AirTight Networks has discovered a vulnerability in WPA2. AirTight will present a public Webinar on August 4 at 11am Pacific Time to detail its findings. [url=https://admin.acrobat.com/_a1013426351/e86663687/event/registration.html]Click here to register[/url].
More about Hole196:
WPA2 Hole196 Vulnerability
WPA2, perceived as the most solid Wi-Fi security protocol, is widely used by enterprises for securing their Wi-Fi networks. But security researchers at AirTight have uncovered a vulnerability called "Hole196" in the WPA2 security protocol that exposes WPA2-secured Wi-Fi networks to malicious insiders. Exploiting the vulnerability, an insider can bypass WPA2 private key encryption and authentication to sniff and decrypt data from other authorized users as well as scan their Wi-Fi devices for vulnerabilities, install malware and possibly compromise those Wi-Fi devices. AirTight researcher, Md. Sohail Ahmad, will be demonstrating this vulnerability at the Black Hat Arsenal and at DEFCON18 in a presentation entitled "WPA Too?!" in Las Vegas on July 29th and July 31th respectively.
Devin Akin's thoughts: http://blog.aerohive.com/blog/?p=342
It seems that WPA2 Hole196 affects only GTK keys, not unicast PTK keys, and expoit could launch insiders only, non-authorized users havn't chance.
Excert from 802.11-2007 page 196:
"8.5.1 Key hierarchy
RSNA defines two key hierarchies:
a) Pairwise key hierarchy, to protect unicast traffic
b) GTK, a hierarchy consisting of a single key to protect multicast and broadcast traffic
NOTE?Pairwise key support with TKIP or CCMP allows a receiving STA to detect MAC address spoofing
and data forgery. The RSNA architecture binds the transmit and receive addresses to the pairwise key. If an
attacker creates an MPDU with the spoofed TA, then the decapsulation procedure at the receiver will generate
an error. GTKs do not have this property."
And phrase from D.Akin's blog: "There will be no drive-by attackers executing this against WPA2-Enterprise networks." is litle bit optimistic.