Thwart KRACK!

There have been a number of posts today regarding the public announcements of new wireless vulnerabilities. I wanted to share my insights and information on it from a different perspective. 

A recently released paper is titled "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2." It discusses seven vulnerabilities affecting session key negotiation in both the Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) protocols. 

Since all protected Wi-Fi networks use a 4-way handshake to generate a fresh session key, the authors of the research paper showed that this 4-way handshake is vulnerable to a key reinstallation attack. KRACK, as it is being termed, also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshakes. They note that the impact varies depending on the handshake being attacked and the data-confidentiality protocol in use. Not only are APs affected, but client devices too; the authors showed this attack to be exceptionally devastating against Android 6.0 devices. 
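The mechanism behind the attack is easier to see in code. The following is an added illustration written for this post; it is not code from the paper or from Cisco. It models only the one behaviour that matters: on handshake message 3 a supplicant installs the pairwise key (PTK) and starts its CCMP packet number (PN, the per-key nonce counter) at zero. A vulnerable supplicant does the same thing again when message 3 is retransmitted, reusing nonces under the same key; a fixed one leaves an installed key alone. The `PNMonitor` class is the defender-side check a wireless IDS can apply: the PN seen from one transmitter must strictly increase. The class and function names, and the key bytes, are constructed for the example.

```python
"""Added illustration (written for this post, not taken from the paper or from
Cisco): why reinstalling an already-installed PTK leads to nonce reuse, and
the check a passive monitor can apply to catch it."""
from typing import Dict, List, Optional, Tuple


class Supplicant:
    """Toy client; only the key-install / PN-reset behaviour is modelled."""

    def __init__(self, patched: bool) -> None:
        self.patched = patched          # True: ignore message 3 once a key is installed
        self.ptk: Optional[bytes] = None
        self.pn = 0                     # CCMP transmit packet number (nonce counter)
        self.installed = False

    def on_message3(self, ptk: bytes) -> None:
        """Handle EAPOL-Key message 3, which may be a retransmission."""
        if self.installed and self.patched:
            return                      # hardened: key already in use, leave it
        # First (legitimate) install, or the vulnerable re-install path:
        self.ptk = ptk
        self.pn = 0                     # counter reset -> nonce reuse under the same key
        self.installed = True

    def send(self) -> Tuple[bytes, int]:
        """Return the (key, PN) pair the next protected frame would use."""
        assert self.ptk is not None, "no key installed"
        used = (self.ptk, self.pn)
        self.pn += 1
        return used


class PNMonitor:
    """Defender-side check: PN per transmitter address must strictly increase."""

    def __init__(self) -> None:
        self.last: Dict[str, int] = {}
        self.alerts: List[str] = []

    def observe(self, ta: str, pn: int) -> bool:
        prev = self.last.get(ta, -1)
        if pn <= prev:
            self.alerts.append(
                f"{ta}: PN {pn} after {prev} - possible key reinstallation or replay")
            return False
        self.last[ta] = pn
        return True


def run_session(patched: bool) -> Tuple[List[str], int]:
    """Simulate handshake, traffic, a repeated message 3, more traffic.

    Returns (monitor alerts, number of (key, PN) pairs used more than once)."""
    ptk = b"\x11" * 16                  # constructed key material
    client = Supplicant(patched)
    mon = PNMonitor()
    seen: Dict[Tuple[bytes, int], int] = {}

    client.on_message3(ptk)             # legitimate message 3
    for _ in range(3):
        key, pn = client.send()
        mon.observe("client", pn)
        seen[(key, pn)] = seen.get((key, pn), 0) + 1
    client.on_message3(ptk)             # message 3 arrives a second time
    for _ in range(2):
        key, pn = client.send()
        mon.observe("client", pn)
        seen[(key, pn)] = seen.get((key, pn), 0) + 1

    reused = sum(1 for count in seen.values() if count > 1)
    return mon.alerts, reused


if __name__ == "__main__":
    for flag in (False, True):
        alerts, reused = run_session(patched=flag)
        print(f"patched={flag}: {len(alerts)} alerts, {reused} nonces reused")
```

Running it shows the unpatched client producing two monitor alerts and two reused (key, PN) pairs after the repeated message 3, while the patched client keeps counting from where it left off and triggers nothing. The same monotonic-PN rule is what a real monitor would apply to captured CCMP headers per transmitter address.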

These vulnerabilities are industry-wide; however, wireless vendors are starting to announce their mitigation paths. Cisco announced theirs this morning around 10 a.m. EST and has listed the wireless products affected by these vulnerabilities. The Security Advisory cisco-sa-20171016-wpa (linked in the Related Material section below) lists each specific vulnerability found through this research and the affected Cisco products. Please take the time to review both the Cisco SA and the research paper.

Quick Summary (by the Cisco PSIRT Team):
Nine of the vulnerabilities (all but CVE-2017-13082) impact the supplicant, or wireless client. CVE-2017-13082 is the only vulnerability impacting the authenticator (access point). When I mention / talk about "supplicant" or "wireless client" this includes any device associating to a wireless access point in a client role - this would include not only laptops, phones with wireless capabilities, etc. but also network devices that work as wireless clients - workgroup bridges, media extenders and similar being examples of such devices. Because those vulnerabilities are protocol-level vulnerabilities (unlike implementation-level vulnerabilities), most wireless vendors implementing the WPA/WPA II protocols and related protocols will be affected by one or more of these vulnerabilities.

Check if FT is enabled:
How to check if FT is enabled on the WLC:
(w5520-1) >show wlan 1

   802.11 Authentication:........................ Open System
   FT Support.................................... Enabled <<<<

How to check if FT is enabled on a converged switch:
c3850-1>show wlan id 1 | i FT\ S
    FT Support                                 : Disabled <<<<

Discovering the attack:
Several of the possible attacks involve the attacker's AP "presenting" the same SSID as the real AP announces, but operating on a different channel. This is easily detected by Cisco WLC-controlled infrastructure APs: since this traffic can be captured, there are ways to gain visibility into any rogue APs within your Cisco WLAN. 

The paper proposes two ways of carrying out the attacks:
1. A fake infrastructure AP announces the same SSID and the same MAC address as the real AP, but on a different channel. This method is easily detected by us; nothing too complex or impacting is needed.
2. The second injects frames into a valid connection, forcing the client to react, in order to obtain either a null-key condition or IV reuse. This is less visible, but still detectable: it relies on the current AP detecting data frames sent with its own MAC address on its operating channel. Wireless SMEs / teams are looking into this one to determine how it can be fully thwarted.
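To make the first indicator concrete, here is an added example (constructed for this post, not Cisco's rogue-rule implementation) that applies the two checks just described to a hand-written list of observed beacons: our own BSSID heard on a channel we do not operate on, and an unknown BSSID advertising one of our managed SSIDs. A WLC derives the same verdicts from its rogue-detection rules; the MAC addresses, SSIDs and channels below are made up.

```python
"""Added example: flag beacons that match the two rogue indicators discussed
in the post.  Input is a constructed list; a real deployment would feed this
from the controller's rogue-detection data."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Beacon:
    bssid: str          # transmitter MAC of the beaconing AP
    ssid: str
    channel: int        # channel the beacon was heard on


@dataclass(frozen=True)
class ManagedAP:
    bssid: str
    ssid: str
    channel: int        # channel the AP is actually operating on


def classify(beacons: Iterable[Beacon],
             managed: Iterable[ManagedAP]) -> List[Tuple[str, int, str]]:
    """Return (bssid, channel, verdict) for every beacon that should be flagged.

    BSSID_CLONE  - our own BSSID heard on a channel we do not use (method 1 above)
    MANAGED_SSID - an unknown BSSID advertising one of our SSIDs (rogue rule)
    """
    by_bssid = {ap.bssid.lower(): ap for ap in managed}
    our_ssids = {ap.ssid for ap in managed}
    flagged: List[Tuple[str, int, str]] = []
    for b in beacons:
        ap = by_bssid.get(b.bssid.lower())
        if ap is not None:
            if b.channel != ap.channel:
                flagged.append((b.bssid, b.channel, "BSSID_CLONE"))
            # same BSSID on its own channel: that is simply our AP
        elif b.ssid in our_ssids:
            flagged.append((b.bssid, b.channel, "MANAGED_SSID"))
        # unknown BSSID with a foreign SSID: a neighbour, not flagged here
    return flagged


MANAGED = [ManagedAP("00:11:22:33:44:55", "CorpWiFi", 36)]   # constructed
OBSERVED = [                                                    # constructed
    Beacon("00:11:22:33:44:55", "CorpWiFi", 36),   # our AP, where it should be
    Beacon("00:11:22:33:44:55", "CorpWiFi", 1),    # our BSSID on another channel
    Beacon("AA:BB:CC:DD:EE:FF", "CorpWiFi", 6),    # stranger advertising our SSID
    Beacon("AA:BB:CC:DD:EE:01", "Neighbour", 11),  # unrelated network
]

if __name__ == "__main__":
    for bssid, ch, verdict in classify(OBSERVED, MANAGED):
        print(f"{verdict:12} {bssid} ch{ch}")
```

The channel comparison is what makes the first check work: a cloned BSSID on the AP's own channel would be indistinguishable from the AP by this rule, which is why the post's second method needs the AP itself to notice frames carrying its address.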

On the Cisco WLC:
1. Make sure rogue detection is enabled.
2. Create a rule to flag rogues using "managed SSIDs" as malicious.
3. Ensure that channel monitoring is set to "all channels" for both the 802.11b and 802.11a networks.

Also, the attack involves using the infrastructure AP's own MAC address to transmit frames to the client; this could also be detected by the AP, although the detection probability varies depending on the frequency of transmission.

Lastly, it is always recommended that you read the latest Cisco WLAN Best Practices Guide to ensure optimal performance of your Cisco wireless deployment. The latest guide is linked below. 

Related Material:
Please check out the Security Advisory Report -
Cisco Wireless Best Practices -
Please visit Shaun Gomez's site to learn about the facts on KRACK -
Meraki update on this ... -