A team of researchers from the Synopsys Cybersecurity Research Center (CyRC) discovered a partial authentication bypass vulnerability in multiple wireless router chipsets. The affected ones Synopsys highlighted are MediaTek, Qualcomm (Atheros), and Realtek chipsets in different devices.
The vulnerability allows an attacker to inject packet(s) into a WPA2-protected network without knowledge of the preshared key. Upon injection, these packets are routed through the network as would be valid packets, and responses to the injected packets return encrypted. However, since an attacker can control what is sent through the network, they can eventually ascertain if the injected packets successfully reached an active system.
Overview
CVE-2019-18989, CVE-2019-18990, and CVE-2019-18991 refer to a partial authentication bypass vulnerability that affects the following chipsets in different devices from the listed manufacturers:
- Mediatek:
- Chipset: MT7620N
- Devices tested: D-Link DWR-116 V1.06(EU)
- Qualcomm (Atheros):
- Chipset: AR9132
- Devices tested: Zyxel NBG460N V3.60(AMX.8)
- Chipset: AR9283
- Devices tested: Buffalo WHR-G300N V2 V1.85 (R1.18/B1.03)
- Chipset: AR9285
- Devices tested: Netgear WNR1000 V.1.0.0.12NA
- Realtek:
- Chipset: RTL8812AR
- Devices tested: D-Link DIR-850L V1.21WW
- Chipset: RTL8196D
- Devices tested: Netwjork N+4G V1.0.0
- Chipset: RTL8881AN
- Devices tested: D-Link DIR-809 Rev A3 V1.09 Rev A2
- Chipset: RTL8192ER
- Devices tested: D-Link DIR-605L H/W: B2 V2.10
Note: Synopsys was unable to identify a comprehensive list of vulnerable devices and chipsets. The vulnerable chipsets may be embedded in other devices that Synopsys was unable to acquire.
After completing disclosures with each of these manufacturers, Synopsys confirmed their following responses:
- Mediatek and Realtek: Patches will be made available upon request.
- Qualcomm (Atheros): The identified chipsets have all reached end-of-life and have been discontinued. Currently supported chipsets have all been verified by the manufacturer as unaffected by this vulnerability.
Furthermore, Synopsys engaged all the manufacturers of the tested devices as part of this disclosure. After engaging each manufacturer, Synopsys received a response only from Zyxel. However, Mediatek notified D-Link of this matter during the disclosure process. Both D-Link and Zyxel confirmed patches with the fix exist and will be made available.
Impact
The vulnerability allows an attacker to inject packet(s) into a WPA2-protected network without knowledge of the preshared key. Upon injection, these packets are routed through the network as would be valid packets, and responses to the injected packets return encrypted. However, since an attacker can control what is sent through the network, they can eventually ascertain if the injected packets successfully reached an active system.
For example, as a proof-of-concept, Synopsys researchers were able to open a UDP port in the router’s NAT by injecting UDP packets into a vulnerable WPA2-protected network. The packets route through the public internet and are eventually received by an attacker-controlled host listening on a defined UDP port. After receiving this response, the attacker-controlled host can use this opened UDP port to communicate back to the vulnerable network.
- CVSSv3 overall score: 6.1
- CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
- CWE-287
Technical details
An attacker can arbitrarily send unencrypted packets and receive encrypted responses. These unencrypted packets are sent from a spoofed MAC address. The vulnerable access point does not drop the plain-text packets and routes them to the network as though they were valid. Response is also received back, but that is encrypted. The only requirement is that there is another properly authenticated client connected to WPA2 network.
Remediation
Access point manufacturers that include the identified chipset can request patches from Mediatek and Realtek.
End users with access points that include the identified chipset and firmware versions are strongly encouraged to upgrade as quickly as possible or replace vulnerable access points with another access point.
Discovery credit
A team of researchers from the Synopsys Cybersecurity Research Center (CyRC) in Oulu, Finland, discovered this issue with Defensics 802.11 WPA AP test suite:
- Tuomo Untinen
- Kari Hulkko
Timeline
- Realtek:
- Initial disclosure: March 8, 2019
- Realtek confirms fix is available: September 19, 2019
- Realtek confirms fix will be made available on demand: October 18, 2019
- Qualcomm (Atheros):
- Initial disclosure: April 29, 2019
- Qualcomm (Atheros) states risk acceptance: October 8, 2019
- Qualcomm (Atheros) reaffirms currently supported versions are unaffected: October 29, 2019
- Mediatek:
- Initial disclosure: July 8, 2019
- Mediatek confirms fix is available: September 25, 2019
- Mediatek confirms D-Link has created a patch: November 7, 2019
- Zyxel:
- Initial engagement: November 19, 2019
- Initial disclosure: November 22, 2019
- Zyxel confirms a fix was created: February 3, 2020
- Other access point manufacturers:
- Initial engagement: November 19, 2019
- Follow up: January 7, 2020