FragAttacks - a series of vulnerabilities in Wi-Fi standards and implementations

Mathy Vanhoef, the author of the KRACK attack on wireless networks, disclosed details of 12 vulnerabilities affecting various wireless devices. The identified problems are presented under the code name FragAttacks and cover almost all wireless cards and access points in use - out of 75 devices tested, each was subject to at least one of the proposed attack methods.

The problems fall into two categories: 3 vulnerabilities are in the Wi-Fi standards themselves and affect all devices that support the current IEEE 802.11 standards (the flaws date back to 1997). 9 vulnerabilities are bugs and flaws in specific wireless stack implementations. The second category is the main danger, since attacks on the flaws in the standards require specific settings or require the victim to perform certain actions. All vulnerabilities apply regardless of the Wi-Fi security protocol in use, including WPA3.

Most of the identified attack methods allow an attacker to inject L2 frames into a protected network, which makes it possible to inject packets into the victim's traffic. DNS response spoofing to redirect the user to the attacker's host is mentioned as the most realistic attack scenario. The researcher also gives an example of using the vulnerabilities to bypass the NAT on a wireless router and gain direct access to a device on the local network, or to bypass firewall restrictions. The second group of vulnerabilities, related to the processing of fragmented frames, makes it possible to exfiltrate data from a wireless network and intercept user data transmitted without encryption.

The researcher has prepared a demo showing how the vulnerabilities can be used to intercept a password transmitted when accessing a site over HTTP without encryption. It also shows how to attack a Wi-Fi-controlled smart plug and use it as a springboard to continue attacking unpatched devices on the local network (for example, it was possible to attack an unupdated Windows 7 computer on the internal network through NAT traversal).

To exploit the vulnerabilities, an attacker must be within range of the target wireless device in order to send a specially crafted set of frames to the victim. The problems affect both client devices and wireless cards, as well as access points and Wi-Fi routers. In general, using HTTPS together with DNS traffic encryption via DNS over TLS or DNS over HTTPS is sufficient as a workaround; a VPN also provides protection.

The most dangerous are four vulnerabilities in wireless device implementations that allow unencrypted frames to be injected using trivial methods:

  • Vulnerabilities CVE-2020-26140 and CVE-2020-26143 allow frame spoofing on some access points and wireless cards on Linux, Windows and FreeBSD.
  • Vulnerability CVE-2020-26145 allows broadcast unencrypted fragments to be treated as full frames on macOS, iOS, FreeBSD and NetBSD.
  • Vulnerability CVE-2020-26144 allows processing of unencrypted reassembled A-MSDU frames with EtherType EAPOL in Huawei Y6, Nexus 5X, FreeBSD and LANCOM AP.

Other vulnerabilities in implementations are mainly related to problems that arise when processing fragmented frames:

  • CVE-2020-26139: Allows forwarding of EAPOL-flagged frames sent by an unauthenticated sender (affects 2 of 4 tested APs, and NetBSD- and FreeBSD-based solutions).
  • CVE-2020-26146: Allows reassembly of encrypted fragments without checking the sequence number order.
  • CVE-2020-26147: Allows reassembly of mixed encrypted and non-encrypted fragments.
  • CVE-2020-26142: Allows fragmented frames to be treated as full frames (affects OpenBSD and ESP12-F wireless module).
  • CVE-2020-26141: Missing TKIP MIC check for fragmented frames.

Problems in specifications:

  • CVE-2020-24588 - Attack on aggregated frames (the "is aggregated" flag is not protected and can be modified by an attacker in A-MSDU frames in WPA, WPA2, WPA3 and WEP). Redirecting a user to a malicious DNS server or NAT traversal is mentioned as an example attack.
  • CVE-2020-24587 - Key mixing attack (fragments encrypted with different keys may be reassembled in WPA, WPA2, WPA3 and WEP). The attack allows an attacker to recover data sent by the client, for example the contents of a Cookie when a site is accessed over HTTP.
  • CVE-2020-24586 - Fragment cache attack (the standards covering WPA, WPA2, WPA3 and WEP do not require cached fragments to be cleared after a new connection to the network). Allows an attacker to recover data sent by the client and to inject their own data.
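The implementation flaws in fragment handling listed above (CVE-2020-26142, CVE-2020-26146, CVE-2020-26147) and the two specification problems that concern fragments (CVE-2020-24587, CVE-2020-24586) all come down to checks a receiver should perform before gluing fragments together. The following Python is an added example written for this page, not the researcher's test tool and not code from any driver or wireless stack; the Fragment fields, the Reassembler class and its assumption that plaintext data fragments are never acceptable once a protected connection is established are simplifications chosen here to show the checks side by side.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    """One received 802.11 data fragment (constructed, simplified model)."""
    seq: int               # sequence number, shared by all fragments of one frame
    frag: int              # fragment number within the frame: 0, 1, 2, ...
    more_frags: bool       # "More Fragments" bit from the frame control field
    protected: bool        # True if the fragment arrived encrypted
    key_id: Optional[int]  # key the fragment was decrypted with (None if plaintext)
    pn: Optional[int]      # CCMP/GCMP packet number (None if plaintext)
    payload: bytes


class Reassembler:
    """Receiver-side reassembly with the checks the findings above call for.

    Hypothetical model. Assumes the association is protected, so plaintext
    data fragments are never acceptable after the handshake has completed.
    """

    def __init__(self) -> None:
        self._cache: Dict[int, List[Fragment]] = {}

    def on_reassociate(self) -> None:
        # CVE-2020-24586: fragments cached before a (re)connection must not be
        # combined with fragments received afterwards, so flush everything.
        self._cache.clear()

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the reassembled payload when a frame is complete, else None."""
        # CVE-2020-26147 class: a plaintext fragment on a protected connection is
        # dropped, together with any encrypted fragments it was meant to join.
        if not f.protected:
            self._cache.pop(f.seq, None)
            return None

        if f.frag == 0:
            # CVE-2020-26142: a frame is complete only when "More Fragments" is
            # clear; otherwise the first fragment starts a new cache entry.
            if not f.more_frags:
                return f.payload
            self._cache[f.seq] = [f]
            return None

        pending = self._cache.get(f.seq)
        if pending is None:
            return None  # continuation fragment without a first fragment
        prev = pending[-1]
        consecutive = (
            f.frag == prev.frag + 1
            # CVE-2020-26146: packet numbers must increase by exactly one.
            and f.pn == prev.pn + 1
            # CVE-2020-24587: every fragment must use the same key.
            and f.key_id == prev.key_id
        )
        if not consecutive:
            del self._cache[f.seq]  # drop the whole frame, not just this piece
            return None

        pending.append(f)
        if f.more_frags:
            return None
        del self._cache[f.seq]
        return b"".join(p.payload for p in pending)


def demo() -> Dict[str, Optional[bytes]]:
    """Constructed fragment sequences, one per check; returns the outcomes."""
    r = Reassembler()
    out: Dict[str, Optional[bytes]] = {}

    # Well-formed: consecutive fragment numbers and PNs, same key throughout.
    r.receive(Fragment(1, 0, True, True, 0, 100, b"GET /lo"))
    out["valid"] = r.receive(Fragment(1, 1, False, True, 0, 101, b"gin"))

    # PN gap between fragments: the pieces did not come from one frame.
    r.receive(Fragment(2, 0, True, True, 0, 200, b"a"))
    out["pn_gap"] = r.receive(Fragment(2, 1, False, True, 0, 205, b"b"))

    # Second fragment decrypted under a different key.
    r.receive(Fragment(3, 0, True, True, 0, 300, b"a"))
    out["mixed_key"] = r.receive(Fragment(3, 1, False, True, 1, 301, b"b"))

    # Plaintext fragment mixed into an encrypted frame.
    r.receive(Fragment(4, 0, True, True, 0, 400, b"a"))
    out["mixed_plain"] = r.receive(Fragment(4, 1, False, False, None, None, b"b"))

    # Fragment cached before reconnecting must not complete a frame afterwards.
    r.receive(Fragment(5, 0, True, True, 0, 500, b"a"))
    r.on_reassociate()
    out["stale_cache"] = r.receive(Fragment(5, 1, False, True, 0, 501, b"b"))
    return out
```

Only the "valid" sequence in `demo()` yields a frame; each of the other four is discarded in full rather than partially, which is the behaviour the patched stacks adopt: an inconsistent fragment invalidates everything cached under that sequence number.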

To test how susceptible their devices are, a special toolkit and a ready-made live image for creating a bootable USB drive have been prepared. On Linux, the problems appear in the mac80211 wireless stack, in individual wireless drivers and in the firmware loaded onto wireless cards. To eliminate the vulnerabilities, a set of patches has been proposed covering the mac80211 stack and the ath10k / ath11k drivers. For some devices, such as Intel wireless cards, an additional firmware update is required.

Tests of typical devices:

[image: test results for typical devices]

Wireless card tests in Linux and Windows:

[image: test results for wireless cards in Linux and Windows]

Wireless card tests in FreeBSD and NetBSD:

[image: test results for wireless cards in FreeBSD and NetBSD]

Manufacturers were notified about the problems 9 months ago. Such a long embargo period is due to the coordinated preparation of updates and delays in the preparation of changes to the specifications by ICASI and the Wi-Fi Alliance. Initially, it was planned to reveal information on March 9, but after weighing the risks, it was decided to postpone the publication for another two months in order to give more time to prepare patches, given the non-triviality of the changes being made and the difficulties arising from the COVID-19 pandemic.

It is noteworthy that despite the embargo, Microsoft fixed some of the vulnerabilities ahead of schedule in the March Windows update. The disclosure was postponed a week before the originally scheduled date, and Microsoft did not have time, or did not want, to change an update that was already prepared for publication; this created a threat to users of other systems, since attackers could learn about the vulnerabilities by reverse engineering the contents of the updates.

Source: opennet.ru
