WPA2 KRACK Vulnerability Announced

On 16 October 2017, research was made public on a vulnerability affecting a majority of 802.11 Wireless LAN (WLAN) devices and networks. This vulnerability, referred to as a Key Reinstallation Attack (KRACK), impacts the WPA and WPA2 handshakes used to negotiate encryption keys on most WLAN networks. An intruder who is within radio range of a specific device’s transmission to an access point and can capture the initial WPA/WPA2 handshake can spoof the access point, launch a “man-in-the-middle” attack, and then replay handshake messages so that the client reinstalls a key that is already in use and resets the nonce (packet number) counter associated with it. The resulting nonce reuse enables decryption of otherwise encrypted WLAN traffic for ensuing packets.

For further details on the vulnerability, refer to the original research paper Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 by Mathy Vanhoef and Frank Piessens from imec-DistriNet, Katholieke Universiteit Leuven.

How this impacts users of 802.11 networks:

Networks that use WPA or WPA2 procedures to set up authentication and encryption may be exposed until the affected devices have been properly patched. This means that data transmitted over such a WLAN connection may be intercepted and decrypted by an attacker within packet capture range of the transmission. In some cases, depending on the cipher suite in use, an attacker may also inject traffic into the connection.

WLAN traffic that is encrypted beyond standard WLAN encryption is not directly exposed. Many web sites, for example, use HTTPS instead of HTTP to encrypt web traffic. The KRACK vulnerability does not directly expose this traffic to decryption since it is encrypted above WLAN layer 2; only the WLAN layer 2 encryption would be exposed. Traffic that is tunneled using a secured VPN over a WLAN connection is not exposed for the same reason.
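As an added illustration, not part of the NETSCOUT advisory or of any NETSCOUT product code, the Python model below shows why reinstalling a key that is already in use is fatal for a counter-mode cipher such as CCMP: installing the key resets the packet number (PN), the PN is the nonce, and two frames encrypted under the same key and nonce share a keystream. A hash-based toy keystream stands in for AES-CTR, the `Supplicant` class and its `reinstalls_key` flag are this example's own names (not wpa_supplicant's), and the temporal key and the two HTTP frames are constructed for the demo.

```python
import hashlib
from typing import Dict, Optional, Tuple


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Toy stand-in for the AES-CTR keystream that CCMP derives from the
    temporal key (TK) and the 48-bit packet number (PN). The only property
    that matters here is shared by any counter-mode cipher: the same TK and
    the same PN always yield the same keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


class Supplicant:
    """Minimal model of a client's pairwise key state (hypothetical class).

    reinstalls_key=True mimics the pre-patch behaviour: every message 3 of the
    4-way handshake, including a replayed copy, installs the TK and resets PN.
    reinstalls_key=False mimics the fix: a TK that is already installed is not
    installed again, so a replayed message 3 cannot reset the nonce counter.
    """

    def __init__(self, reinstalls_key: bool) -> None:
        self.reinstalls_key = reinstalls_key
        self.tk: Optional[bytes] = None
        self.pn = 0

    def on_msg3(self, tk: bytes) -> bool:
        """Handle message 3 of the 4-way handshake. Returns True if the key
        was (re)installed."""
        if not self.reinstalls_key and tk == self.tk:
            return False  # patched behaviour: ignore reinstall of the current TK
        self.tk = tk
        self.pn = 0       # key installation resets the packet number
        return True

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Encrypt one data frame: increment PN, XOR with keystream(TK, PN)."""
        assert self.tk is not None, "no TK installed"
        self.pn += 1
        ks = keystream(self.tk, self.pn, len(plaintext))
        return self.pn, bytes(p ^ k for p, k in zip(plaintext, ks))


def run_attack(reinstalls_key: bool) -> Dict[str, object]:
    """Replay message 3 between two data frames and check whether the second
    frame reused the first frame's PN. With a reused PN the keystreams match,
    so c1 XOR c2 == p1 XOR p2 and a known p1 reveals p2 outright."""
    tk = hashlib.sha256(b"constructed TK for the demo").digest()[:16]  # constructed key
    sta = Supplicant(reinstalls_key)
    sta.on_msg3(tk)                                    # genuine message 3 from the AP
    p1 = b"GET /login HTTP/1.1\r\nHost: intranet\r\n"  # constructed; assumed known to attacker
    pn1, c1 = sta.encrypt(p1)
    sta.on_msg3(tk)                                    # man-in-the-middle replays message 3
    p2 = b"user=alice&pass=hunter2\r\n\r\n"            # constructed secret frame
    pn2, c2 = sta.encrypt(p2)
    n = min(len(c1), len(c2))
    recovered = bytes(a ^ b ^ k for a, b, k in zip(c1[:n], c2[:n], p1[:n]))
    return {"nonce_reused": pn1 == pn2, "recovered": recovered, "secret": p2[:n]}


if __name__ == "__main__":
    for label, flag in (("unpatched", True), ("patched", False)):
        r = run_attack(flag)
        print(label, "nonce reused:", r["nonce_reused"], "recovered:", r["recovered"])
```

The unpatched run recovers the second frame byte for byte from the two ciphertexts and the known first frame; the patched run, which keeps the PN moving, recovers only noise. This is also why the advisory's HTTPS and VPN caveat holds: what the attacker recovers is the layer 2 plaintext, and if that plaintext is itself TLS or VPN ciphertext, nothing readable is gained.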

For NETSCOUT customers:

NETSCOUT has assessed this vulnerability’s impact on its products and is developing a proper course of action. In summary:

  • AirMagnet Enterprise: A Dynamic Threat Update (DTU) alert for KRACK was released on 6 December 2017. A patch to address the KRACK vulnerability on sensors’ WLAN connections for Automated Health Check was also released on 6 December 2017.
  • AirMagnet Mobile products, OptiView XG: apply Microsoft Windows security patches to protect against this vulnerability.
  • OneTouch G2, AirCheck G2: Any necessary patches to address the KRACK vulnerability will be made available.

Please refer back to this site for further updates.

Listed below is the known impact and advisory for each WLAN product.


  • AirMagnet Enterprise

On 6 December 2017, NETSCOUT released a Dynamic Threat Update (DTU) to detect and alert on KRACK attacks. This update is available for all AirMagnet Enterprise customers on version 11.0 or higher with Series 4 and/or Series 6 sensor models.

Also on 6 December 2017, NETSCOUT released software version 11.1.1, which includes WPA supplicant fixes to address the following vulnerabilities:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • Requesting and reinstalling the pairwise encryption key (PTK-TK) while it is being processed.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: Reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: Reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: Reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.

(Note: “CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation” is not applicable to sensors.)

These WPA supplicant fixes apply to the Automated Health Check (AHC) feature in which AirMagnet Enterprise sensors (Series 4 and Series 6 models) connect to a WLAN using WPA/WPA2 for testing connectivity.

Software Sensor Agents run on Windows 7 platforms and will be protected by applying the latest security updates from Microsoft.

  • AirMagnet Mobile

The AirMagnet Mobile tools suite (AirMagnet Survey PRO/Express, AirMagnet WiFi Analyzer, and AirMagnet Spectrum XT) all use wireless data, but the tests they run are different for each product.

For AirMagnet Survey PRO/Express, during an Active survey to a WLAN using WPA/WPA2, the software will transmit or receive:

  • IP addresses of network resources during association procedures. This may include but is not limited to the Access Point, DHCP server(s), and the Gateway.

During an Active iPerf survey, the IP address of the iPerf server would also be transmitted. No association or transmissions occur during a Passive survey.

For AirMagnet WiFi Analyzer PRO, transmissions are only performed when using features on the Tools tab. Information transmitted/received is based upon the feature being used:

  • Site Survey
      • IP addresses of network resources during association procedures. This may include but is not limited to the Access Point, DHCP server(s), and the Gateway.
  • OneTouch Connection Test
      • IP addresses of network resources during association procedures. This may include but is not limited to the Access Point, DHCP server(s), and the Gateway.
      • IP addresses of automated resource tests. This may include but is not limited to the DHCP Server, the Gateway, Primary and Secondary DNS, as well as the WINS server.
      • Ping/Trace/FTP/HTTP/HTTPS traffic to configured targets (based on test configuration).
  • Roaming
      • IP addresses of network resources during association procedures. This may include but is not limited to the Access Point, DHCP server(s), and the Gateway.
  • Throughput / iPerf
      • IP addresses of network resources during association procedures. This may include but is not limited to the Access Point, DHCP server(s), and the Gateway.
      • IP address of the iPerf server being used.

All other features on the Tools tab, as well as other tabs within WiFi Analyzer, are passive; no association or transmissions occur during use.

Please be aware of the resources and addresses used as configured test targets to ensure that the above-mentioned transmissions do not contain data considered sensitive.

For AirMagnet Spectrum XT, no association or transmissions occur during operation.

To patch AirMagnet Mobile products, please install the latest security updates from Microsoft. Microsoft’s wireless supplicant patches address the vulnerability in these WLAN connections.

  • OptiView XG

As OptiView XG can connect to WLANs as a wireless client, users should apply the appropriate Windows Updates to address the KRACK vulnerability. This also addresses the use of the AirMagnet Mobile software products on OptiView XG.

  • OneTouch G2

On 27 April 2018, NETSCOUT released firmware version 6.5.2, which includes WPA supplicant fixes for the AutoTest feature in which OneTouch AT connects to a WLAN using WPA/WPA2 for testing connectivity, and for web-browser or Telnet communication over the OneTouch AT Wi-Fi test port. Two USB-based Wi-Fi adapters certified for OneTouch management port connectivity have been tested against the KRACK vulnerability when used with OneTouch running firmware version 6.5.2: Asus USB-N10 Nano and Netgear WNA1000M.

All OneTouch Gold Support customers can download the v6.5.2 code from MyAccount. OneTouch AT customers whose unit runs v6.5.1 firmware and has been claimed to Link-Live can request the software update directly from the unit’s “Tool/Update Software” menu. All other customers can contact NETSCOUT Technical Support by sending email to [email protected] or calling +1-800-708-4784 (option 3).

OneTouch AT runs tests to a WLAN using WPA/WPA2 as part of its AutoTest and Wi-Fi Validation Test. A OneTouch AT may transmit or receive:

  • IP addresses of network resources and device authentication information sent to the WLAN/access point during association procedures as part of the AutoTest or Wi-Fi Validation Test
      • This may include but is not limited to the Access Point, DHCP server(s), and the Gateway.
  • IP addresses of test targets (via Ping and TCP connect tests during AutoTest)
      • This may include but is not limited to the DHCP Server, the Gateway, Primary and Secondary DNS.
  • IP addresses of test targets (via ICMP Ping, TCP Connect, Multicast group, HTTP, or RTSP, as configured as part of an AutoTest)
  • IP address of the email server, the sender and receiver email addresses, and the user’s login name and password for the email server when the email test is included in AutoTest
      • The user’s login credentials are only sent when login to the email server is enabled in the test.
  • IP address of the FTP server, and the user’s login name and password for the server, when the FTP test is included in AutoTest
  • IP addresses of the endpoint if Wi-Fi performance testing is included as part of the AutoTest

If automatic result uploads to Link-Live via the Wi-Fi port is enabled, the OneTouch AT will transmit:

  • HTTPS URLs and test result data (including network IP addresses if so configured) to Link-Live (encrypted by HTTPS, which is not impacted by the KRACK vulnerability)

The OneTouch AT also supports web-browser or Telnet communication over the OneTouch AT Wi-Fi test port. Data transmitted in these sessions that is not encrypted beyond the standard 802.11 encryption, including but not limited to the IP address of the target web/Telnet server, could be exposed.

Please review the AutoTest configuration and Link-Live upload settings to ensure that the above-mentioned transmissions do not contain data considered sensitive.

Firmware version 6.5.2, described above, addresses the vulnerability in these WLAN connections.

  • AirCheck G2

AirCheck G2 runs tests to a WLAN using WPA/WPA2 as part of its Connection Test as well as (if configured) as part of an Auto-Test. During this connection, an AirCheck G2 may transmit or receive:

  • IP addresses of network resources during association procedures
      • This may include but is not limited to the Access Point, DHCP server(s), and the Gateway
  • IP addresses of test targets (via Ping or TCP as configured)
      • This may include but is not limited to the DHCP Server, the Gateway, as well as Primary and Secondary DNS

If iPerf performance testing is performed, the AirCheck G2 will also transmit or receive:

  • IP addresses of Test Accessories

If automatic uploads to Link-Live are enabled, the AirCheck G2 will transmit:

  • HTTPS URLs and test result data (including network IP addresses if so configured) to Link-Live (encrypted by HTTPS, which is not impacted by the KRACK vulnerability)

Please review the Test Target and Link-Live upload settings to ensure that the above-mentioned transmissions do not contain data considered sensitive.

A patch to address the vulnerability in these WLAN connections will be made available.
