-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.0712.2
        Cisco Wi-Fi Protected Network and Wi-Fi Protected Network 2
                   Information Disclosure Vulnerability
                               26 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Wi-Fi Products
Publisher:         Cisco Systems
Operating System:  Cisco
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        None
CVE Names:         CVE-2019-15126  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-wi-fi-info-disclosure

Revision History:  March    26 2020: Cisco is aware of a proof-of-concept
                                     exploit which is publicly available.
                   February 28 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-20200226-wi-fi-info-disclosure
First Published: 2020 February 27 00:00 GMT
Last Updated:    2020 March 25 20:58 GMT
Version 1.1:     Interim
Workarounds:     No workarounds available

CVE-2019-15126
CWE-326

Summary

  o 
    On February 26th, 2020, researchers Stefan Svorencik and Robert Lipovsky
    disclosed a vulnerability in the implementation of the wireless egress
    packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability
    could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames
    without the knowledge of the Wireless Protected Access (WPA) or Wireless
    Protected Access 2 (WPA2) Pairwise Temporal Key (PTK) used to secure the
    Wi-Fi network.

    The vulnerability exists because after an affected device handles a
    disassociation event it could send a limited number of Wi-Fi frames
    encrypted with a static, weak PTK. An attacker could exploit this
    vulnerability by acquiring these frames and decrypting them with the static
    PTK. A successful exploit could allow the attacker to decrypt Wi-Fi frames
    without the knowledge of the security session establishment used to secure
    the Wi-Fi network.

    Multiple Cisco wireless products are affected by this vulnerability.

    Cisco will release software updates that address this vulnerability. There
    are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20200226-wi-fi-info-disclosure

Affected Products

  o Cisco is investigating its product line to determine which products may be
    affected by this vulnerability. As the investigation progresses, Cisco will
    update this advisory with information about affected products, including
    the ID of the Cisco bug for each affected product.

    For information about whether a product is affected by this vulnerability,
    refer to the Vulnerable Products and Products Confirmed Not Vulnerable 
    sections of this advisory. The Vulnerable Products section includes Cisco
    bug IDs for each affected product. The bugs are accessible through the
    Cisco Bug Search Tool and contain additional platform-specific information,
    including workarounds (if available) and fixed software releases.

    Vulnerable Products

                       Product                     Cisco Bug    Fixed Release
                                                       ID       Availability
              Routing and Switching - Enterprise and Service Provider
    Cisco Connected Grid Routers                   CSCvs87927
                      Routing and Switching - Small Business
    Cisco RV160x and RV260x VPN Routers            CSCvt23810
    Cisco RV340W Dual WAN Gigabit Wireless-AC VPN  CSCvs87875
    Router
    Cisco Small Business RV Series RV110W          CSCvs87870
    Wireless-N VPN Firewall
    Cisco Small Business RV Series RV215W          CSCvs87874
    Wireless-N VPN Router
    Cisco Small Business RV130 Series VPN Routers  CSCvs87871
    Cisco WAP125 Wireless-AC Dual Band Desktop     CSCvs87868
    Access Point with PoE
    Cisco WAP150 Wireless-AC/N Dual Radio Access   CSCvs87877
    Point with PoE
    Cisco WAP361 Wireless-AC/N Dual Radio Wall     CSCvs87877
    Plate Access Point with PoE
    Cisco WAP571 Wireless-AC/N Premium Dual Radio  CSCvs93095
    Access Point with PoE
    Cisco WAP571E Wireless-AC/N Premium Dual Radio CSCvs93095
    Outdoor Access Point
                     Voice and Unified Communications Devices
    Cisco IP Phone 8861                            CSCvs87895
    Cisco Wireless IP Phone 8821                   CSCvs87896
              Video, Streaming, TelePresence, and Transcoding Devices
    Cisco Webex Board (all models)                 CSCvs91690
    Cisco Webex Desk Pro                           CSCvs91690
    Cisco Webex Room Series                        CSCvs91690
                                     Wireless
    Cisco Catalyst 9115 Series Wi-Fi 6 Access      CSCvs87888
    Points
    Cisco Catalyst 9120 Series Access Points       CSCvs87888
    Cisco Small Business 100 Series Wireless-N     CSCvs87879
    Access Points
    Cisco Small Business 300 Series Wireless-N     CSCvs87879
    Access Points

    Products Under Investigation

    Voice and Unified Communications Devices

       DX650 IP Phones - Running Android-based firmware

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Endpoint Clients and Client Software

       Cisco AnyConnect Secure Mobility Client - Network Access Manager

    Routing and Switching - Enterprise and Service Provider

       Cisco 829 Industrial Integrated Services Routers
       Cisco c800 Series Integrated Services Routers

    Routing and Switching - Small Business

       Cisco RV132W ADSL2+ Wireless-N VPN Router
       Cisco RV134W VDSL2 Wireless-AC VPN Router

    Voice and Unified Communications Devices

       Cisco IP Phone 8800 Series with Multiplatform Firmware
       Cisco Unified IP Phone 8961
       Cisco Unified IP Phone 9951
       Cisco Unified IP Phone 9971
       Cisco Unified Wireless IP Phone 7925 and 7926

    Video, Streaming, TelePresence, and Transcoding Devices

       Cisco TelePresence MX Series
       Cisco TelePresence Profile Series
       Cisco TelePresence SX Series
       Cisco TelePresence System EX Series
       Cisco Telepresence Integrator C Series
       Cisco Vision Dynamic Signage Director - SV-4K digital media player

    Wireless

       Cisco Wireless LAN Controller
       Cisco Aironet 1560 Series Access Points
       Cisco Aironet 1810 Series OfficeExtend Access Points
       Cisco Aironet 1810w Series Access Points
       Cisco Aironet 1815 Series Access Points
       Cisco Aironet 1830 Series Access Points
       Cisco Aironet 1850 Series Access Points
       Cisco Aironet 2800 Series Access Points
       Cisco Aironet 3800 Series Access Points

Details

  o When a disassociation event is triggered, an affected device will delete
    the user-configured PTK as part of a sequence of cleanup operations. A
    number of Wi-Fi frames still buffered in the hardware egress queue could
    then be transmitted while encrypted with a static, weak PTK.

    There are two ways to acquire Wi-Fi frames encrypted with the static PTK:

       Triggering the disassociation event by injecting malicious packets into
        the wireless network and capturing the frames sent after the event.
       Passively listening to traffic from the wireless network and capturing
        the frames sent after a disassociation event.

    The frames affected by the weak encryption are the only ones present in the
    hardware egress buffer during the processing of a disassociation event.
    Further frames will not be accepted or queued. Under no circumstances can
    the attacker control the content or number of frames. This limits the
    information that can be obtained in case of successful exploitation of the
    vulnerability described in this advisory.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades , customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page , to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Fixed Releases

    See the Details section in the bug ID(s) in the Vulnerable Products section
    for the most complete and current information.

Exploitation and Public Announcements

  o The vulnerability described in this advisory was discussed during the RSA
    conference of February 26, 2020.

    The Cisco Product Security Incident Response Team (PSIRT) is aware that
    proof-of-concept exploit code is available for the vulnerability that is
    described in this advisory.

    Cisco PSIRT is not aware of any malicious use of the vulnerability that is
    described in this advisory.

Source

  o Security researchers Stefan Svorencik and Robert Lipovsky of ESET have
    reported this vulnerability to the Industry Consortium for Advancement of
    Security on the Internet (ICASI).

    Cisco collaborated with ICASI during the investigation and disclosure of
    this vulnerability. More information can be found at http://www.icasi.org

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy . This document also
    contains instructions for obtaining fixed software and receiving security
    vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
    cisco-sa-20200226-wi-fi-info-disclosure

Revision History

  o +---------+--------------------------+------------+---------+-------------+
    | Version |       Description        |  Section   | Status  |    Date     |
    +---------+--------------------------+------------+---------+-------------+
    | 1.0     | Initial public release.  | -          | Interim | 2020-FEB-26 |
    +---------+--------------------------+------------+---------+-------------+
    |         | Updated Vulnerable       |            |         |             |
    |         | Products, Products       | Vulnerable |         |             |
    |         | Confirmed Not            | Products,  |         |             |
    | 1.1     | Vulnerable, and included | Products   | Interim | 2020-MAR-25 |
    |         | information about        | Confirmed  |         |             |
    |         | publicly available code  | Not        |         |             |
    |         | to exploit this          | Vulnerable |         |             |
    |         | vulnerability.           |            |         |             |
    +---------+--------------------------+------------+---------+-------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXnwUzmaOgq3Tt24GAQg3EQ//Yfn146mVM+hSRthP6QqPJB3FrfMa+EOB
qocqIElYoTeWzH4NKcb6mcHlnNkAYzXdt0qKg4vFcovd2RMaqZguO9GSiITGTVEj
CUIA7NxleGVrPozPsIvES9vUNU2m9JxSof2BRm2dGwgKr1vo1+ppaq1ZmKfC2Ecu
sj+sdxaYrNRLWK0UVqg//bMYE130qpnD2i/P5ow+frFhFIaWr+6rtic5oZoeeDsN
flQp7ePv8W7aRDhFJcZNFx1vLOmXi2IPc54SQJBeKypJqYtRJ9m4iYDOUmJFI/iA
mB6Tcj/DTAf72MkczxonSCtRiIoDS+WDjzO7/vfqxWjl1x54k3PErnfkSsiRvYS2
v4hAauBJod6+o3r7piXUTNpPuY4N/FGZlgubDi+WLneEPcSxP7nIA0d7wW2ULcc4
ijumGeh2DlOEiz8gqi+OcPlbIqcbTvb9e1pTR1tMBH+21CPN8QgTfNALtW+oKk8w
rdgxZSRURR6Nuow6dUUOtMvs72UwWO24JklIJb81Cf3riu+eutMh/3tDH72cv1EP
aiWT+AAzTFYvTieq8ebkS+IvbwJJv/FMhJK+wRpXWEHM3DkjGVE5IkwxAgGwk+qn
dXKxhqks30J/Eki/viR2CB4Y9R+MYQh8ulMbJ4v6pLEyux06bddNQ3aP/cub2xWX
QYutSUehfP0=
=ARcY
-----END PGP SIGNATURE-----