Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.0712.3 Cisco Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability 30 April 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco Wi-Fi Products Publisher: Cisco Systems Operating System: Cisco Impact/Access: Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: None CVE Names: CVE-2019-15126 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-wi-fi-info-disclosure Revision History: April 30 2020: Vendor udated vulnerable products in advisory March 26 2020: Cisco is aware of a proof-of-concept exploit which is publicly available. February 28 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability Priority: Medium Advisory ID: cisco-sa-20200226-wi-fi-info-disclosure First Published: 2020 February 27 00:00 GMT Last Updated: 2020 April 28 22:24 GMT Version 1.2: Interim Workarounds: No workarounds available CVE-2019-15126 CWE-326 CVSS Score: 4.3 AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:X Summary o On February 26th, 2020, researchers Stefan Svorencik and Robert Lipovsky disclosed a vulnerability in the implementation of the wireless egress packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames without the knowledge of the Wireless Protected Access (WPA) or Wireless Protected Access 2 (WPA2) Pairwise Temporal Key (PTK) used to secure the Wi-Fi network. The vulnerability exists because after an affected device handles a disassociation event it could send a limited number of Wi-Fi frames encrypted with a static, weak PTK. An attacker could exploit this vulnerability by acquiring these frames and decrypting them with the static PTK. A successful exploit could allow the attacker to decrypt Wi-Fi frames without the knowledge of the security session establishment used to secure the Wi-Fi network. Multiple Cisco wireless products are affected by this vulnerability. Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20200226-wi-fi-info-disclosure Affected Products o Cisco is investigating its product line to determine which products may be affected by this vulnerability. As the investigation progresses, Cisco will update this advisory with information about affected products, including the ID of the Cisco bug for each affected product. For information about whether a product is affected by this vulnerability, refer to the Vulnerable Products and Products Confirmed Not Vulnerable sections of this advisory. The Vulnerable Products section includes Cisco bug IDs for each affected product. The bugs are accessible through the Cisco Bug Search Tool and contain additional platform-specific information, including workarounds (if available) and fixed software releases. Vulnerable Products Product Cisco Bug Fixed Release ID Availability Routing and Switching - Enterprise and Service Provider Cisco Connected Grid Routers CSCvs87927 Routing and Switching - Small Business Cisco RV160x and RV260x VPN Routers CSCvt23810 Cisco RV340W Dual WAN Gigabit Wireless-AC VPN CSCvs87875 Router Cisco Small Business RV Series RV110W CSCvs87870 Wireless-N VPN Firewall Cisco Small Business RV Series RV215W CSCvs87874 Wireless-N VPN Router Cisco Small Business RV130 Series VPN Routers CSCvs87871 Cisco WAP125 Wireless-AC Dual Band Desktop CSCvs87868 Access Point with PoE Cisco WAP150 Wireless-AC/N Dual Radio Access CSCvs87877 Point with PoE Cisco WAP361 Wireless-AC/N Dual Radio Wall CSCvs87877 Plate Access Point with PoE Cisco WAP571 Wireless-AC/N Premium Dual Radio CSCvs93095 Access Point with PoE Cisco WAP571E Wireless-AC/N Premium Dual Radio CSCvs93095 Outdoor Access Point Voice and Unified Communications Devices Cisco IP Phone 8861 CSCvs87895 Cisco Wireless IP Phone 8821 CSCvs87896 Video, Streaming, TelePresence, and Transcoding Devices Cisco Webex Board (all models) CSCvs91690 Cisco Webex Desk Pro CSCvs91690 Cisco Webex Room Series CSCvs91690 Wireless Cisco Catalyst 9115 Series Wi-Fi 6 Access CSCvs87888 Points Cisco Catalyst 9120 Series Access Points CSCvs87888 Cisco Small Business 100 Series Wireless-N CSCvs87879 Access Points Cisco Small Business 300 Series Wireless-N CSCvs87879 Access Points Cisco Meraki MR26 N/A Cisco Meraki MR32 N/A Cisco Meraki MR34 N/A Cisco Meraki MR72 N/A Security Cisco Meraki MX64W N/A Cisco Meraki MX65W N/A For additional information about the impact of this vulnerability on Cisco Meraki, see the Cisco Meraki Customer Advisories . Products Under Investigation Voice and Unified Communications Devices DX650 IP Phones - Running Android-based firmware Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Endpoint Clients and Client Software Cisco AnyConnect Secure Mobility Client - Network Access Manager Routing and Switching - Enterprise and Service Provider Cisco 829 Industrial Integrated Services Routers Cisco c800 Series Integrated Services Routers Routing and Switching - Small Business Cisco RV132W ADSL2+ Wireless-N VPN Router Cisco RV134W VDSL2 Wireless-AC VPN Router Voice and Unified Communications Devices Cisco IP Phone 8800 Series with Multiplatform Firmware Cisco Unified IP Phone 8961 Cisco Unified IP Phone 9951 Cisco Unified IP Phone 9971 Cisco Unified Wireless IP Phone 7925 and 7926 Video, Streaming, TelePresence, and Transcoding Devices Cisco TelePresence MX Series Cisco TelePresence Profile Series Cisco TelePresence SX Series Cisco TelePresence System EX Series Cisco Telepresence Integrator C Series Cisco Vision Dynamic Signage Director - SV-4K digital media player Wireless Cisco Wireless LAN Controller Cisco Aironet 1560 Series Access Points Cisco Aironet 1810 Series OfficeExtend Access Points Cisco Aironet 1810w Series Access Points Cisco Aironet 1815 Series Access Points Cisco Aironet 1830 Series Access Points Cisco Aironet 1850 Series Access Points Cisco Aironet 2800 Series Access Points Cisco Aironet 3800 Series Access Points Details o When a disassociation event is triggered, an affected device will delete the user-configured PTK as part of a sequence of cleanup operations. A number of Wi-Fi frames still buffered in the hardware egress queue could then be transmitted while encrypted with a static, weak PTK. There are two ways to acquire Wi-Fi frames encrypted with the static PTK: Triggering the disassociation event by injecting malicious packets into the wireless network and capturing the frames sent after the event. Passively listening to traffic from the wireless network and capturing the frames sent after a disassociation event. The frames affected by the weak encryption are the only ones present in the hardware egress buffer during the processing of a disassociation event. Further frames will not be accepted or queued. Under no circumstances can the attacker control the content or number of frames. This limits the information that can be obtained in case of successful exploitation of the vulnerability described in this advisory. Workarounds o There are no workarounds that address this vulnerability. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Fixed Releases See the Details section in the bug ID(s) in the Vulnerable Products section for the most complete and current information. Exploitation and Public Announcements o The vulnerability described in this advisory was discussed during the RSA conference of February 26, 2020. The Cisco Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory. Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory. Source o Security researchers Stefan Svorencik and Robert Lipovsky of ESET have reported this vulnerability to the Industry Consortium for Advancement of Security on the Internet (ICASI). Cisco collaborated with ICASI during the investigation and disclosure of this vulnerability. More information can be found at http://www.icasi.org Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/ cisco-sa-20200226-wi-fi-info-disclosure Revision History o +---------+--------------------------+------------+---------+-------------+ | Version | Description | Section | Status | Date | +---------+--------------------------+------------+---------+-------------+ | | Updated Vulnerable | | | | | | Products, and included | | | | | 1.2 | information about the | Vulnerable | Interim | 2020-APR-28 | | | impact of this | Products | | | | | vulnerability on Cisco | | | | | | Meraki products. | | | | +---------+--------------------------+------------+---------+-------------+ | | Updated Vulnerable | | | | | | Products, Products | Vulnerable | | | | | Confirmed Not | Products, | | | | 1.1 | Vulnerable, and included | Products | Interim | 2020-MAR-25 | | | information about | Confirmed | | | | | publicly available code | Not | | | | | to exploit this | Vulnerable | | | | | vulnerability. | | | | +---------+--------------------------+------------+---------+-------------+ | 1.0 | Initial public release. | - | Interim | 2020-FEB-26 | +---------+--------------------------+------------+---------+-------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXqp1OmaOgq3Tt24GAQjTrA/+K92jZXqXl+2bZOci0B0FufPKIdCS0pAN uP7BdPUepbl0j6Cv0fW1LUM+vD4Y6tfLBhvCaReQW2eTeKFWg03JmMqrv2OLGXR7 2ohqSUJtnsjgJcCc6T454qt6C/aVV1xKaKeSqRI2DcPZoCx45uzBeLcODIn52l1N U+DsefKQE/WxVNKPPZos4+LUCFqsbctfKExlgFGd/NoMpMT2nE+38YsrF1iARvob x9wt2pE/sxXKrUFugOZUAd6bTI2+j6RECb8jO/8Us1BEdsx2BQXhH5WbirkgbKMC 2AdVw6IWanbN4G3hdb/Ib99RjZpOxxFBYqsO19DseEHY1uIYEPRNXzi+pTss+Bpw 6jc6EqtbmYprY3SHxZfb9YRiQllwMzw8ua4fOXlgE9tsNglhMwmwRv54vcxPU0Hm D1MJP+Ti155fvxZlp8DXMe/yWjN5DqfWk59Ag1Qyh1yoB3K3VUPDENc9ad+tJ9za 8ErLLlWw5Kj4y3+wVwam9OvRgiW8wsFkIRuxs2PYruCSDxQFoqrwFRANQvpyht32 UYbs+bQz880WfVd9CEQNM2n1JUgsNom8/C9zG94TMLgWch/2Vo2xH+SJ4cz+soDt KNjWcI0gFfTIiTtA1AAWjlLo4hEAFFuph7E0NQlpA4mKSN3r/+ljlxrcPj6AleZm 5cKM6r+yGIA= =g3Vy -----END PGP SIGNATURE-----