On April 10, 2019, a research paper entitled Dragonblood: Analysing WPA3’s Dragonfly Handshakewas made publicly available. This paper describes how the Simultaneous Authentication of Equals (SAE) handshake, defined in IEEE-802.11-2016 and implemented as part of the Wi-Fi Alliance’s Wi-Fi Protected Access 3 (WPA3) security suite, has recently been identified to have multiple vulnerabilities.
An attacker could exploit these vulnerabilities to attempt the offline recovery of the password used to secure a Wi-Fi network or perform a denial of service attack against vulnerable access points. Cisco Access points are not affected by any of the vulnerabilities described. The Cisco AireOS and IOS-XE releases that support SAE for WPA3-Personal will also include protection mechanisms against these vulnerabilities. WPA3 clients may need to be updated and Cisco recommends finding the latest information from vendors’ websites.
Although no Cisco products are affected, Cisco understands that customers are interested in understanding the vulnerabilities in order to assess WPA3 clients’ vulnerabilities. This document provides a summary of the issues raised in the vulnerability disclosure.
Simultaneous Authentication of Equals (SAE) isa password authenticated key exchange intended to provide resistance to offline dictionary attacks which is one of the major challenges in WPA-2 Personal (PSK). SAE is defined in the 802.11 standard, and WPA3 uses SAE in the WPA3-Personal (PSK) mode. Please note that WPA3-Enterprise mode (with 802.1X/EAP) is not affected by the vulneraibioty disclosure. When using SAE (in WPA3-personal), the researcher has found that several vulnerabilities were possible:
Denial of Service attacks: with SAE, the initiating station (typically the client) starts by sending a commit frame, which content is built from the PSK and random numbers. Processing that frame and generating an answer is computationally expensive on the AP. An attacker could use this fact to generate a large number of commit frames from fake MAC addresses and overload the AP. Cisco APs incorporate automatic detection and blacklisting of misbehaving clients as well as anti-exhaustion mechanisms. The effect of such attack on clients in a Cisco network may be a slower handshake completion.
Backward compatibility attack: To accomodate older clients that only support WPA2-Personal and aid in the transition from WPA2-Personal to WPA3-Personal, a WPA3-Personal transition mode was created (thus an SSID allowing both WPA3-PSK and WPA2-PSK). An attacker could spoof the AP MAC address and force clients to a WPA2 mode (then use known attacks against WPA2-PSK to recover the PSK). Cisco supports both “WPA3-Personal Only” and “WPA2+WPA3 Personal” mode (which is the mixed mode.) Cisco recommends configuring WPA-3 only WLANs and avoid configuring WLANs in mixed mode.
SAE group key negotiation attack: when sending the commit frame, the initiating side (typically the client) mentions the security group algorithm that it wants to use. If the AP does not support that group, it can return a decline message, forcing the initiating station to choose another group (until a group algorithm supported by both sides is found). An attacker can impersonate an AP and force the stations to choose a weaker, or a computationally expensive, group (thus attempting to exhaust the AP resources). Cisco access points are not susceptible to this attack. Cisco encourages customers to verify susceptibility of this attack with endpoint vendors.
Password partitioning: finding the PSK from the SAE generated strings is considered nearly infeasible in reasonable time with current computing power and techniques. However, an attacker could attempt to guess which subset of passwords the PSK may belong to, by using two possible techniques. WPA3 mandates the support of DH-Group 19 (256-bit ECG), but allows support for other DH groups. When multiplicative groups mod a prime p (MODP groups) is used, the attacker could measure the time that the AP takes to answer to the commit frame, guess the time the AP took to compute its own commit frame, then attempt to measure which subset of passwors would require that same computation time (versus faster or slower computation). This is on the AP side. Cisco APs are not vulnerable to this attack, and do not support MODP groups. The attacker could also compromise a client station, then observe the station memory, guess the commit frame computation time and then also attempt to measure which subset of passwors would require that same computation time. This attack is only valid for client stations, and can be applicable to any DH group. Cisco recommends verifying with the station vendor if its operating system is protected against such attack, for example with anti-malware mechanisms.
Cisco access points and implementation of SAE are not vulnerable to these attacks and will continue to stay abreast of developments in security vulnerabilities. Cisco recommends verifying susceptibility of these issues with vendors. In addition, Cisco best practices include the use of WPA3-Enterprise, using WPA3-PSK if necessary, and avoiding WPA3+WPA2-PSK hybrid WLANs.
Hello everyone, I have a problem I need to solve with my WLC MAc filtering. I found ton of topics on how to block mac addresses on certain SSID on WLC however I didn't find even one that properly explains how to allow only few mac addresses to connec...
Hi everybody;I have the following question, i just installed and configured WLC controller with 7 AP's, the management interface have the ip address 192.168.10.90. i am able to ping the interface vlan 10 (internally is the management vlan) of switch 1 (19...
I understand that the Cisco WLC has the ability to bridge Bonjour services between subnets. We have an issue with Bonjour services where sometimes clients cannot Airplay to an Apple TV that is on the same subnet as the client (they cannot find the Ap...
Hi We need to purchase 2802i AP's which are enabled to capwap as soon as they are taken out of the box. The company that I work with recently bought AP's that were 2802i with the model number AIR-2802i-E-K9 which we found to be ME by default. Th...
Hi All, I am currently running Cisco 2800 ME version 126.96.36.199 and have 4 AIR-AP2802I-E-K9 in the environment. Since the setup has been installed we have regular reports of clients disconnecting and when they reconnect everything is fine.&n...