
+
+Vulnerable versions/configurations
+
+For the AP/Authenticator TK (unicast) reinstallation in FT protocol
+(CVE-2017-13082):
+
+hostapd v0.7.2 and newer with FT enabled (i.e., practically all versions
+that include full FT implementation). FT needs to be enabled in the
+runtime configuration to make this applicable.
+
+For the AP/Authenticator missing ANonce during PTK rekeying:
+
+All hostapd versions.
+
+For the station/Supplicant side GTK/IGTK reinstallation and TK
+configuration:
+
+All wpa_supplicant versions. The impact on older versions can be more
+severe due to earlier changes in this area: v2.3 and older can also
+reinstall the pairwise key and as such have similar impact as the AP FT
+case (CVE-2017-13077); v2.4 and v2.5 end up configuring an all-zero TK
+which breaks the normal data path, but could allow an attacker to
+decrypt all following frames from the station and to inject arbitrary
+frames to the station. In addition, a different message sequence
+involving 4-way handshake can result in configuration of an all-zero TK
+in v2.6 and the current snapshot of the development repository as of the
+publication of this advisory.
+
+
+Acknowledgments
+
+Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
+Leuven for discovering and reporting this issue. Thanks to John A. Van
+Boxtel for finding additional issues related to this topic.
+
+
+Possible mitigation steps
+
+- For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to
+ prevent the issue temporarily by disabling FT in runtime
+ configuration, if needed before being able to update the
+ implementations.
+
+- Merge the following commits to hostapd/wpa_supplicant and rebuild them:
+
+ hostapd and replayed FT reassociation request frame (CVE-2017-13082):
+ hostapd: Avoid key reinstallation in FT handshake
+
+ hostapd PTK rekeying and ANonce update:
+ Fix PTK rekeying to generate a new ANonce
+
+ wpa_supplicant and GTK/IGTK rekeying (CVE-2017-13078, CVE-2017-13079,
+ CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
+ Prevent reinstallation of an already in-use group key
+ Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases
+
+ wpa_supplicant (v2.6 or newer snapshot) and known TK issue:
+ Prevent installation of an all-zero TK
+
+ Additional protection steps for wpa_supplicant:
+ TDLS: Reject TPK-TK reconfiguration
+ WNM: Ignore WNM-Sleep Mode Response without pending request
+ FT: Do not allow multiple Reassociation Response frames
+
+ These patches are available from https://w1.fi/security/2017-1/
+ (both against the snapshot of hostap.git master branch and rebased on
+ top of the v2.6 release)
+
+ For the TDLS TPK M2 retransmission issue (CVE-2017-13086) with older
+ wpa_supplicant versions, consider updating to the latest version or
+ merge in a commit that is present in v2.6:
+ https://w1.fi/cgit/hostap/commit/?id=dabdef9e048b17b22b1c025ad592922eab30dda8
+ ('TDLS: Ignore incoming TDLS Setup Response retries')
+
+- Update to hostapd/wpa_supplicant v2.7 or newer, once available
+ * it should be noted that there are number of additional changes in
+ the related areas of the implementation to provide extra layer of
+ protection for potential unknown issues; these changes are not
+ included in this advisory as they have not been identified to be
+ critical for preventing any of the identified security
+ vulnerabilities; however, users of hostapd/wpa_supplicant are
+ encouraged to consider merging such changes even if not fully
+ moving to v2.7