
Cisco today announced that it is working to patch multiple products that are affected by the recently disclosed Kr00k vulnerability in WiFi chips from Broadcom and Cypress.
The flaw (CVE-2019-15126) was announced yesterday by security researchers at ESET and can be leveraged by an unauthenticated attacker to decrypt data frames captured from a nearby vulnerable device.
Kr00k affects at least 14 Cisco products
An attacker exploiting this security vulnerability does not need to know the Wireless Protected Access (WPA) or Wireless Protected Access 2 (WPA2) keys that secure the network.
Cisco is currently investigating its line of products to identify which ones are vulnerable and has so far come up with the following list:
| Product | Cisco Bug ID |
|---|---|
| Routing and Switching - Enterprise and Service Provider | |
| Cisco Connected Grid Routers | CSCvs87927 |
| Routing and Switching - Small Business | |
| Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router | CSCvs87875 |
| Cisco Small Business RV Series RV110W Wireless-N VPN Firewall | CSCvs87870 |
| Cisco Small Business RV Series RV215W Wireless-N VPN Router | CSCvs87874 |
| Cisco Small Business RV130 Series VPN Routers | CSCvs87871 |
| Cisco WAP125 Wireless-AC Dual Band Desktop Access Point with PoE | CSCvs87868 |
| Cisco WAP150 Wireless-AC/N Dual Radio Access Point with PoE | CSCvs87877 |
| Cisco WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point with PoE | CSCvs87877 |
| Cisco WAP571 Wireless-AC/N Premium Dual Radio Access Point with PoE | CSCvs93095 |
| Cisco WAP571E Wireless-AC/N Premium Dual Radio Outdoor Access Point | CSCvs93095 |
| Cisco WAP581 Wireless-AC Dual Radio Wave 2 Access Point | CSCvs87868 |
| Voice and Unified Communications Devices | |
| Cisco Wireless IP Phone 8821 | CSCvs87896 |
| Wireless | |
| Cisco Catalyst 9115 Series Wi-Fi 6 Access Points | CSCvs87888 |
| Cisco Catalyst 9120 Series Access Points | CSCvs87888 |
The company warns that there is no workaround to mitigate the issue and a patch is the only reliable solution. The assessed severity level is medium.
CVE-2019-15126 occurs on devices with WiFi chips from Broadcom or Cypress when they disconnect from their access point; in technical terms, this is known as a disassociation event and can be triggered by an attacker via a deauthentication attack.
During this process, the key that secures WiFi communication is cleared in memory (set to zero). Some WiFi frames still present in the transmit buffer are sent out encrypted with the all-zero key.
Attackers can intercept the frames and decrypt them, potentially extracting sensitive information. By triggering multiple disassociation events, they can acquire more frames and increase their chances of finding important info.
In today's advisory, Cisco describes two methods that can be used to intercept the weakly-encrypted WiFi frames:
- Triggering the disassociation event by injecting malicious packets into the wireless network and capturing the frames sent after the event.
- Passively listening to traffic from the wireless network and capturing the frames sent after a disassociation event.
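Because the first method depends on forcing repeated disassociation events, a client that is disconnected many times in a short span is a signal worth reviewing until patches are applied. The following is an added example, not code from Cisco's advisory or ESET's research; the log format, field names, window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical key=value log format (not a real AP's syntax).
SAMPLE_LOG = """\
2020-02-27T10:00:01 ap=ap1 event=disassoc client=aa:bb:cc:00:00:01
2020-02-27T10:00:03 ap=ap1 event=assoc client=aa:bb:cc:00:00:01
2020-02-27T10:00:09 ap=ap1 event=deauth client=aa:bb:cc:00:00:01
2020-02-27T10:00:15 ap=ap1 event=disassoc client=aa:bb:cc:00:00:02
2020-02-27T10:00:21 ap=ap1 event=disassoc client=aa:bb:cc:00:00:01
garbled line without timestamp
2020-02-27T10:00:33 ap=ap1 event=disassoc client=aa:bb:cc:00:00:01
2020-02-27T10:00:40 ap=ap1 event=deauth client=aa:bb:cc:00:00:01
2020-02-27T10:12:00 ap=ap1 event=disassoc client=aa:bb:cc:00:00:02
"""

WINDOW = timedelta(seconds=60)  # assumed look-back window
THRESHOLD = 4                   # assumed number of events that counts as a burst

def parse_line(line):
    """Return (timestamp, fields) for a well-formed line, or None otherwise."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, dict(p.split("=", 1) for p in parts[1:] if "=" in p)

def find_disassoc_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each client to its peak count of disassoc/deauth events inside one
    sliding window, keeping only clients that reach the threshold.
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the scan
        ts, fields = parsed
        if fields.get("event") not in ("disassoc", "deauth") or "client" not in fields:
            continue
        q = recent[fields["client"]]
        q.append(ts)
        while ts - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[fields["client"]] = max(flagged.get(fields["client"], 0), len(q))
    return flagged
```

This covers only the injection-based method; passive capture after a naturally occurring disassociation produces no burst to detect.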
ESET researchers disclosed the vulnerability to Broadcom and Cypress, allowing time for a firmware fix to become available and distributed to vendors with affected products.
Before patches emerged, the researchers estimated that there were more than one billion devices vulnerable in the world. The list includes popular products from high-profile companies like Apple, Amazon, Google, Samsung, Asus, Huawei, and Xiaomi.
