Kr00k vulnerabilities / CVE-2019-15126 / CVE-2020-3702

Baptiste Jonglez baptiste at bitsofnetworks.org
Tue Aug 25 12:42:35 EDT 2020


Hi,

Detailed information about the kr00k vulnerabilities is hard to find.
Here is a WIP recap about it and whether/how OpenWrt is vulnerable.

It's missing lots of information, please contribute if you have any.

I will summarize the results in a wiki page afterwards.


Kr00k v1 (CVE-2019-15126)
=========================

It affects Broadcom / Cypress chips.

https://www.eset.com/int/kr00k/
https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/


Kr00k v2 (CVE-2020-3702)
========================

It affects Mediatek / Qualcomm chips.

https://www.securityweek.com/qualcomm-mediatek-wi-fi-chips-vulnerable-kr00k-attacks
https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/


Other links
===========

Repro script: https://github.com/eset/malware-research/tree/master/kr00k
OpenWrt bug report: https://bugs.openwrt.org/index.php?do=details&task_id=3300


Patch status of mac80211
========================

Three fixes are mentioned here: https://www.mail-archive.com/ath10k@lists.infradead.org/msg12635.html

The fixes are included in linux v5.6.  Two of them were backported in 4.19.X
(a4f68ecf733635 and d34dce8d3dbfa7) and released in 4.19.114.

I didn't find a 4.19 backport for the last one ("mac80211: drop data frames
without key on encrypted links").

Assuming the three fixes are enough:

- OpenWrt master: OK (we are using mac80211 5.8)

- OpenWrt 19.07: OK for 2/3 fixes (19.07.3 uses mac80211 4.19.120)

- OpenWrt 18.06: NOK (mac80211 version is 2017-11-01, I'm not sure where
  it comes from but it's definitely 3 years old)


Patch status of ath9k
=====================

??


Patch status of ath10k
======================

??


Patch status for mediatek chips
===============================

??


Patch status for broadcom chips
===============================

??
