Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20171016090849.GB9257@w1.fi>
Date: Mon, 16 Oct 2017 12:08:49 +0300
From: Jouni Malinen <j@...fi>
To: oss-security@...ts.openwall.com
Subject: wpa_supplicant/hostapd: WPA packet number reuse with replayed
 messages and key reinstallation

Published: October 16, 2017
Identifiers:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13084 (not applicable)
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088
Latest version available from: https://w1.fi/security/2017-1/


Vulnerability

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

This document focuses on the cases that apply to systems using hostapd
(AP) or wpa_supplicant (station), but it should be noted that the
generic vulnerability itself is applicable to other implementations and
may have different impact in other cases.

This vulnerability can in theory apply to any case where a TK (the
pairwise/unicast encryption key used with TKIP, CCMP, GCMP), a GTK
(group/multicast encryption key), or an IGTK (group management frame
integrity protection key) is configured by the Authentication/Supplicant
component to the WLAN driver/firmware taking care of the TX/RX path and
encryption/decryption of frames.

If the same key is configured multiple times, it is likely that the
transmit and receive packet numbers (PN, IPN, RSC/TSC, etc.) are cleared
to a smaller value (zero in case of pairwise keys, zero or at least a
smaller value than the last used value in case of group keys). When this
happens with the same key, this breaks replay protection on RX side and
can result in reuse of packet numbers on TX side. The former may allow
replaying of previously delivered packets (without the attacker being
able to decrypt them or modify their contents) while the latter may
result in more severe issues on the TX side due to resulting CCM nonce
replay and related issues with GCMP and TKIP. The TX side issue may make
it significantly easier for the attacker to decrypt frames and determine
some parts of the keys (e.g., a Michael MIC key in case of TKIP).

Impact on AP/hostapd

On the AP side, this generic issue has been determined to be applicable
in the case where hostapd is used to operate an RSN/WPA2 network with FT
(Fast BSS Transition from IEEE 802.11r) enabled. Replaying of the
Reassociation Request frame can be used to get the AP reinstalling the
TK which results in the AP accepting previously delivered unicast frames
from the station and the AP reusing previously used packet numbers
(local TX packet number gets reset to zero). This latter issue on the TX
side can result in CCM nonce reuse which invalidates CCMP security
properties. In case of TKIP this can result in the attacker being able
to determine part of the TK more easily and with GCMP, result in similar
issues.

It should be noted that the AP side issue with FT would be close to
applying to FILS authentication (from IEEE 802.11ai) in hostapd with
replaying of (Re)Association Request frames. However, due to a different
handling of the repeated association processing with FILS, this would
actually result in the station getting immediately disconnected which
prevents this attack in practice. In addition, the FILS implementation
in the current hostapd version is still experimental and documented as
being discouraged in production use cases.

Another area of potentially reduced security was identified when looking
into these issues. When AP/Authenticator implementation in hostapd is
requested to rekey the PTK without performing EAP reauthentication
(either through local periodic rekeying or due to a request from an
association station), the ANonce value does not get updated. This
results in the new 4-way handshake depending on the station/supplicant
side generating a new, unique (for the current PMK/PSK) SNonce for the
PTK derivation to result in a new key. While a properly working
supplicant would do so, if there is a supplicant implementation that
does not, this combination could result in deriving the same PTK
again. When the TK from that PTK gets configured in the driver, this
would result in reinstalling the same key and the same issues as
described above for the FT protocol case.

Impact on station/wpa_supplicant

On the station side, this generic issue has been determined to be
applicable in the cases where wpa_supplicant processes a group key (GTK
or IGTK) update from the AP. An attacker that is able to limit access
to frame delivery may be able to extract two update messages and deliver
those to the station with significant time delay between them. When
wpa_supplicant processes the second message, it may end up reinstalling
the same key to the driver and when doing this, clear the RX packet
number to an old value. This would allow the attacker to replay all
group-addressed frames that the AP sent between the time the key update
message was originally sent and the time when the attacker forwarded the
second frame to the station. The attacker would not be able to decrypt
or modify the frames based on this vulnerability, though. There is an
exception to this with older wpa_supplicant versions as noted below in
version specific notes.

For the current wpa_supplicant version (v2.6), there is also an
additional EAPOL-Key replay sequence where an additional forged
EAPOL-Key message can be used to bypass the existing protection for the
pairwise key reconfiguration in a manner that ends up configuring a
known TK that an attacker could use to decrypt any frame sent by the
station and to inject arbitrary unicast frames. Similar issues are
reachable in older versions as noted below.

PeerKey / TDLS PeerKey

As far as the related CVE-2017-13084 (reinstallation of the STK key in
the PeerKey handshake) is concerned, it should be noted that PeerKey
implementation in wpa_supplicant is not fully functional and the actual
installation of the key into the driver does not work. As such, this
item is not applicable in practice. Furthermore, the PeerKey handshake
for IEEE 802.11e DLS is obsolete and not known to have been deployed.

As far as the TDLS PeerKey handshake is concerned (CVE-2017-13086),
wpa_supplicant implementation is already rejecting TPK M2 retries, so
the reconfiguration issue cannot apply for it. For TPK M3, there is a
theoretical impact. However, if that frame is replayed, the current
wpa_supplicant implementation ends up tearing down the TDLS link
immediately and as such, there is no real window for performing the
attack. Furthermore, TPK M3 goes through the AP path and if RSN is used
there, that frame has replay protection, so the attacker could not
perform the attack. If the AP path were to use WEP, the frame could be
replayed, though. That said, if WEP is used on the AP path, it would be
fair to assume that there is no security in the network, so a new attack
vector would be of small additional value.

With older wpa_supplicant versions, it may be possible for an attacker
to cause TPK M2 to be retransmitted with delay that would be able to
trigger reinstallation of TK on the peer receiving TPK M2
(CVE-2017-13086). This may open a short window for the attack with v2.3,
v2.4, and v2.5; and a longer window with older versions.

Vulnerable versions/configurations

For the AP/Authenticator TK (unicast) reinstallation in FT protocol
(CVE-2017-13082):

hostapd v0.7.2 and newer with FT enabled (i.e., practically all versions
that include full FT implementation). FT needs to be enabled in the
runtime configuration to make this applicable.

For the AP/Authenticator missing ANonce during PTK rekeying:

All hostapd versions.

For the station/Supplicant side GTK/IGTK reinstallation and TK
configuration:

All wpa_supplicant versions. The impact on older versions can be more
severe due to earlier changes in this area: v2.3 and older can also
reinstall the pairwise key and as such have similar impact as the AP FT
case (CVE-2017-13077); v2.4 and v2.5 end up configuring an all-zero TK
which breaks the normal data path, but could allow an attacker to
decrypt all following frames from the station and to inject arbitrary
frames to the station. In addition, a different message sequence
involving 4-way handshake can result in configuration of an all-zero TK
in v2.6 and the current snapshot of the development repository as of the
publication of this advisory.


Acknowledgments

Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue. Thanks to John A. Van
Boxtel for finding additional issues related to this topic.


Possible mitigation steps

- For AP/hostapd and FT replay issue (CVE-2017-13082), it is possible to
  prevent the issue temporarily by disabling FT in runtime
  configuration, if needed before being able to update the
  implementations.

- Merge the following commits to hostapd/wpa_supplicant and rebuild them:

  hostapd and replayed FT reassociation request frame (CVE-2017-13082):
  hostapd: Avoid key reinstallation in FT handshake

  hostapd PTK rekeying and ANonce update:
  Fix PTK rekeying to generate a new ANonce

  wpa_supplicant and GTK/IGTK rekeying (CVE-2017-13078, CVE-2017-13079,
  CVE-2017-13080, CVE-2017-13081, CVE-2017-13087, CVE-2017-13088):
  Prevent reinstallation of an already in-use group key
  Extend protection of GTK/IGTK reinstallation of WNM-Sleep Mode cases

  wpa_supplicant (v2.6 or newer snapshot) and known TK issue:
  Prevent installation of an all-zero TK

  Additional protection steps for wpa_supplicant:
  TDLS: Reject TPK-TK reconfiguration
  WNM: Ignore WNM-Sleep Mode Response without pending request
  FT: Do not allow multiple Reassociation Response frames

  These patches are available from https://w1.fi/security/2017-1/
  (both against the snapshot of hostap.git master branch and rebased on
  top of the v2.6 release)

  For the TDLS TPK M2 retransmission issue (CVE-2017-13086) with older
  wpa_supplicant versions, consider updating to the latest version or
  merge in a commit that is present in v2.6:
  https://w1.fi/cgit/hostap/commit/?id=dabdef9e048b17b22b1c025ad592922eab30dda8
  ('TDLS: Ignore incoming TDLS Setup Response retries')

- Update to hostapd/wpa_supplicant v2.7 or newer, once available
  * it should be noted that there are number of additional changes in
    the related areas of the implementation to provide extra layer of
    protection for potential unknown issues; these changes are not
    included in this advisory as they have not been identified to be
    critical for preventing any of the identified security
    vulnerabilities; however, users of hostapd/wpa_supplicant are
    encouraged to consider merging such changes even if not fully
    moving to v2.7

-- 
Jouni Malinen                                            PGP id EFC895FA

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.