Low
CVE-2019-15126 aka Kr00k
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Low
(1 user assessed)High
(1 user assessed)CVE-2019-15126 aka Kr00k
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.
Add Assessment
Ratings
-
Attacker ValueLow
-
ExploitabilityHigh
Technical Analysis
The TL;DR from the technical whitepaper found here: https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf
If there are outbound TX queue packets for certain common WiFi devices, and a disassociation management packet is sent, the device will clear the encryption key to all zeros, and send the remaining packet data in the queue with that hardcoded key. If an attacker can send diassociate packets and then listen for any residual data frames, they can decrypt whatever traffic remains in the TX queue on those devices, which may be a few hundred packets depending on the data rate involved.
While this seems like a real risk, I’m firmly in the camp that relying on the physical layer in the first place for data protection is misguided, and that really end-to-end security is still the only way to – Wifi has proven over and over to be a weak security boundary. By the time this is wide-spread fixed, we’ll all be using DNS-over-HTTPS by force from browsers anyway. So, from an end-point consumer PoV, this isn’t a big deal. Not any worse that connecting to that unencrypted hotel network you may have used earlier.
Some potential future vuln predictions here: https://twitter.com/vanhoefm/status/1232738451587555328
Thinking through situations where an attacker might find this useful would be in physically accessing business-local OT networks, like point-of-sale, manufacturing, or other squishy-on-the-inside networks. Expect to see this show up in the next Wifi Pineapple release or in your next pen test physical engagement report.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- apple,
- broadcom
Products
- bcm43012 firmware -,
- bcm43013 firmware -,
- bcm4356 firmware -,
- bcm4375 firmware -,
- bcm43752 firmware -,
- bcm4389 firmware -,
- ipados,
- iphone os,
- mac os x
References
Advisory
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
I wonder if simply ignoring deauth frames would be enough to also mitigate this, as in the stayauth option on OpenBSD:: https://man.openbsd.org/ifconfig