M.M.SW wrote:
中華電信旗下Hinet寬頻用戶超過400萬,
加上全臺超過5萬個公共無線網路服務CHT Wi-Fi熱點,
在無線上網的局端、終端裝置尚未修補漏洞之前恐曝露在駭客攻擊的風險下。...(恕刪)
瞭解原理後,其實會發現WPA2漏洞主要是利用WPA2安全協議在裝置(Client)上的漏洞,由於AP和Client端雙方要進行連接到傳輸資料,必須經過四次的「握手」過程:
1.AP傳送一組初始化向量(nonce)給Client。
2.Client接到AP的初始化向量後,產生另一個初始化向量發給AP。
3.AP通知建構了一個512位元的一對一金鑰PTK(Pairwise Transient Key),通知Client是否要使用這個PTK。
4.若Client要使用這個PTK,Client就會安裝金鑰,然後傳送OK的回應給AP,結束握手的過程。
問題出在第3次握手時,裝置會安裝AP所分配的金鑰,並透過加密協議去加密資料封包,若這個過程發生資料遺失,就不會產生第4次握手,而AP沒有收到Client的正確回應,就會重複步驟1-3,一再傳送金鑰給Client去安裝,當Client多次重複安裝相同的加密金鑰,會讓初始向量被重置,透過比對,傳輸封包就可能被解密。所以,若Client上金鑰只能安裝一次,就沒有可趁之機了。
畢竟純802.1x radius 就是 portbased 的技術而已,並不會再往後段的WPA 2 enterprise的flow 走下去,因此現階段來說反而安全?
有沒有大大想對這部分發表意見?
t0349243 wrote:
一般企業網路,如果...(恕刪)
還是要做CLIENT更新.... AP 的部分等原廠釋出後也要找時間處理
以我目前管理的設備來說
Q: How are Aruba controlled APs and Mobility Controllers running ArubaOS affected?
A: ArubaOS contains both authenticator and supplicant functionality. The two are affected differently:
• As an authenticator (standard WPA2 functionality where the AP/controller exchanges encrypted information with a Wi-Fi client), ArubaOS is not vulnerable to the key reinstallation attack in the 4-way and group key handshakes. This is because ArubaOS stores the latest value of the replay counter and will reject any message that contains a different replay value.
• As an authenticator in the 802.11r Fast BSS Transition (FT) handshake, ArubaOS is vulnerable to the key reinstallation attack. This is made possible because the first two messages of the FT handshake do not contain a replay counter. Aruba has mitigated this attack through a software update. Note that 802.11r is not enabled by default in ArubaOS; the majority of Aruba customers will not be affected. For customers who have enabled 802.11r, disabling it will prevent the attack. Bug 168097 is tracking this issue.
• The “mesh” feature of ArubaOS allows APs to connect to other APs over wireless links for the purpose of network extension. Mesh links are protected using WPA2, and the open-source Linux “wpa_supplicant” utility is used to provide 802.1X authentication. The research paper points out that wpa_supplicant is vulnerable to the key reinstallation attack. Mesh is not enabled by default in ArubaOS. For customers who have enabled this feature, disabling it will prevent the attack. Bug 168489 is tracking this issue.
Q: Do I need to upgrade ArubaOS?
A: Upgrading your ArubaOS software is recommended to fully mitigate all vulnerabilities.
有兩個部分會被攻擊,但是我的環境都沒使用802.11r / Mesh
所以我會等過陣子大家試驗過最新的firmware 有沒有問題後才更新
至於Client 的部分 負責WSUS 的同事早就派送出去了
Allen Yeh
內文搜尋
從 APP 打開
X