CVE-2018-14526
Description
wpa_supplicant 2.0-2.6 fails to verify MIC on EAPOL-Key frames when TKIP is used, enabling a decryption oracle attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in rsn_supp/wpa.c of wpa_supplicant versions 2.0 through 2.6. When processing EAPOL-Key frames with the Encrypted flag set but without the MIC flag, the Key Data field is decrypted without verifying the message integrity code (MIC). This flaw is exploitable only when TKIP is negotiated as the pairwise cipher in a WPA2/RSN network. [1][2][4]
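A defender-side check for the frame shape described above, as an added example (not code from wpa_supplicant or from the referenced advisories): it parses the Key Information field of a captured EAPOL-Key frame and flags the Encrypted Key Data flag set with the Key MIC flag cleared. The function names, the 16-octet MIC layout and the sample frames are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Key Information bits of an EAPOL-Key frame (IEEE 802.11). */
#define KEY_INFO_VER_MASK  0x0007u /* Key Descriptor Version */
#define KEY_INFO_MIC       0x0100u /* Key MIC flag */
#define KEY_INFO_ENCR_DATA 0x1000u /* Encrypted Key Data flag */
#define EAPOL_TYPE_KEY 3
#define HDR_LEN   4  /* 802.1X version, type, body length */
#define FIXED_LEN 95 /* descriptor type .. Key Data Length; assumes 16-octet MIC */

enum verdict { EK_NOT_KEY, EK_MALFORMED, EK_OK, EK_ENCR_NO_MIC };

/* Classify one frame starting at the 802.1X version octet. */
enum verdict classify_eapol_key(const uint8_t *f, size_t len, unsigned *ver)
{
    if (len < HDR_LEN) return EK_MALFORMED;
    if (f[1] != EAPOL_TYPE_KEY) return EK_NOT_KEY;
    size_t body = ((size_t)f[2] << 8) | f[3];
    if (body < FIXED_LEN || body > len - HDR_LEN) return EK_MALFORMED;
    const uint8_t *k = f + HDR_LEN;
    unsigned info = ((unsigned)k[1] << 8) | k[2];        /* big-endian */
    size_t data_len = ((size_t)k[93] << 8) | k[94];
    if (data_len > body - FIXED_LEN) return EK_MALFORMED;
    if (ver) *ver = info & KEY_INFO_VER_MASK;
    /* The combination this CVE is about: encrypted Key Data, no MIC. */
    if ((info & KEY_INFO_ENCR_DATA) && !(info & KEY_INFO_MIC)) return EK_ENCR_NO_MIC;
    return EK_OK;
}

/* Constructed sample frame: all fields zero except the ones set here. */
size_t build_sample(uint8_t *out, size_t cap, unsigned info, unsigned data_len)
{
    size_t body = FIXED_LEN + data_len, total = HDR_LEN + body;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 2; out[1] = EAPOL_TYPE_KEY; out[4] = 2;     /* RSN descriptor type */
    out[2] = (uint8_t)(body >> 8); out[3] = (uint8_t)body;
    out[5] = (uint8_t)(info >> 8); out[6] = (uint8_t)info;
    out[97] = (uint8_t)(data_len >> 8); out[98] = (uint8_t)data_len;
    return total;
}

int main(void)
{
    uint8_t buf[256]; unsigned ver = 0;
    size_t n = build_sample(buf, sizeof buf, 0x1001, 16); /* Encrypted, no MIC, v1 */
    printf("verdict=%d ver=%u\n", classify_eapol_key(buf, n, &ver), ver);
    return 0;
}
```

The returned descriptor version separates version 1 (RC4 Key Data encryption, the TKIP case) from version 2 (AES key wrap), which helps when triaging a capture.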
Exploitation
An attacker within wireless range of both the access point and the client can send crafted EAPOL-Key frames with the Encrypted flag set and the MIC flag cleared. No authentication is required. wpa_supplicant then decrypts the Key Data field without integrity checking. Due to the RC4 encryption used with TKIP, the attacker can modify the plaintext via bitwise XOR operations. To recover group keys, the attacker must perform multiple connection attempts (128 per octet), each causing a disconnection and potential temporary or permanent network disablement. [4]
Impact
A successful attack allows the attacker to cause a denial of service by modifying the GTK/IGTK, preventing the station from receiving group-addressed frames. More critically, the attacker can use the client as a decryption oracle to recover the group encryption keys (GTK/IGTK), leading to disclosure of group-addressed traffic. The attack does not provide authentication bypass or remote code execution. [2][4]
Mitigation
The vulnerability is fixed in wpa_supplicant version 2.7, released on August 8, 2018. Red Hat issued RHSA-2018:3107 for Red Hat Enterprise Linux. FreeBSD provided patches in its security advisory FreeBSD-SA-18:11.hostapd. Siemens recommends updating SCALANCE W700 to v6.4 or later and SCALANCE W1700 to v1.1 or later. As a workaround, use AES-CCMP instead of TKIP in WPA/WPA2 networks. [1][2][3][4]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (35)
- Range: >=2.0 <=2.6
- osv-coords (34 versions, no CPE):
  - pkg:rpm/opensuse/hostapd&distro=openSUSE%20Tumbleweed, range: < 2.9-6.2
  - pkg:rpm/opensuse/wpa_supplicant&distro=openSUSE%20Leap%2015.1, range: < 2.9-lp151.5.10.1
  - pkg:rpm/opensuse/wpa_supplicant&distro=openSUSE%20Leap%2015.2, range: < 2.9-lp152.8.3.1
  - pkg:rpm/opensuse/wpa_supplicant&distro=openSUSE%20Tumbleweed, range: < 2.9-13.4
  - pkg:rpm/suse/wpa_supplicant&distro=HPE%20Helion%20OpenStack%208, range: < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Enterprise%20Storage%204, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP4, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS, range: < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS, range: < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015, range: < 2.6-4.11.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1, range: < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2, range: < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL, range: < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS, range: < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 2.9-23.3.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS, range: < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 2.9-23.3.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015, range: < 2.9-4.20.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20OpenStack%20Cloud%207, range: < 2.6-15.10.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20OpenStack%20Cloud%208, range: < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20OpenStack%20Cloud%209, range: < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208, range: < 2.9-15.22.1
  - pkg:rpm/suse/wpa_supplicant&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 2.9-15.22.1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (10)
- lists.opensuse.org/opensuse-security-announce/2019-05/msg00013.html (mitre, vendor-advisory, x_refsource_SUSE)
- access.redhat.com/errata/RHSA-2018:3107 (mitre, vendor-advisory, x_refsource_REDHAT)
- security.freebsd.org/advisories/FreeBSD-SA-18:11.hostapd.asc (mitre, vendor-advisory, x_refsource_FREEBSD)
- usn.ubuntu.com/3745-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.securitytracker.com/id/1041438 (mitre, vdb-entry, x_refsource_SECTRACK)
- cert-portal.siemens.com/productcert/pdf/ssa-344983.pdf (mitre, x_refsource_CONFIRM)
- lists.debian.org/debian-lts-announce/2018/08/msg00009.html (mitre, mailing-list, x_refsource_MLIST)
- papers.mathyvanhoef.com/woot2018.pdf (mitre, x_refsource_MISC)
- w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt (mitre, x_refsource_MISC)
- www.us-cert.gov/ics/advisories/icsa-19-344-01 (mitre, x_refsource_MISC)