openwrt/package/network/services
John Crispin b3983323a1 wpa_supplicant: fix CVE-2018-14526
Unauthenticated EAPOL-Key decryption in wpa_supplicant

Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/

Vulnerability

A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.

When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.

Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changed the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
the hostapd AP implementation uses a 10 minute default for GTK rekeying
when using TKIP. With such timing behavior, a practical attack would need
a large number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.

Vulnerable versions/configurations

All wpa_supplicant versions.

Acknowledgments

Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.

Possible mitigation steps

- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.

- Merge the following commits to wpa_supplicant and rebuild:

WPA: Ignore unauthenticated encrypted EAPOL-Key data

This patch is available from https://w1.fi/security/2018-1/

- Update to wpa_supplicant v2.7 or newer, once available

Signed-off-by: John Crispin <john@phrozen.org>
2018-08-10 22:19:06 +02:00
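
Added example (not part of the commit or the upstream advisory): a small audit for the first mitigation step, listing the `network={...}` blocks of a wpa_supplicant.conf that still accept TKIP as the pairwise cipher for RSN/WPA2. The function name and the sample configuration are constructed for illustration; the defaults for omitted options are those given in the wpa_supplicant.conf documentation, and only whole-line comments are handled.

```python
import re

# Values wpa_supplicant uses when a network block omits the option
# (as documented in wpa_supplicant.conf); assumed here, not read from a build.
DEFAULTS = {"proto": "WPA RSN", "pairwise": "CCMP TKIP",
            "key_mgmt": "WPA-PSK IEEE8021X"}

def rsn_tkip_networks(conf_text):
    """Return SSIDs of network blocks that accept RSN/WPA2 with TKIP pairwise."""
    flagged, block = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # only whole-line comments are handled
        if block is None:
            if re.match(r"network\s*=\s*\{$", line):
                block = dict(DEFAULTS)    # new block starts from the defaults
            continue
        if line == "}":
            opts = {k: set(block[k].upper().split()) for k in DEFAULTS}
            # Blocks limited to NONE / plain IEEE8021X do not use WPA key handshakes.
            uses_wpa = not opts["key_mgmt"] <= {"NONE", "IEEE8021X"}
            if uses_wpa and opts["proto"] & {"RSN", "WPA2"} and "TKIP" in opts["pairwise"]:
                flagged.append(block.get("ssid", "<no ssid>").strip('"'))
            block = None
            continue
        key, sep, value = line.partition("=")
        if sep:
            block[key.strip()] = value.strip()
    return flagged

# Constructed sample configuration (not taken from the page).
SAMPLE_CONF = """
network={
    ssid="legacy-defaults"
    psk="constructed-passphrase"
}
network={
    ssid="ccmp-only"
    proto=RSN
    pairwise=CCMP
    psk="constructed-passphrase"
}
network={
    ssid="open-guest"
    key_mgmt=NONE
}
"""

if __name__ == "__main__":
    print(rsn_tkip_networks(SAMPLE_CONF))
```

A block that sets neither `proto` nor `pairwise` is reported because the defaults allow both RSN and TKIP; setting `pairwise=CCMP` in that block clears the finding.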
..
authsae treewide: clean up and unify PKG_VERSION for git based downloads 2016-12-22 16:42:21 +01:00
dnsmasq dnsmasq: backport validation fix in dnssec security fix 2018-01-20 14:25:52 +01:00
dropbear dropbear: fix PKG_CONFIG_DEPENDS 2017-12-13 16:38:28 +01:00
ead network/services/ead: drop Build/Prepare rule in favor of default one 2016-10-15 11:36:52 +02:00
hostapd wpa_supplicant: fix CVE-2018-14526 2018-08-10 22:19:06 +02:00
igmpproxy igmpproxy: remove firewall rules when service is stopped 2017-12-13 16:49:13 +01:00
ipset-dns treewide: clean up and unify PKG_VERSION for git based downloads 2016-12-22 16:42:21 +01:00
lldpd lldpd: bump to 0.9.7 2017-12-13 15:35:53 +01:00
odhcpd odhcpd: fix managed address configuration setting 2018-05-27 22:09:46 +02:00
omcproxy omcproxy: Update to latest HEAD 2017-12-13 14:36:45 +01:00
openvpn mbedtls: change libmbedcrypto.so soversion back to 0 2018-04-14 14:44:43 +02:00
openvpn-easy-rsa treewide: clean up and unify PKG_VERSION for git based downloads 2016-12-22 16:42:21 +01:00
ppp ppp: make the patches apply correctly again 2017-12-13 16:40:21 +01:00
relayd relayd: fix making incomplete instance json data 2017-02-26 14:38:25 +08:00
samba36 samba36: Remove syslog and load printers lines. 2017-12-13 16:29:22 +01:00
uhttpd uhttpd: fix query string handling 2017-12-13 16:46:36 +01:00
umdns umdns: remove superfluous include in init script 2017-06-02 01:29:51 +02:00
wireguard wireguard: bump to 20180519 2018-05-25 09:30:44 +08:00