VN-2020-001 - Wireless "Kr00k" Security Advisory
- Article Type: Vulnerability Notice
A new vulnerability affecting Broadcom wireless chips has been disclosed by security researchers at ESET. It has been named "Kr00k" and is tracked as CVE-2019-15126. Its CVSS score is 3.1 (low), but the vulnerability has received significant media attention because of the breadth of devices potentially impacted. The flaw itself involves a static, hard-coded encryption key of all zeroes, leading to potential information disclosure for a limited set of WiFi traffic.
Products Potentially Affected
HiveOS 10.0r8 and 8.2r6 - vulnerable; will be fixed in 10.0r8a and 8.2r7 respectively
HiveOS 6.5r12 - vulnerable on the AP130, AP230 and AP1130 only; HiveOS 6.5 is EOL on these models, and customers should upgrade to 8.2r7 or 10.0r8a when released.
HiveOS 10.1r3 - March 2020
HiveOS 10.1r5 - June 2020
HiveOS 8.2r7 - April 2020
HiveOS 10.0r8a - June 2020
AP305C/AP410C - HiveOS 10.1r3
AP650/AP510C - will be fixed in 10.0r9a or 10.1r5
WiNG 7.3.1 and onwards are not affected
WiNG 7.3.0 – WiNG 220.127.116.11 in April 2020
WiNG 18.104.22.168 will contain the patch - March 2020 (aligned with XCA 4.56.09)
WiNG 5.8 and 5.9 - vulnerable. Patch releases will be made as follows:
AP510i/e, AP560i/h - vulnerable; fixed in WiNG 22.214.171.124
AP8533, AP8432 - vulnerable; fixed in the WiNG 5.8 or WiNG 5.9 patch releases above
AP7532/AP7522/AP7562 - vulnerable; fixed in the WiNG 5.8 or WiNG 5.9 patch releases above
AP7622/02 - vulnerable; fixed in WiNG 126.96.36.199
AP3912/3915/3916/3917/3935/3965/7612/7632/7662/8163 - not affected
AP3801/3805/3825/3865 - not affected
AP6532/22 - not affected
Upgrading to the patch releases is the best path to fixing the vulnerability. As noted above, however, Kr00k is a low-severity vulnerability, and most application-layer traffic is encrypted independently of the WiFi layer. This mitigates the risk and is one reason the CVSS score is low.
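As an added example that is not part of this advisory, the following Python script maps HiveOS version strings against the fixed releases named above, so that an access-point inventory export can be triaged for units still running affected builds. Two things are assumptions rather than statements from the advisory: the version scheme (major.minor, then r and a release number, with an optional letter suffix ordering after the bare release), and the rule that every release in a branch below the listed fix counts as affected (the advisory itself names only 10.0r8 and 8.2r6 as vulnerable). The inventory rows are constructed sample data, and the WiNG products are left out because their fixed version numbers are not legible on this page.

```python
"""Triage HiveOS access points against the Kr00k fixed releases listed in VN-2020-001."""
import re

# Fixed release per HiveOS branch, taken from the advisory text.
# Assumption: any release of a branch below its fixed release is affected.
FIXED_RELEASE = {
    (10, 0): "10.0r8a",
    (8, 2): "8.2r7",
    (10, 1): "10.1r3",
}

# HiveOS 6.5r12 is listed as vulnerable on these models only, with no
# in-branch fix (the advisory points customers to 8.2r7 / 10.0r8a).
EOL_AFFECTED_MODELS = {"AP130", "AP230", "AP1130"}

# Assumed HiveOS version format: <major>.<minor>r<release>[<letter>]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)r(\d+)([a-z]?)$")


def parse_hiveos_version(version):
    """Turn e.g. '10.0r8a' into (10, 0, 8, 1) so tuples compare in release order.

    The trailing letter is ranked after the bare release ('10.0r8' < '10.0r8a').
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised HiveOS version: %r" % version)
    major, minor, release, suffix = m.groups()
    suffix_rank = (ord(suffix) - ord("a") + 1) if suffix else 0
    return (int(major), int(minor), int(release), suffix_rank)


def assess(model, version):
    """Return 'vulnerable', 'fixed', 'not-affected' or 'unknown' for one AP."""
    parsed = parse_hiveos_version(version)
    branch = parsed[:2]
    if branch == (6, 5):
        # Assumption: the whole 6.5 branch behaves like the listed 6.5r12.
        return "vulnerable" if model.upper() in EOL_AFFECTED_MODELS else "not-affected"
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return "unknown"  # branch not covered by the advisory table above
    return "fixed" if parsed >= parse_hiveos_version(fixed) else "vulnerable"


# Constructed sample inventory: model/version pairs made up for this example.
SAMPLE_INVENTORY = [
    ("AP230", "10.0r8"),
    ("AP230", "10.0r8a"),
    ("AP130", "6.5r12"),
    ("AP410C", "6.5r12"),
    ("AP1130", "8.2r6"),
    ("AP305C", "10.1r3"),
]


def triage(inventory):
    """Annotate each (model, version) row with its assessment."""
    return [(model, version, assess(model, version)) for model, version in inventory]


if __name__ == "__main__":
    for model, version, status in triage(SAMPLE_INVENTORY):
        print("%-8s %-9s %s" % (model, version, status))
```

The version parser is the part worth getting right: a naive string comparison would rank "10.0r8a" before "10.0r8" or misplace "8.2r7" relative to "10.0r8", so the tuple form is what makes the "below the fixed release" rule safe to apply to an inventory export.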
This advisory notice is provided on an “as is” basis and Extreme Networks makes no representations or warranties of any kind, expressly disclaiming the warranties of merchantability or fitness for a particular use. Use of the information provided herein or materials linked from this advisory notice is at your own risk. Extreme Networks reserves the right to change or update this document at any time, and expects to update this document as new information becomes available. The information provided herein is applicable to current Extreme Networks products identified herein and is not intended to be any representation of future functionality or compatibility with any third-party technologies referenced herein. This notice shall not change any contract or agreement that you have entered into with Extreme Networks.