Attacker Value

Low

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

CVE-2019-15126 aka Kr00k

Disclosure Date: February 05, 2020 •

CVE-2019-15126 CVSS v3 Base Score: 3.1

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

Add Assessment

busterb (317)

February 27, 2020 2:53pm UTC (4 years ago)•Edited 4 years ago

Ratings

Attacker Value

Low

Exploitability

High

Common in enterprise Easy to weaponize Requires physical access

Technical Analysis

The TL;DR from the technical whitepaper found here: https://www.welivesecurity.com/wp-content/uploads/2020/02/ESET_Kr00k.pdf

If there are outbound TX queue packets for certain common WiFi devices, and a disassociation management packet is sent, the device will clear the encryption key to all zeros, and send the remaining packet data in the queue with that hardcoded key. If an attacker can send diassociate packets and then listen for any residual data frames, they can decrypt whatever traffic remains in the TX queue on those devices, which may be a few hundred packets depending on the data rate involved.

While this seems like a real risk, I’m firmly in the camp that relying on the physical layer in the first place for data protection is misguided, and that really end-to-end security is still the only way to – Wifi has proven over and over to be a weak security boundary. By the time this is wide-spread fixed, we’ll all be using DNS-over-HTTPS by force from browsers anyway. So, from an end-point consumer PoV, this isn’t a big deal. Not any worse that connecting to that unencrypted hotel network you may have used earlier.

Some potential future vuln predictions here: https://twitter.com/vanhoefm/status/1232738451587555328

Thinking through situations where an attacker might find this useful would be in physically accessing business-local OT networks, like point-of-sale, manufacturing, or other squishy-on-the-inside networks. Expect to see this show up in the next Wifi Pineapple release or in your next pen test physical engagement report.

See More &1 replySee Less

busterb (317) February 27, 2020 2:56pm UTC (4 years ago)

I wonder if simply ignoring deauth frames would be enough to also mitigate this, as in the stayauth option on OpenBSD:: https://man.openbsd.org/ifconfig

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

3.1 Low

Impact Score:

1.4

Exploitability Score:

1.6

Vector:

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector (AV):

Adjacent_network

Attack Complexity (AC):

High

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

Low

Integrity (I):

None

Availability (A):

None

References

Rapid7

Low