Skip to main content

 

Cisco Meraki Documentation

FullMAC Wi-Fi chipsets vulnerability (kr00k)

Vulnerability Summary

A security vulnerability known as kr00k (CVE ID: CVE-2019-15126, CVSSv3 Base Score: 3.1) was disclosed for Broadcom Wi-Fi client devices on February 26th, 2020. Certain Cisco Meraki products from the MR product family (MR26, MR32, MR34 and MR72) and MX product family (MX64W and MX65W) use these impacted Broadcom chips and are affected by this vulnerability. 

 

This vulnerability could allow a malicious party within the physical range of a Wi-Fi network to capture and decrypt a small amount of sensitive wireless network data at a time. Kr00k does not allow for a full compromise of user communications. If a user's communications are already encrypted, such as visiting websites using HTTPS or using a VPN, those communications still remain encrypted. We have applied Broadcom’s supplied fix internally, but we are still testing to ensure stability and performance. Please see the Fix Information section below for details about the fix’s availability. 

Vulnerability Information

The vulnerability exists due to a bug in how devices with an affected Broadcom chip handle Wi-Fi disassociation events. After a WLAN session is disassociated, a vulnerable device could send a limited number of Wi-Fi data frames encrypted with a static, weak encryption key. An attacker could exploit this vulnerability by acquiring these data frames over time, or by triggering dissociation events, and then decrypting the collected data.

Scope

Affected Cisco Meraki Products: 

  • MR26       

  • MR32       

  • MR34       

  • MR72    

  • MX64W       

  • MX65W

Impact

The bug described by CVE-2019-15126 could allow a malicious party within the range of a Wi-Fi Protected Access 2 (WPA2) network to capture and decrypt several kilobytes of potentially sensitive wireless network packets at a time. In a Wi-Fi WPA2 network, data transferred between devices and access points is encrypted. The kr00k vulnerability could allow for an attacker to capture and read several kilobytes of potentially sensitive data from the network at a time. The specific data exposed would be random, not controlled by the attacker, and based on what was being transferred wirelessly at the time between connected devices. However, a malicious party could repeat collection steps to acquire additional data. 

 

The information revealed over time to a malicious attacker would be similar to what they would see on an open WLAN network without WPA2. It is important to note that successful exploitation of this vulnerability does not allow for a full compromise of user communications. If a user's communications are already encrypted, such as visiting websites using HTTPS or using a VPN, those communications still remain secure.

Fix Information

We have applied Broadcom’s supplied fix internally to our firmware, but we are still testing to ensure stability and performance. We are unfortunately limited in our ability to provide specific dates on when these fixes will become generally available, this page will be updated as additional information becomes available.

 

Please see the table below for fix information for each affected product: 

Product Line Fixed Releases
MR26           
MR32           
MR34           
MR72
Version Fixed In: MR 26.8 or later
 
MX64W           
MX65W
Version Fixed In: MX 15.28 Beta or later

Note: This section will be updated with additional fix information when it becomes available.

Mitigation

There are no mitigations for this vulnerability, a firmware upgrade is required.

 

 


FAQ 

Is Cisco Meraki aware of any exploitation or public discussion of this vulnerability?

There has been public discussion of this vulnerability, as it affects a large range of devices which use the vulnerable Broadcom chip. Researchers also presented publicly about this vulnerability at the RSA Security Conference in February 2020. There are publically available proof of concepts for this vulnerability.

 

How was this vulnerability found?

This vulnerability was discovered by third party researchers at ESET while they were examining Amazon Echoes and Kindles. They presented their research at the RSA Security Conference in February 2020. 

 

How complex is it to execute this exploit?

The Common Vulnerability Scoring System (CVSS) base score for this vulnerability has an attack complexity of High, but the public availability of proof of concept code does decrease the practical complexity of exploiting kr00k. It is important to note that it is not possible to exploit this vulnerability from a fully remote location, a malicious attacker would need to place their own device within the physical range of a target Wi-Fi network in order to exploit this vulnerability.


Are there steps I can take now?

There are no mitigations for this vulnerability, a firmware upgrade is required.

 

How do I secure my network against these vulnerabilities?

Cisco Meraki strongly recommends that affected customers promptly schedule and apply firmware upgrades as they are released.

 

How can I upgrade my firmware to a fixed release?

Customers can use the Firmware Upgrade Tool to schedule firmware upgrades. We have a document detailing this tool here.

 

Are there any devices that will not have the fix available?

No. When the fix is available, all currently supported Cisco Meraki devices will receive the firmware.

  • Was this article helpful?