Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.0712
Cisco Wi-Fi Protected Network and Wi-Fi Protected Network 2
Information Disclosure Vulnerability
28 February 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Cisco Wi-Fi Products
Publisher: Cisco Systems
Operating System: Cisco
Impact/Access: Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: None
CVE Names: CVE-2019-15126
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200226-wi-fi-info-disclosure
- --------------------------BEGIN INCLUDED TEXT--------------------
Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure
Vulnerability
Priority: Medium
Advisory ID: cisco-sa-20200226-wi-fi-info-disclosure
First Published: 2020 February 27 00:00 GMT
Version 1.0: Interim
Workarounds: No workarounds available
CVE-2019-15126
CWE-326
Summary
o
On February 26th, 2020, researchers Stefan Svorencik and Robert Lipovsky
disclosed a vulnerability in the implementation of the wireless egress
packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability
could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames
without the knowledge of the Wireless Protected Access (WPA) or Wireless
Protected Access 2 (WPA2) Pairwise Temporal Key (PTK) used to secure the
Wi-Fi network.
The vulnerability exists because after an affected device handles a
disassociation event it could send a limited number of Wi-Fi frames
encrypted with a static, weak PTK. An attacker could exploit this
vulnerability by acquiring these frames and decrypting them with the static
PTK. A successful exploit could allow the attacker to decrypt Wi-Fi frames
without the knowledge of the security session establishment used to secure
the Wi-Fi network.
Multiple Cisco wireless products are affected by this vulnerability.
Cisco will release software updates that address this vulnerability. There
are no workarounds that addresses this vulnerability.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20200226-wi-fi-info-disclosure
Affected Products
o Cisco is investigating its product line to determine which products may be
affected by this vulnerability. As the investigation progresses, Cisco will
update this advisory with information about affected products, including
the ID of the Cisco bug for each affected product.
For information about whether a product is affected by this vulnerability,
refer to the Vulnerable Products and Products Confirmed Not Vulnerable
sections of this advisory. The Vulnerable Products section includes Cisco
bug IDs for each affected product. The bugs are accessible through the
Cisco Bug Search Tool and contain additional platform-specific information,
including workarounds (if available) and fixed software releases.
Vulnerable Products
Product Cisco Bug
ID
Routing and Switching - Enterprise and Service Provider
Cisco Connected Grid Routers CSCvs87927
Routing and Switching - Small Business
Cisco RV340W Dual WAN Gigabit Wireless-AC VPN Router CSCvs87875
Cisco Small Business RV Series RV110W Wireless-N VPN Firewall CSCvs87870
Cisco Small Business RV Series RV215W Wireless-N VPN Router CSCvs87874
Cisco Small Business RV130 Series VPN Routers CSCvs87871
Cisco WAP125 Wireless-AC Dual Band Desktop Access Point with CSCvs87868
PoE
Cisco WAP150 Wireless-AC/N Dual Radio Access Point with PoE CSCvs87877
Cisco WAP361 Wireless-AC/N Dual Radio Wall Plate Access Point CSCvs87877
with PoE
Cisco WAP571 Wireless-AC/N Premium Dual Radio Access Point with CSCvs93095
PoE
Cisco WAP571E Wireless-AC/N Premium Dual Radio Outdoor Access CSCvs93095
Point
Cisco WAP581 Wireless-AC Dual Radio Wave 2 Access Point CSCvs87868
Voice and Unified Communications Devices
Cisco Wireless IP Phone 8821 CSCvs87896
Wireless
Cisco Catalyst 9115 Series Wi-Fi 6 Access Points CSCvs87888
Cisco Catalyst 9120 Series Access Points CSCvs87888
Products Under Investigation
Voice and Unified Communications Devices
Cisco DX70, DX80, and DX650 IP Phones - Running Android-based firmware
Cisco IP Phone 8861
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Endpoint Clients and Client Software
Cisco AnyConnect Secure Mobility Client - Network Access Manager
Routing and Switching - Enterprise and Service Provider
Cisco 829 Industrial Integrated Services Routers
Cisco c800 Series Integrated Services Routers
Routing and Switching - Small Business
Cisco RV132W ADSL2+ Wireless-N VPN Router
Cisco RV134W VDSL2 Wireless-AC VPN Router
Voice and Unified Communications Devices
Cisco IP Phone 8800 Series with Multiplatform Firmware
Cisco Unified IP Phone 8961
Cisco Unified IP Phone 9951
Cisco Unified IP Phone 9971
Cisco Unified Wireless IP Phone 7925 and 7926
Cisco Webex Board (formerly Cisco Spark Board)
Video, Streaming, TelePresence, and Transcoding Devices
Cisco TelePresence MX Series
Cisco TelePresence Profile Series
Cisco TelePresence SX Series
Cisco TelePresence System EX Series
Cisco Telepresence Integrator C Series
Cisco Vision Dynamic Signage Director - SV-4K digital media player
Wireless
Cisco Wireless LAN Controller
Cisco Aironet 1560 Series Access Points
Cisco Aironet 1810 Series OfficeExtend Access Points
Cisco Aironet 1810w Series Access Points
Cisco Aironet 1815 Series Access Points
Cisco Aironet 1830 Series Access Points
Cisco Aironet 1850 Series Access Points
Cisco Aironet 2800 Series Access Points
Cisco Aironet 3800 Series Access Points
Details
o When a disassociation event is triggered, an affected device will delete
the user-configured PTK as part of a sequence of cleanup operations. A
number of Wi-Fi frames still buffered in the hardware egress queue could
then be transmitted while encrypted with a static, weak PTK.
There are two ways to acquire Wi-Fi frames encrypted with the static PTK:
Triggering the disassociation event by injecting malicious packets into
the wireless network and capturing the frames sent after the event.
Passively listening to traffic from the wireless network and capturing
the frames sent after a disassociation event.
The frames affected by the weak encryption are the only ones present in the
hardware egress buffer during the processing of a disassociation event.
Further frames will not be accepted or queued. Under no circumstances can
the attacker control the content or number of frames. This limits the
information that can be obtained in case of successful exploitation of the
vulnerability described in this advisory.
Workarounds
o There are no workarounds that address this vulnerability.
Fixed Software
o When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories and Alerts page , to determine exposure and a
complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Fixed Releases
See the Details section in the bug ID(s) in the Vulnerable Products section
for the most complete and current information.
Exploitation and Public Announcements
o The vulnerability described in this advisory was discussed during the RSA
conference of February 26, 2020.
The Cisco Product Security Incident Response Team (PSIRT) is not aware of
any public announcements or malicious use of the vulnerability that is
described in this advisory.
Source
o Security researchers Stefan Svorencik and Robert Lipovsky of ESET have
reported this vulnerability to the Industry Consortium for Advancement of
Security on the Internet (ICASI).
Cisco collaborated with ICASI during the investigation and disclosure of
these vulnerabilities. More information can be found at http://
www.icasi.org
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/
cisco-sa-20200226-wi-fi-info-disclosure
Revision History
o +----------+---------------------------+----------+--------+--------------+
| Version | Description | Section | Status | Date |
+----------+---------------------------+----------+--------+--------------+
| 1.0 | Initial public release. | - | Final | 2020-FEB-26 |
+----------+---------------------------+----------+--------+--------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXlhYi2aOgq3Tt24GAQh67Q//QYgsL4cpn5fF15kmUhFXsXDcyLSVoc32
B9tXy9aGfPRcKwPNN3+YxJAUxwvP5jygS1CidbLxooETB7L9jRa4/T7CrWPdE9N/
BLOAF0CxkgX9R9UBw+FrJQq+lVfIGgyaJg+NH1BAdrIYA2DlaGrAPIaS4DTd98t5
3aiE3BbIgMKU/59kgIyomHIMIn2FbOsjX0Zct4Un6NkWkVcoi1ITPpvUQ25abZ7f
YnxmKhL4MH626NoNjzq7BGT2JSZE+3c8s4o2EdQq5m5R1ql288Lj7Y3CLEv6ma/f
ngu5yMYwCntZ6/yrjaLh8PdRhrHOiP3eAmydM0EIRgy/vNRXAEucYXJjaidxlyBW
Z33Jv6h8y6fadq2YWqr0Z+eDyEOJYEOkbEwqQcpu7TuZ2YhlIUdKIAxDehm1uTL/
G3ikgtC22eksJfe30qSx9GvyuWmhVZCARXCMQSUGCnynp4u0GZS9gGoPjW/t3QeA
fxz3XowhHM/n212kdifJHMmWjkrZSAH8oRkO34wMZZkPidJhrBvo0EcldxfMPvEK
dMpCMwyj82udgJYe9oIG0QGATz165GVyR7oS/0C9qV4LXaaqVtXW1yGgz0y1aNYL
gyCASlDyuR/SM2KCy22yy83LayrmAN8staR5BCDLBEhX345++b6V2+82SxVyuSNu
X3pLKzrTzag=
=Igpw
-----END PGP SIGNATURE-----