Mention reference implementation CVEs

This commit is contained in:
Mathy Vanhoef 2020-09-30 07:36:02 +04:00
parent 9b4d2334a0
commit 2560a043c3
2 changed files with 37 additions and 24 deletions


@ -267,6 +267,11 @@ device and are further discussed below the table.
| `eapol-amsdu-bad BP` | Send malformed A-MSDU disguised as EAPOL during handshake (use tcpdump). | `eapol-amsdu-bad BP` | Send malformed A-MSDU disguised as EAPOL during handshake (use tcpdump).
| `eapol-amsdu-bad I,P` | Same as above, except the frame is injected after obtaining an IP. | `eapol-amsdu-bad I,P` | Same as above, except the frame is injected after obtaining an IP.
How commands match to CVEs is listed below. Note that for implementation flaws we list a reference
CVE identifier, however, vendors may use different CVEs because an implementation vulnerability normally
receives a unique CVE for each affected codebase. We nevertheless recommend to always refer to (or somehow
include) these reference CVEs as a way to easily refer to each type of discovered implementation flaw.
## 7.1. Sanity and implementation checks ## 7.1. Sanity and implementation checks
- `ping I,E,E`: This test should only fail if the tested device doesn't support fragmentation. In case - `ping I,E,E`: This test should only fail if the tested device doesn't support fragmentation. In case
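Review bot: the new paragraph starting "How commands match to CVEs is listed below" has a comma splice and a doubled "refer": "we list a reference CVE identifier, however, vendors may use different CVEs" wants a semicolon or full stop before "however", and "We nevertheless recommend to always refer to (or somehow include) these reference CVEs as a way to easily refer to each type of discovered implementation flaw" reads better as "We nevertheless recommend always citing (or at least including) these reference CVEs, as a convenient way to identify each type of implementation flaw." Since the paragraph says reference CVEs are given only for implementation flaws, consider also stating whether the subsections between 7.1 and 7.5, which this hunk does not touch, are design flaws without a reference CVE, so readers do not read a missing identifier as an omission.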
@ -343,19 +348,27 @@ for details.
which can be useful in case there is a small delay between completion of the handshake and installing the which can be useful in case there is a small delay between completion of the handshake and installing the
negotiated key. negotiated key.
## 7.5. Mixed plain/encrypt attack (§6.3) ## 7.5. Non-consecutive PNs attack (§6.2 -- CVE-2020-26146)
In our experiments, this test only failed against Linux and against devices that don't support fragmentation.
## 7.6. Mixed plain/encrypt attack (§6.3 -- CVE-2020-26147/26140/26143)
- `ping I,E,P` and `linux-plain`: if this test succeeds the resulting attacks are described in Section 6.3 - `ping I,E,P` and `linux-plain`: if this test succeeds the resulting attacks are described in Section 6.3
of the paper. Summarized, in combintation with the A-MSDU or cache vulnerability, it can be exploited to of the paper. Summarized, in combintation with the A-MSDU or cache vulnerability, it can be exploited to
inject packets. When not combined with any other vulnerabilities the impact is implementation-specific. inject packets. When not combined with any other vulnerabilities the impact is implementation-specific
(CVE-2020-26147).
- `ping I,P,E`: if this test succeeds it is trivial to inject plaintext frames towards the device _if_ - `ping I,P,E`: if this test succeeds it is trivial to inject plaintext frames towards the device _if_
fragmentation is being used by the network. fragmentation is being used by the network (CVE-2020-26147).
- `ping I,P,P` and `ping I,P`: if this test succeeds it is trivial to inject plaintext frames towards the - `ping I,P`: if this tests succeeds the implementation accepts plaintext frames in a protected Wi-Fi
device independent of the network configuration. network, allowing trivial packet injection (CVE-2020-26140).
## 7.6. Broadcast fragment attack tests (§6.4) - `ping I,P,P`: if this test succeeds the implementation accepts _fragmented_ plaintext frames in a protected
Wi-Fi network, allowing trivial packet injection (CVE-2020-26143).
## 7.7. Broadcast fragment attack tests (§6.4 -- CVE-2020-26145)
- Because all these tests send broadcast frames, which are not automatically retransmitted, it is recommended - Because all these tests send broadcast frames, which are not automatically retransmitted, it is recommended
to **execute these tests several times**. This is because background noise may prevent the tested devices to **execute these tests several times**. This is because background noise may prevent the tested devices
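Review bot: the new subsection "7.5. Non-consecutive PNs attack (§6.2 -- CVE-2020-26146)" is the only one in this file that does not name the test command it maps to; every other subsection opens with the command in backticks (e.g. `ping I,E,P` under 7.6), so the "How commands match to CVEs is listed below" promise is not met for this CVE. Its single sentence is also ambiguous: elsewhere in this README a test "succeeding" means the device is vulnerable, so "this test only failed against Linux and against devices that don't support fragmentation" should say explicitly that those were the only devices found not vulnerable. Smaller fixes in the same hunk: "if this tests succeeds" under `ping I,P` should be "if this test succeeds", and "combintation" should be "combination".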
@ -369,7 +382,7 @@ for details.
use the filter `icmp` and in wireshark you can also use the filter `frame contains "test_ping_icmp"` use the filter `icmp` and in wireshark you can also use the filter `frame contains "test_ping_icmp"`
to more easily detect this ping request. to more easily detect this ping request.
## 7.7. A-MSDUs EAPOL attack tests (§6.5) ## 7.8. A-MSDUs EAPOL attack tests (§6.5 -- CVE-2020-26144)
- `eapol-amsdu[-bad] BP`: These two tests inject the malicious frame while the client is still connecting - `eapol-amsdu[-bad] BP`: These two tests inject the malicious frame while the client is still connecting
to the network (i.e. during the execution of the 4-way handshake). This is important because several to the network (i.e. during the execution of the 4-way handshake). This is important because several
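Review bot: the renamed heading "7.8. A-MSDUs EAPOL attack tests" keeps the plural "A-MSDUs", while the matching heading in section 8 reads "8.6. A-MSDU EAPOL attack tests"; use the singular in both so the two sections are recognisably the same test family.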
@ -383,7 +396,7 @@ for details.
test variant. Note that if this tests succeeds, the impact of the attack is identical to implementations test variant. Note that if this tests succeeds, the impact of the attack is identical to implementations
that correctly parse such frames (for details see Section 3.6 and 6.8 in the paper). that correctly parse such frames (for details see Section 3.6 and 6.8 in the paper).
## 7.8. Troubleshooting checklist ## 7.9. Troubleshooting checklist
In case the test tool doesn't appear to be working, check the following: In case the test tool doesn't appear to be working, check the following:
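Review bot: renumbering "7.8. Troubleshooting checklist" to 7.9 (and 7.5 through 7.7 above it) invalidates any "Section 7.x" cross-reference elsewhere in the README; grep for the old numbers before merging. The context line "Note that if this tests succeeds" could take a drive-by fix to "this test succeeds".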
@ -538,7 +551,7 @@ Finally, in case the test `ping-frag-sep` doesn't succeed, you should try the fo
shows that the device keeps fragments in memory after (re)connecting to a network, meaning its vulnerable to cache shows that the device keeps fragments in memory after (re)connecting to a network, meaning its vulnerable to cache
attacks. attacks.
## 8.4. Mixed plain/encrypt attack (§6.3) ## 8.4. Mixed plain/encrypt attack (§6.3 -- CVE-2020-26147)
- `ping I,E,E --amsdu`: This test sends a fragmented A-MSDU frame, which not all devices can properly receive. - `ping I,E,E --amsdu`: This test sends a fragmented A-MSDU frame, which not all devices can properly receive.
This test is useful to determine the practical exploitability of the "Mixed plain/encrypt attack". This test is useful to determine the practical exploitability of the "Mixed plain/encrypt attack".
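Review bot: the heading "8.4. Mixed plain/encrypt attack (§6.3 -- CVE-2020-26147)" lists one CVE, while the corresponding "7.6. Mixed plain/encrypt attack (§6.3 -- CVE-2020-26147/26140/26143)" lists three. That is defensible, since the tests under 8.4 (`ping I,E,E --amsdu`, `ping I,E,P,E`, `linux-plain 3`) are all mixed plain/encrypt variants rather than plaintext-only ones, but a short sentence saying the plaintext-only cases live under 7.6 would stop readers treating the two headings as inconsistent. Context line "meaning its vulnerable to cache attacks" should read "it's".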
@ -548,7 +561,7 @@ Finally, in case the test `ping-frag-sep` doesn't succeed, you should try the fo
- `ping I,E,P,E` and `linux-plain 3`: If all the other mixed plain/encrypt attack tests in didn't succeed, you - `ping I,E,P,E` and `linux-plain 3`: If all the other mixed plain/encrypt attack tests in didn't succeed, you
can try these two extra tests as well. I think it's quite unlikely this will uncover a new vulnerability. can try these two extra tests as well. I think it's quite unlikely this will uncover a new vulnerability.
## 8.5. Broadcast fragment attack tests (§6.4) ## 8.5. Broadcast fragment attack tests (§6.4 -- CVE-2020-26145)
- Because all these tests send broadcast frames, which are not automatically retransmitted, it is recommended - Because all these tests send broadcast frames, which are not automatically retransmitted, it is recommended
to **execute these tests several times**. This is because background noise may prevent the tested devices to **execute these tests several times**. This is because background noise may prevent the tested devices
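Review bot: the context line "If all the other mixed plain/encrypt attack tests in didn't succeed" has a stray "in" that could be dropped in the same commit; the heading change itself matches the CVE-2020-26145 entry in the vulnerability list.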
@ -572,7 +585,7 @@ Finally, in case the test `ping-frag-sep` doesn't succeed, you should try the fo
is properly received, for example using the filter `icmp` or `frame contains "test_ping_icmp"`. An alternative variant is properly received, for example using the filter `icmp` or `frame contains "test_ping_icmp"`. An alternative variant
is `eapfrag BP,AE` in case the normal variant doesn't work. is `eapfrag BP,AE` in case the normal variant doesn't work.
## 8.6. A-MSDU EAPOL attack tests (§6.5) ## 8.6. A-MSDU EAPOL attack tests (§6.5 -- CVE-2020-26144)
This test can be used in case you want to execute the `eapol-amsdu[-bad] BP` tests but cannot run tcpdump or wireshark on This test can be used in case you want to execute the `eapol-amsdu[-bad] BP` tests but cannot run tcpdump or wireshark on
the AP. This means this test is only meaningfull against APs. In particular, the command `eapol-amsdu[-bad] BP --bcast-dst` the AP. This means this test is only meaningfull against APs. In particular, the command `eapol-amsdu[-bad] BP --bcast-dst`
@ -580,7 +593,7 @@ will cause a vulnerable AP to broadcast the ping request to all connected client
vulnerable, execute this command, and listen for broadcast Wi-Fi frames on a second device that is connected to the AP by vulnerable, execute this command, and listen for broadcast Wi-Fi frames on a second device that is connected to the AP by
using the filter `icmp` or `frame contains "test_ping_icmp"`. using the filter `icmp` or `frame contains "test_ping_icmp"`.
## 8.7. AP forwards EAPOL attack tests (§6.6) ## 8.7. AP forwards EAPOL attack tests (§6.6 -- CVE-2020-26139)
- `eapol-inject 00:11:22:33:44:55`: This test is only meaningfull against APs. To perform this test you have to connect - `eapol-inject 00:11:22:33:44:55`: This test is only meaningfull against APs. To perform this test you have to connect
to the network using a second device and replace the MAC address `00:11:22:33:44:55` with the MAC address of this second to the network using a second device and replace the MAC address `00:11:22:33:44:55` with the MAC address of this second
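Review bot: "meaningfull" in "This test is only meaningfull against APs" is misspelled here and in the 8.6 text just above; worth fixing while these lines are being touched. The CVE-2020-26139 in the new heading matches the "Forwarding EAPOL frames even though the sender is not yet authenticated" entry in the vulnerability list, so no further change is needed for the mapping.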
@ -595,7 +608,7 @@ using the filter `icmp` or `frame contains "test_ping_icmp"`.
to check this. Use the wireshark or tshark filter `(wlan.fc.frag == 1) || (wlan.frag > 0)` to detect fragmented frames. I found it to check this. Use the wireshark or tshark filter `(wlan.fc.frag == 1) || (wlan.frag > 0)` to detect fragmented frames. I found it
very rare for this attack to work. very rare for this attack to work.
## 8.8. Abusing no fragmentation support (§6.8) ## 8.8. No fragmentation support attack test (§6.8 -- CVE-2020-26142)
- `ping I,D,E`: If this test succeeds, the device doesn't support (de)fragmentation, but is still vulnerable to attacks. The - `ping I,D,E`: If this test succeeds, the device doesn't support (de)fragmentation, but is still vulnerable to attacks. The
problem is that the receiver treats the _last_ fragment as a full frame. See Section 6.6 in the paper for details and how this problem is that the receiver treats the _last_ fragment as a full frame. See Section 6.6 in the paper for details and how this
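Review bot: the renamed heading "8.8. No fragmentation support attack test (§6.8 -- CVE-2020-26142)" points to §6.8 of the paper, but the unchanged body text two lines below still says "See Section 6.6 in the paper for details"; 6.6 is the AP-forwards-EAPOL attack according to the 8.7 heading, so the body reference is stale and should be updated to 6.8 in this commit.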


@ -10,23 +10,23 @@
## Common Implementation Vulnerabilities ## Common Implementation Vulnerabilities
- **Reassembling encrypted fragments with non-consecutive packet numbers**: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. - **CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers**: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
- **Reassembling mixed encrypted/plaintext fragments**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. - **CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
- **Accepting plaintext broadcast fragments as full frames (in an encrypted network)**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. - **CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network)**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
- **Accepting plaintext A-MSDU frames that start with an EAPOL LLC/SNAP header (in an encrypted network)**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid EAPOL LLC/SNAP header. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. - **CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an EAPOL LLC/SNAP header (in an encrypted network)**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid EAPOL LLC/SNAP header. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
## Other Implementation Vulnerabilities ## Other Implementation Vulnerabilities
- **Accepting plaintext data frames in a protected network**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. - **CVE-2020-26140: Accepting plaintext data frames in a protected network**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
- **Accepting _fragmented_ plaintext data frames in a protected network**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. - **CVE-2020-26143: Accepting _fragmented_ plaintext data frames in a protected network**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
- **Forwarding EAPOL frames even though the sender is not yet authenticated**: Vulnerable Access Points (APs) forward EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. An adversary might be able to abuse this in projected Wi-Fi networks to launch denial-of-service attacks against connected clients, and this makes it easier to exploit other vulnerabilities in connected clients. - **CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated**: Vulnerable Access Points (APs) forward EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. An adversary might be able to abuse this in projected Wi-Fi networks to launch denial-of-service attacks against connected clients, and this makes it easier to exploit other vulnerabilities in connected clients.
- **Not verifying the TKIP MIC of fragmented frames**: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. - **CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames**: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
- **Processing fragmented frames as full frames**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. - **CVE-2020-26142: Processing fragmented frames as full frames**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
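Review bot: CVE-2020-26141 ("Not verifying the TKIP MIC of fragmented frames") is the one identifier added in this list that no README heading in this commit maps a test command to; either add the corresponding subsection to the README or say there that no test covers it, otherwise the README's "How commands match to CVEs is listed below" is incomplete. Also, "projected Wi-Fi networks" in the CVE-2020-26139 entry should be "protected Wi-Fi networks", and the CVE-2020-26146 entry says "Vulnerable WPA, WPA2, or WPA3 implementations" while every other entry also lists WEP; given its closing sentence "WEP is vulnerable to this attack by design" the omission is presumably deliberate, but a few words making that explicit would help.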