Introduction:
The security and Wi-Fi world took a beating when a vulnerability was found in the WPA2 protocol.
The vulnerability was discovered by Mathy Vanhoef, a Wi-Fi security researcher.
He found it while working on another paper.
The problem lies in the 4-way handshake of WPA2.
Some explanation:
When a client connects to an access point, a 4-way handshake is performed to secure the connection.
The final key is installed in message 3 of the handshake. Once the key is installed, data between client and AP is encrypted.
This mechanism has a built-in flaw: when message 3 is not received, the access point resends it. So the client can receive message 3 multiple times from the AP, and each time it reinstalls the key and resets the nonce counter to 0, which means later packets are encrypted under the same key with nonces that were already used.
For a detailed description, visit https://www.krackattacks.com
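To make the consequence of the counter reset concrete, here is an added example (it is not code from this post or from Mathy Vanhoef's research) that models the client side of the handshake. It uses a toy HMAC-based keystream as a stand-in for CCMP's AES-CTR keystream, so it runs with the standard library only; the PTK and frame contents are constructed sample values. The "patched" variant mirrors the fix shipped in patched supplicants, which refuse to reinstall a key that is already in use, and the monotonic packet-number check is the kind of test a monitoring point can apply to spot nonce reuse.

```python
import hashlib
import hmac


def keystream(key, packet_number, length):
    """Toy keystream derived from the key and the packet number (the nonce).

    Stand-in for CCMP's AES-CTR keystream, chosen so the example runs with the
    standard library only. The property that matters is shared with CCMP: the
    same key and the same nonce always give the same keystream.
    """
    out = b""
    block = 0
    while len(out) < length:
        msg = packet_number.to_bytes(6, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of the client side of the 4-way handshake."""

    def __init__(self, patched):
        self.patched = patched
        self.ptk = None
        self.pn = 0  # outgoing packet number, i.e. the nonce counter

    def on_message3(self, ptk):
        # Patched behaviour: a key that is already installed is not installed
        # again, so a retransmitted message 3 cannot reset the counter.
        if self.patched and self.ptk == ptk:
            return "ignored"
        # Vulnerable behaviour: every message 3 (re)installs the key and
        # resets the packet number to 0.
        self.ptk = ptk
        self.pn = 0
        return "installed"

    def send(self, plaintext):
        pn = self.pn
        self.pn += 1
        ciphertext = xor(plaintext, keystream(self.ptk, pn, len(plaintext)))
        return pn, plaintext, ciphertext


def simulate(patched):
    """Frames the client sends when the AP retransmits message 3.

    Returns a list of (packet_number, plaintext, ciphertext). The PTK and the
    frame contents are constructed sample values for this demo.
    """
    client = Supplicant(patched)
    ptk = hashlib.sha256(b"constructed sample PTK").digest()
    client.on_message3(ptk)                          # first message 3
    frames = [client.send(b"frame one, sent after the handshake")]
    client.on_message3(ptk)                          # retransmitted message 3
    frames.append(client.send(b"frame two, sent after the retransmit"))
    return frames


def packet_numbers_monotonic(frames):
    """Detection check a monitor can run: per key, packet numbers must
    strictly increase. A repeated or decreasing value means nonce reuse."""
    last = -1
    for pn, _, _ in frames:
        if pn <= last:
            return False
        last = pn
    return True


def keystream_reused(frames):
    """True when two frames were encrypted with the same keystream: then
    ciphertext1 XOR ciphertext2 equals plaintext1 XOR plaintext2."""
    _, p1, c1 = frames[0]
    _, p2, c2 = frames[1]
    n = min(len(p1), len(p2))
    return xor(c1[:n], c2[:n]) == xor(p1[:n], p2[:n])


if __name__ == "__main__":
    for patched in (False, True):
        frames = simulate(patched)
        print("patched" if patched else "vulnerable",
              "packet numbers:", [pn for pn, _, _ in frames],
              "monotonic:", packet_numbers_monotonic(frames),
              "keystream reused:", keystream_reused(frames))
```

Running it shows the vulnerable client sending two frames with packet number 0 under the same key, which both the monotonic check and the keystream-reuse check flag; the patched client ignores the second message 3, keeps counting from 1, and neither check fires.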
Class A Vendor reactions:
Aruba networks
Aerohive
Ruckus Wireless
CVE codes:
- CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
- CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
- CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
- CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
- CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
- CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
- CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
- CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
- CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
- CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
PoC Video:
https://www.youtube.com/watch?v=Oh4WURZoR98
PoC Code:
Unavailable at the moment.