Other IDs this deficiency may be known by:
|Date Last Modified
Version Specific Information:
|Cucumber 1.0 i686||fixed in wpa_supplicant-2.6-i686-5 |
|Cucumber 1.0 x86_64||fixed in wpa_supplicant-2.6-x86_64-5 |
|Cucumber 1.1 i686
||fixed in wpa_supplicant-2.6-i686-5 |
|Cucumber 1.1 x86_64
||fixed in wpa_supplicant-2.6-x86_64-5 |
================================== Overview ===================================
An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 through 2.6.
Under certain conditions, the integrity of EAPOL-Key messages is not checked,
leading to a decryption oracle. An attacker within range of the Access Point
and client can abuse the vulnerability to recover sensitive information.
================================ Initial Report ================================
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Latest version available from: https://w1.fi/security/2018-1/
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
All wpa_supplicant versions.
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
================================= Our Analysis =================================
----- Affected Products -----
All versions of wpa_supplicant, up to and including 2.6, are vulnerable. This
includes wpa_supplicant as originally packaged in Cucumber Linux 1.0 and 1.1.
At the time of this writing (Fri Aug 17 10:40:36 EDT 2018), 2.6 is the latest
version of wpa_supplicant. It is not known for certain if future versions will
be affected; however, it has been hinted that this will be fixed in
wpa_supplicant 2.7 when it is released.
----- Scope and Impact of this Vulnerability -----
Allows for an attacker physically in range of the wireless access point to
decrypt sensitive data (group encryption keys). This in turn allows for
decrypting of wireless packets.
----- Fix for this Vulnerability -----
Until the release of 2.7, this vulnerability can be fixed by applying the patch
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt.