FragAttacks - a series of vulnerabilities in Wi-Fi standards and implementations

Mathy Vanhoef, the author of the KRACK attack on wireless networks, disclosed details of 12 vulnerabilities affecting various wireless devices. The identified problems are presented under the code name FragAttacks and cover almost all wireless cards and access points in use - out of 75 devices tested, each was subject to at least one of the proposed attack methods.

The problems fall into two categories: 3 vulnerabilities are in the Wi-Fi standards themselves and affect every device that supports the current IEEE 802.11 standards (the flaws date back to 1997), while 9 vulnerabilities are bugs and flaws in specific wireless stack implementations. The second category is the more dangerous one, since attacks on the flaws in the standards require specific settings or certain actions by the victim. All vulnerabilities are present regardless of which Wi-Fi security protocol is used, including WPA3.

Most of the identified attack methods allow an attacker to inject L2 frames into a secure network, which makes it possible to interfere with the victim's traffic. DNS response spoofing to direct the user to the attacker's host is mentioned as the most realistic attack scenario. An example is also given of using the vulnerabilities to bypass the address translator (NAT) on a wireless router and gain direct access to a device on the local network, or to bypass firewall restrictions. The second group of vulnerabilities, associated with the processing of fragmented frames, makes it possible to extract data from wireless traffic and intercept user data transmitted without encryption.

The researcher has prepared a demonstration showing how the vulnerabilities can be used to intercept a password transmitted when accessing a site over plain HTTP without encryption. It also shows how to attack a smart plug controlled via Wi-Fi and use it as a springboard to continue the attack on devices on the local network that have unpatched vulnerabilities (for example, it was possible to attack an unpatched Windows 7 computer on the internal network by bypassing NAT).


To exploit these vulnerabilities, an attacker must be within range of the target wireless device in order to send a specially crafted set of frames to the victim. The issues affect client devices and wireless cards, as well as access points and Wi-Fi routers. As a general workaround, using HTTPS in combination with DNS traffic encryption (DNS over TLS or DNS over HTTPS) is sufficient; using a VPN also helps.

The most dangerous are four vulnerabilities in wireless device implementations that allow unencrypted frames to be injected by trivial means:

  • Vulnerabilities CVE-2020-26140 and CVE-2020-26143 allow frame injection on some access points and wireless cards in Linux, Windows and FreeBSD.
  • Vulnerability CVE-2020-26145 allows broadcast unencrypted fragments to be processed as full frames in macOS, iOS, FreeBSD and NetBSD.
  • Vulnerability CVE-2020-26144 allows processing of unencrypted reassembled A-MSDU frames with EtherType EAPOL in Huawei Y6, Nexus 5X, FreeBSD and LANCOM AP.

Other vulnerabilities in implementations are mainly related to problems that arise when processing fragmented frames:

  • CVE-2020-26139: Allows forwarding of EAPOL-flagged frames sent by an unauthenticated sender (affects 2 of 4 tested APs, as well as NetBSD- and FreeBSD-based solutions).
  • CVE-2020-26146: Allows reassembly of encrypted fragments without checking that their sequence numbers are consecutive.
  • CVE-2020-26147: Allows reassembly of mixed encrypted and unencrypted fragments.
  • CVE-2020-26142: Allows fragmented frames to be treated as full frames (affects OpenBSD and the ESP12-F wireless module).
  • CVE-2020-26141: Missing TKIP MIC check for fragmented frames.

Problems in specifications:

  • CVE-2020-24588 - Attack on aggregated frames (the "is aggregated" flag is not protected and can be modified by an attacker in A-MSDU frames under WPA, WPA2, WPA3 and WEP). Redirecting a user to a malicious DNS server or NAT traversal is mentioned as an example of an attack.
  • CVE-2020-24587 - Key mixing attack (reassembly of fragments encrypted under different keys is allowed in WPA, WPA2, WPA3 and WEP). The attack allows an attacker to determine the data sent by the client, for example the contents of a Cookie sent over HTTP.
  • CVE-2020-24586 - Fragment cache attack (the standards covering WPA, WPA2, WPA3 and WEP do not require cached fragments to be cleared after a new network connection). Allows an attacker to determine the data sent by the client and to inject their own data.
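The fragmentation-related issues above (CVE-2020-26146 and CVE-2020-26147 in implementations, CVE-2020-24587 and CVE-2020-24586 in the specifications) all come down to checks a receiver must perform before gluing fragments back together. The following model of a hardened receiver-side reassembler is an added example, not code from the researcher or from any Wi-Fi stack: the Fragment record, its key_id field and the rejection strings are assumptions of this model, and real drivers track keys and replay counters in their own structures. It enforces consecutive fragment numbers, refuses to mix plaintext and encrypted fragments or fragments decrypted under different keys, and flushes the fragment cache when a peer (re)associates.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One received fragment (constructed model, not a driver structure)."""
    sender: str              # transmitter address
    seq: int                 # sequence number, shared by all fragments of one frame
    frag: int                # fragment number, 0 for the first fragment
    more: bool               # "More Fragments" bit in the frame control field
    protected: bool          # "Protected Frame" bit, i.e. the fragment was encrypted
    key_id: Optional[int]    # assumed id of the session key it was decrypted with
    payload: bytes


@dataclass
class _Pending:
    protected: bool
    key_id: Optional[int]
    next_frag: int = 0
    parts: List[bytes] = field(default_factory=list)


class Reassembler:
    """Receiver-side reassembly with the checks the disclosure found missing."""

    def __init__(self) -> None:
        self._cache: Dict[Tuple[str, int], _Pending] = {}
        self.rejected: List[str] = []

    def on_connect(self, sender: str) -> None:
        """CVE-2020-24586: drop cached fragments when a peer (re)associates."""
        for key in [k for k in self._cache if k[0] == sender]:
            del self._cache[key]

    def _reject(self, key: Tuple[str, int], reason: str) -> None:
        self._cache.pop(key, None)
        self.rejected.append(reason)

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the reassembled frame when it is complete, otherwise None."""
        key = (f.sender, f.seq)
        if f.frag == 0:
            # A new first fragment supersedes any stale partial frame.
            self._cache[key] = _Pending(f.protected, f.key_id)
        pend = self._cache.get(key)
        if pend is None:
            self._reject(key, "fragment without a first fragment")
            return None
        if f.frag != pend.next_frag:
            # CVE-2020-26146: fragments must arrive with consecutive numbers.
            self._reject(key, "fragment number out of order")
            return None
        if f.protected != pend.protected:
            # CVE-2020-26147: never mix plaintext and encrypted fragments.
            self._reject(key, "mixed plaintext and encrypted fragments")
            return None
        if f.key_id != pend.key_id:
            # CVE-2020-24587: all fragments must be decrypted under one key.
            self._reject(key, "fragments encrypted under different keys")
            return None
        pend.parts.append(f.payload)
        pend.next_frag += 1
        if f.more:
            return None
        del self._cache[key]
        return b"".join(pend.parts)


def demo() -> Dict[str, object]:
    """Constructed fragment sequences exercising each check."""
    r = Reassembler()
    out: Dict[str, object] = {}
    # Well-formed two-fragment frame under one key is reassembled.
    r.receive(Fragment("ap", 1, 0, True, True, 1, b"GET /"))
    out["normal"] = r.receive(Fragment("ap", 1, 1, False, True, 1, b"login"))
    # Second fragment decrypted under a different key (key mixing).
    r.receive(Fragment("ap", 2, 0, True, True, 1, b"a"))
    r.receive(Fragment("ap", 2, 1, False, True, 2, b"b"))
    # Plaintext fragment following an encrypted one.
    r.receive(Fragment("ap", 3, 0, True, True, 1, b"a"))
    r.receive(Fragment("ap", 3, 1, False, False, None, b"b"))
    # Fragment number skips from 0 to 2.
    r.receive(Fragment("ap", 4, 0, True, True, 1, b"a"))
    r.receive(Fragment("ap", 4, 2, False, True, 1, b"c"))
    # Stale first fragment must not survive a reconnect.
    r.receive(Fragment("ap", 5, 0, True, True, 1, b"stale"))
    r.on_connect("ap")
    r.receive(Fragment("ap", 5, 1, False, True, 2, b"new"))
    out["rejections"] = list(r.rejected)
    return out


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters only for the reason reported: a fragment that is both unencrypted and tagged with a different key is rejected on the encryption mismatch first. The cache flush is keyed on the sender because the attack in CVE-2020-24586 relies on a fragment planted before the victim's connection being combined with one sent after it.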

To test how vulnerable your devices are to these problems, a special toolkit and a ready-made Live image for creating a bootable USB drive have been prepared. In Linux, the issues affect the mac80211 wireless stack, individual wireless drivers, and the firmware loaded onto wireless cards. A patch set covering the mac80211 stack and the ath10k/ath11k drivers has been released to address the vulnerabilities. Some devices, such as Intel wireless cards, also require a firmware update.

Tests of typical devices:


Wireless card tests in Linux and Windows:


Wireless card tests in FreeBSD and NetBSD:


Manufacturers were notified about the problems 9 months ago. Such a long embargo period is due to the coordinated preparation of updates and delays in the preparation of changes to the specifications by ICASI and the Wi-Fi Alliance. Initially, it was planned to reveal information on March 9, but after weighing the risks, it was decided to postpone the publication for another two months in order to give more time to prepare patches, given the non-triviality of the changes being made and the difficulties arising from the COVID-19 pandemic.

It is noteworthy that, despite the embargo, Microsoft fixed some of the vulnerabilities ahead of schedule in the March Windows update. The disclosure was postponed a week before the originally scheduled release date, and Microsoft was unable to pull the changes from the scheduled update, which was already prepared for publication. This created a threat to users of other systems, since attackers could obtain information about the vulnerabilities by reverse engineering the update contents.

Source: opennet.ru
