Offline Cryptographic Attacks Targeting the Wi-Fi Protected Access 2 Protocol

On August 4, 2018, Jens Steube from the Hashcat project published an article introducing a new method to obtain cryptographic information from wireless traffic that can then be used by an attacker to attempt the offline recovery of the preshared key (PSK) used to secure a Wi-Fi network.

Both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access 2 (WPA2) protocols are known to be susceptible to offline cryptographic attacks when a PSK is used as an authentication mechanism. This is not a new vulnerability or a new attack against these protocols. This is a new vector that allows an attacker to obtain the information required to attempt an offline attack against the PSK.

This new method is different from the existing attacks against the PSK because it does not require an attacker to wait for an Extensible Authentication Protocol over LAN (EAPOL) authentication exchange, capture it, and proceed to attempt an offline PSK recovery. This new vector allows an attacker to extract the required information from a single wireless frame transmitted during a roaming event. The following conditions for this capture apply:

  • The frame contains a Robust Security Network-Pairwise Master Key Identification (RSN-PMKID) option
  • The wireless infrastructure is configured to use WPA2 with a PSK mode of authentication
  • The wireless infrastructure supports the Proactive Key Caching (PKC) fast roaming option (PMKID roaming)

The wireless frame can be acquired by passively listening to traffic from the wireless network during a roaming event.

It is important to note that this method does not make it easier or faster to recover the PSK for a Wi-Fi network. Instead, it is easier for an attacker to collect the information required to conduct a subsequent offline cryptographic attack. The likelihood of a successful recovery of the PSK is highly dependent on the complexity of the PSK in use.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180809-wpa2

Security Impact Rating: Informational


Building the 5G Foundation – Enterprise Private Mobility-as-a-Service

Progressive enterprises are pursuing software-defined solutions with operating models powered by analytics, automation and machine communications to improve productivity, service levels and cost structures. With hundreds of devices and sensors connecting to a network, wired connections are becoming expensive. At the same time, mobile networks are not ready for the massive number of connections, and the data associated with them, coming their way. Using conventional unlicensed methods such as Wi-Fi to address the coverage and capacity is not necessarily ideal for some mission-critical workloads. This is because Wi-Fi is designed as a "best effort" service; it …


VDA registration failure over WAN

Collected Wireshark traces from the VDA and the DDC simultaneously while restarting the Citrix Desktop Service on the VDA.

Found that the items highlighted below were modified by the Riverbed device before the network packets reached the DDC from the VDA:

1. Sequence number was changed.

2. Packet payload length was modified.

3. Riverbed probe was added to the TCP options.

4. Packet was detected by Wireshark as malformed packet.

VDA Snippet (Wireshark capture screenshot not included)

DDC Snippet (Wireshark capture screenshot not included)


Cisco Wireless LAN Controller Software Control and Provisioning of Wireless Access Points Protocol Denial of Service Vulnerability

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
 
The vulnerability is due to improper input validation on fields within CAPWAP Discovery Request packets by the affected device. An attacker could exploit this vulnerability by sending malicious CAPWAP Discovery Request packets to the Cisco WLC Software. A successful exploit could allow the attacker to cause the Cisco WLC Software to disconnect associated access points (APs). While the APs disconnect and reconnect, service will be unavailable for a brief period of time, resulting in a DoS condition.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-dos

Security Impact Rating: High

CVE: CVE-2018-0443


Cisco Wireless LAN Controller Software Control and Provisioning of Wireless Access Points Protocol Information Disclosure Vulnerability

A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol component of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.
 
The vulnerability is due to insufficient condition checks in the part of the code that handles CAPWAP keepalive requests. An attacker could exploit this vulnerability by sending a crafted CAPWAP keepalive packet to a vulnerable Cisco WLC device. A successful exploit could allow the attacker to retrieve the contents of device memory, which could lead to the disclosure of confidential information.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181017-wlc-capwap-memory-leak

Security Impact Rating: High

CVE: CVE-2018-0442
