From 694aaa0100f3928ee0df744dbdc9782c1592e96d Mon Sep 17 00:00:00 2001 From: Mathy Vanhoef Date: Wed, 20 Jan 2021 04:30:41 +0400 Subject: [PATCH] fragattack: updated README and SUMMARY --- research/README.md | 15 +++++++++------ research/SUMMARY.md | 4 ++-- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/research/README.md b/research/README.md index 5c7e50aeb..fe238b566 100644 --- a/research/README.md +++ b/research/README.md @@ -2,9 +2,10 @@ # 1. Introduction -The discovered vulnerabilities affect all Wi-Fi networks. A short summary of all vulnerabilities can be -found [here](SUMMARY.md), although we also recommend reading the [paper](fragattacks.pdf). The resulting -attacks are identical against WPA2 and WPA3 because their CCMP and GCMP encryption ciphers are identical. +The discovered vulnerabilities affect all Wi-Fi networks. A short overview of all vulnerabilities can be +found [here](SUMMARY.md) and a summary of resulting attacks and their preconditions can be found [here](attacks.pdf). +We also recommend reading the [paper](fragattacks.pdf). Note that the attacks are identical against WPA2 +and WPA3 because their CCMP and GCMP encryption ciphers are identical. Older WPA networks by default use TKIP for encryption, and the applicability of the attacks against this cipher are discussed in the paper. To illustrate that Wi-Fi has been vulnerable since its creation, 
@@ -20,12 +21,14 @@ the paper also briefly discusses the applicability of the attacks against WEP. ## 2.2. Change log -**Version 1.3 (12 January 2021)**: +**Version 1.3 (20 January 2021)**: - This version is based on hostap commit `a337c1d7c` ("New TWT operations and attributes to TWT Setup and Nudge"). -- Added instructions on how to test WPA3/SAE devices using either the hunting-and-pecking or hash-to-element method. - This also implies that Management Frame Protection (MFP) is supported by the test tool. +- Added an [overview](attacks.pdf) of resulting attacks and their preconditions. + +- Added instructions on how to test WPA3/SAE devices using either the hunting-and-pecking + or hash-to-element method. This also implies that Management Frame Protection (MFP) is supported by the test tool. - Added a clarification to this README on how to use tcpdump to verify the result of certain tests. diff --git a/research/SUMMARY.md b/research/SUMMARY.md index 19f91079d..ff33d02bf 100644 --- a/research/SUMMARY.md +++ b/research/SUMMARY.md 
@@ -26,7 +26,7 @@ - **CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated**: Vulnerable Access Points (APs) forward EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. An adversary might be able to abuse this in projected Wi-Fi networks to launch denial-of-service attacks against connected clients, and this makes it easier to exploit other vulnerabilities in connected clients. -- **CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames**: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. - - **CVE-2020-26142: Processing fragmented frames as full frames**: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. +- **CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames**: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. +
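Review bot: in the first README.md hunk the new introduction text links to `attacks.pdf`, but the diffstat lists only research/README.md and research/SUMMARY.md, so the link will dangle unless the PDF is added in this commit or an accompanying one; either include the file here or name the commit that adds it. While this paragraph is being touched, the unchanged context line "the applicability of the attacks against this cipher are discussed" should read "is discussed".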
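Review bot: in the change-log hunk the inserted empty `+` line between the new `Added an [overview](attacks.pdf)` bullet and the re-wrapped `Added instructions on how to test WPA3/SAE devices` bullet splits the list into separate paragraphs when rendered and is inconsistent with the neighbouring entries, which are not separated by blank lines; drop that line. The hunk also changes the date of Version 1.3 from 12 to 20 January 2021 instead of adding a new entry; if 1.3 was already published under the earlier date, a Version 1.4 entry would keep the history accurate.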
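Review bot: the SUMMARY.md hunk moves the CVE-2020-26141 (TKIP MIC) entry below CVE-2020-26142, so the list is no longer in ascending CVE order, and neither the hunk nor the commit message ("updated README and SUMMARY") says why; if the intent is to group the entry with related items, say so in the commit message, otherwise keep the numeric order. The entry's description text is unchanged in the `+` line, so the change is a pure reorder.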