Executive Summary
Summary | |
---|---|
Title | WiFi Protected Setup (WPS) PIN brute force vulnerability |
Informations | |||
---|---|---|---|
Name | VU#723755 | First vendor Publication | 2011-12-27 |
Vendor | VU-CERT | Last vendor Modification | 2012-02-09 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 5.8 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#723755WiFi Protected Setup (WPS) PIN brute force vulnerabilityOverviewThe WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on many wireless routers makes this brute force attack that much more feasible.I. DescriptionWiFi Protected Setup (WPS) is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WPS contains an authentication method called "external registrar" that only requires the router's PIN. By design this method is susceptible to brute force attacks against the PIN.When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 108 to 104 + 103 which is 11,000 attempts in total. II. ImpactAn attacker within range of the wireless access point may be able to brute force the WPS PIN and retrieve the password for the wireless network, change the configuration of the access point, or cause a denial of service.III. SolutionWe are currently unaware of a practical solution to this problem. Please consider the following workarounds:Disable WPS
Referenceshttp://sviehb.wordpress.com/2011/12/27/wi-fi-protected-setup-pin-brute-force-vulnerability/ CreditThanks to Stefan Viehböck for reporting this vulnerability. This document was written by Jared Allar. Other Information
This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify |
Original Source
Url : http://www.kb.cert.org/vuls/id/723755 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-287 | Improper Authentication |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
ExploitDB Exploits
id | Description |
---|---|
2011-12-30 | Reaver WiFi Protected Setup Exploit |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
78282 | Multiple Router Wi-Fi Protected Setup (WPS) Protocol External Registrar Authe... |
Alert History
Date | Informations |
---|---|
2016-04-27 00:51:08 |
|
2013-05-11 00:57:19 |
|