At the RSA 2020 security conference in San Francisco researchers from a Slovak antivirus company, ESET,  presented details about a new Wi-Fi communications vulnerability. Kr00k – formally known as CVE-2019-15126 – is a vulnerability in Broadcom and Cypress Wi-Fi radio chips that allow unauthorized decryption of some WPA2-encrypted traffic.

First, the bad news, this vulnerability affects all unpatched devices that use these chipsets, and it literally affects billion of Wi-Fi client devices, including Amazon Echos and Kindles, Apple iPhones and iPads, Samsung Galaxy devices and many more. Additionally, this vulnerability affects the radios in many access points, including some models of Extreme APs that use a Broadcom chipset.

Now the good news, this vulnerability is low-risk, and there is no reason to panic because simple firmware patches will address the problem. The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS assigns severity scores to vulnerabilities, which helps responders prioritize responses to security threats. As you can see in Figure 1, the CVSS score of 3.1 for Kr00K is considered low. For reference purposes, the KRACKattack discovered by Belgian researchers Mathy Vanhoef and Frank Piessens in 2017 has a medium security risk severity score of 6.8

Even though Kr00k is a low-risk vulnerability, rest assured that Extreme Networks and our peers in the industry take this risk very seriously. We are already working on patches for our affected APs, and we will have updates to address this vulnerability very soon. To stay updated on affected APs and the soon to be delivered patches, please reference this Extreme Networks Security Advisory: http://bit.ly/Kr00K

What exactly are the risks due to Kr00k vulnerability? Without getting too detailed, this vulnerability can be exploited during a MAC-level process known as disassociation, which is the very short window of time when a client and AP terminate a Wi-Fi connection between the two devices. During disassociation of the Wi-Fi client, encryption keys are deleted immediately and replaced by an all-zeros key. The hardware does not accept further Wi-Fi traffic for transmission, but traffic already in the transmission queue is not flushed immediately. For a brief instance, frames already buffered in the hardware transmit queue will be encrypted using the all-zeros key and then transmitted. An attacker monitoring this transmission could decrypt a few frames. In other words, the worst-case scenario is that only a few frames are decrypted, so the risk of exposure of any vital information is minimal. However, a black-hat attacker could gain access to several kilobytes of sensitive data, especially if the attacker initiated the disassociation process repeatedly.

Also, Kr00k is not tied to either an 802.1X or PSK password. Therefore, the vulnerability does not affect password security, and changing it does not hamper the ability of attackers trying to exploit the vulnerability. Also, be aware that implementing management frame protection (MFP) does not prevent this attack. The resolution is a firmware patch. Full details about Kr00k are available from ESET at https://www.eset.com/int/kr00k/.

Now let’s talk about what the Kr00K vulnerability does not put at risk. An attacker CANNOT accomplish any of the following:

  • Corrupt AP memory
  • Create AP buffer overflows
  • Insert or execute malware code onto the AP
  • Inject data frames
  • Obtain the original encryption key
  • Decrypt any other frames other than the few frames from the short disassociation event
  • Decrypt packets protected by SSL/TLS encryption

Much like all Wi-Fi security vulnerabilities and attacks, the actual risks and potential threats tend to be amplified by the media. And due to the bombastic nature of the Internet, sometimes disinformation causes unneeded worry and panic. I am sure everyone reading this blog has also been closely following the news about the public health threat from Coronavirus (COVID 19), which continues to spread globally. Sadly, there have already been some misguided analogies between Kr00k and the Coronavirus. Let us try and keep everything in perspective. 

Originally published on the Extreme Networks Blog, by David Coleman, March 3, 2020

Share