Recommendations to Protect Wi-Fi Traffic: Management, Control, and Data from Vulnerability Exploitation

Summary

This article informs customers of precautionary measures they can introduce in their networks to minimize potential exploitation of vulnerabilities.

Question

Is the network using Wi-Fi and network features to protect against and minimize potential exploitation of vulnerabilities?

Customer Environment

vSZ 5.2.2, vSZ 6.0.0 and the AP models supported on these platforms; and respective releases

Root Cause

Potential Security Vulnerability

Symptoms

When a customer extensively uses an open SSID with WPA2/PSK, for example, the likelihood of such a network being exposed to vulnerability exploitation increases significantly.

Troubleshooting Steps

In a scenario where network administrators have experienced or foresee a potential attack on their wireless clients, they can run vulnerability checks on their own Wi-Fi networks using Aircrack-ng and Wireshark. Wireshark is used to monitor network activity. Aircrack-ng is a more aggressive tool, used to test whether access to wireless connections can be obtained. Thinking as an intruder has always been the safest way to protect against a hack. By learning about Aircrack-ng, the network administrator can understand the actions an intruder would take to obtain access to the system, and can then conduct compliance checks on that system to ensure that it is not insecure.

Workaround

Users should implement a multi-faceted, layered security strategy to protect all aspects of their Wi-Fi network. The following recommendations are proposed to customers to minimize the impact of exploitation, using Man-in-the-Middle (MITM) attacks as an example.

A) Use an SSID that employs 802.1x EAP-TLS, PEAP, or TTLS

EAP-TLS relies on certificates to authenticate the network to the clients and the clients to the network. Requiring the network (the servers) to have certificates is a common theme in most security architectures. However, requiring each client to be issued a certificate in turn requires the widespread deployment of PKI. Since this is sometimes not a cost-effective option, a few alternative protocols have been proposed: EAP-TTLS (tunneled TLS) and PEAP. Both of these protocols use certificates to authenticate the network (the server) to the client but do not use certificates to authenticate the client to the server. Thus, a client no longer needs a certificate to authenticate itself to the server; instead, clients can use password-based schemes (CHAP, PAP, MS-CHAPv2 and so on) to authenticate themselves.

Please use vSZ admin guide to deploy 802.1x authentication based WLAN:
-- vSZ Admin guide
-- Services Profile: 802.1x Authentication section

Clients connecting to such SSIDs are well protected, and it is harder for a malicious actor to deceive a client into joining a network that is not authentic. Prior to deploying secure SSIDs, customers are requested to evaluate the design of the network, evaluate all technical implications, and take any performance impacts into consideration.

B) Consider deploying Wireless Intrusion Prevention Systems (WIPS) and Wireless Intrusion Detection Systems (WIDS)

WIDS is actually a broader concept than catching break-in attempts. It also includes verifying the access points that are on the network, identifying any that shouldn't be there or that have security issues (e.g. rogue APs), and detecting attacks on APs and clients. For example, Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.

In Wi-Fi, a wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection) and can automatically take countermeasures (intrusion prevention). The main functions of a WIPS are to identify malicious activity, log information, attempt to block or stop the activity, and report it. For example, WatchGuard provides WIPS products for Wi-Fi networks.

Please use vSZ admin guide to deploy vSZ's WIPS/WIDS capability. Additional tools are also available from other vendors as exemplified above.
-- vSZ WIPS/WIDS section

Despite the benefits of WIPS and WIDS, customers are requested to evaluate the current network architecture and design before deploying such tools.

C) Enable Wi-Fi Protected Access-3 (WPA3) in the network

The WPA3 standard seeks to improve password security by being more resilient to word-list or dictionary attacks. WPA3 also offers forward secrecy. This adds the considerable benefit of protecting previously exchanged information even if a long-term secret key is compromised.
Forward secrecy is already provided by protocols like TLS, which use asymmetric keys to establish shared keys.

In addition to the aforementioned enhancements, WPA3 provides Protected Management Frames (PMF). Unicast management frames are protected from both eavesdropping and forging; multicast management action frames are protected from being forged.

Customers are highly encouraged to enable WPA3 SSIDs.

NB: It should be noted that the initial association frame, for example, and the control frames of the 802.11 protocol are currently protected under WPA3.

Enabling WPA3: Use the admin guide to enable WPA3 on a WLAN:
Admin Guide, section "Creating a WLAN Configuration", subsection "Encryption options": this is where WPA3 can be selected for the chosen WLAN to protect 802.11 management frames
-- https://docs.commscope.com/bundle/sz-522-adminguide-sz300vsz/page/GUID-52C7C338-450C-4C3A-A45B-BD96E88F086B.html
-- https://support.ruckuswireless.com/documents/3579-smartzone-5-2-2-ga-administrator-guide-sz300-vsz-h
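
Once WPA3 is enabled, the RSN element that the WLAN advertises shows whether SAE and PMF are really on offer. The following Python sketch is an added example, not code from this article or from the vendor: it parses an RSN element body and lists weak settings. The sample byte strings are constructed, and the suite numbers and capability bits are those of the IEEE 802.11 RSN element.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"
AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
CIPHER = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}

def _suite(buf, off, table):
    # One suite selector: 3-byte OUI followed by a 1-byte suite type.
    if off + 4 > len(buf):
        raise ValueError("truncated RSN element")
    oui, kind = buf[off:off + 3], buf[off + 3]
    return table.get(kind, f"type-{kind}") if oui == IEEE_OUI else "vendor-specific"

def _suite_list(buf, off, table):
    # 2-byte little-endian count, then that many suite selectors.
    if off + 2 > len(buf):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", buf, off)
    names = [_suite(buf, off + 2 + 4 * i, table) for i in range(count)]
    return names, off + 2 + 4 * count

def parse_rsn(body):
    """Parse an RSN element body (element ID 48, ID and length bytes removed)."""
    group = _suite(body, 2, CIPHER)  # bytes 0-1 hold the version field
    pairwise, off = _suite_list(body, 6, CIPHER)
    akms, off = _suite_list(body, off, AKM)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"group": group, "pairwise": pairwise, "akms": akms,
            "mfpc": bool(caps & 0x0080),  # management frame protection capable
            "mfpr": bool(caps & 0x0040)}  # management frame protection required

def assess(body):
    """Return the findings for one advertised RSN element."""
    rsn, findings = parse_rsn(body), []
    if rsn["group"] == "TKIP" or "TKIP" in rsn["pairwise"]:
        findings.append("TKIP enabled")
    if "PSK" in rsn["akms"]:
        findings.append("WPA3 transition mode: PSK still accepted" if "SAE" in rsn["akms"]
                        else "WPA2-PSK only, SAE not offered")
    if not rsn["mfpc"]:
        findings.append("PMF disabled")
    elif not rsn["mfpr"]:
        findings.append("PMF optional, not required")
    return findings

# Constructed sample element bodies (not captured from a real network).
WPA2_PSK = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
WPA3_SAE = bytes.fromhex("0100" "000fac04" "0100" "000fac04" "0100" "000fac08" "c000")
```

An empty result from `assess` means the element advertises SAE only, with PMF required.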

Resolution

Recent 802.11 Vulnerability:

The following Common Vulnerabilities and Exposures (CVEs), based on the "Aggregation & Fragmentation Attacks Against Wi-Fi" vulnerability (tracked as usirp02_2020) reported to the Wi-Fi Alliance, will be made public on 11th May 2021:

•    CVE-2020-24586 [Not clearing fragments from memory when (re)connecting to a network]
A vulnerable device does not clear its cache/memory to remove fragments of an incomplete MSDU/MMPDU from previous session after reconnection/re-association.

•    CVE-2020-24587 [Reassembling fragments encrypted under different keys]
A vulnerable device reassembles fragments encrypted under different keys in a protected network.

•    CVE-2020-24588 [Accepting non-SPP A-MSDU frames]
Devices allow the encrypted payload to be parsed as containing one or more aggregated frames instead of a normal network packet.

•    CVE-2020-26139 [Forwarding EAPOL frames even though the sender is not yet authenticated]
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.

•    CVE-2020-26140 [Accepting plaintext data frames in a protected network]
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

•    CVE-2020-26141 [Not verifying the TKIP MIC of fragmented frames]
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.

•    CVE-2020-26142 [Processing fragmented frames as full frames]
An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.

•    CVE-2020-26143 [Accepting fragmented plaintext data frames in a protected network]
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

•    CVE-2020-26144 [Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)]
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid EAPOL LLC/SNAP header. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

•    CVE-2020-26145 [Accepting plaintext broadcast fragments as full frames (in an encrypted network)]
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

•    CVE-2020-26146 [Reassembling encrypted fragments with non-consecutive packet numbers]
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.

•    CVE-2020-26147 [Reassembling mixed encrypted/plaintext fragments]
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

The FragAttacks link is as follows:
https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center
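
Several of the fragmentation CVEs listed above describe a check that the receiver skips during reassembly. The following Python model is an added example, not code from this article or from any vendor's driver: it shows a fragment cache that enforces those checks. The Fragment fields, the key_id counter and the sample traffic in demo() are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    sender: str       # transmitter address
    seq: int          # sequence number shared by the fragments of one frame
    frag_no: int      # fragment number, starting at 0
    more: bool        # More Fragments flag
    encrypted: bool   # False for a plaintext fragment
    key_id: int       # hypothetical counter that changes on every rekey
    pn: int           # packet number of this fragment
    payload: bytes

# Simplified model of a protected link after keys are installed (assumption).
class Reassembler:
    def __init__(self):
        self.cache = {}  # (sender, seq) -> fragments accepted so far

    def on_reconnect(self, sender):  # CVE-2020-24586: forget the old session
        self.cache = {k: v for k, v in self.cache.items() if k[0] != sender}

    def _drop(self, key, reason):
        self.cache.pop(key, None)
        return ("drop", reason)

    def receive(self, f):
        """Return ('drop', reason), ('wait', None) or ('frame', payload)."""
        key = (f.sender, f.seq)
        if not f.encrypted:  # CVE-2020-26140, -26143, -26147
            return self._drop(key, "plaintext fragment")
        parts = [] if f.frag_no == 0 else self.cache.get(key, [])
        if f.frag_no != len(parts):
            return self._drop(key, "unexpected fragment number")
        if parts and f.key_id != parts[-1].key_id:  # CVE-2020-24587
            return self._drop(key, "fragments under different keys")
        if parts and f.pn != parts[-1].pn + 1:  # CVE-2020-26146
            return self._drop(key, "non-consecutive packet numbers")
        parts = parts + [f]
        if f.more:
            self.cache[key] = parts
            return ("wait", None)
        self.cache.pop(key, None)
        return ("frame", b"".join(p.payload for p in parts))

def demo():  # constructed traffic: a clean frame, then one split across a rekey
    r = Reassembler()
    r.receive(Fragment("sta1", 7, 0, True, True, 1, 100, b"AB"))
    clean = r.receive(Fragment("sta1", 7, 1, False, True, 1, 101, b"CD"))
    r.receive(Fragment("sta1", 8, 0, True, True, 1, 102, b"EF"))
    return clean, r.receive(Fragment("sta1", 8, 1, False, True, 2, 0, b"GH"))
```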


Article Number:
000011636

Updated:
May 11, 2021 10:50 AM

Tags:
Configuration, Security, Troubleshooting, Known Issues and Workarounds, SZ144, SZ144 D, Ruckus Cloud WiFi, SZ300, vSZ Dataplane, Unleashed, SZ100D, virtual SmartCell Gateway, SZ100, ZoneDirector 1200
