Kr00k vulnerabilities / CVE-2019-15126 / CVE-2020-3702
Baptiste Jonglez
baptiste at bitsofnetworks.org
Tue Aug 25 12:42:35 EDT 2020
Hi,
Detailed information about the kr00k vulnerabilities is hard to find.
Here is a WIP recap about it and whether/how OpenWrt is vulnerable.
It's missing lots of information, please contribute if you have any.
I will summarize the results in a wiki page afterwards.
Kr00k v1 (CVE-2019-15126)
=========================
It affects Broadcom / Cypress chips.
https://www.eset.com/int/kr00k/
https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/
Kr00k v2 (CVE-2020-3702)
========================
It affects Mediatek / Qualcomm chips.
https://www.securityweek.com/qualcomm-mediatek-wi-fi-chips-vulnerable-kr00k-attacks
https://www.welivesecurity.com/2020/08/06/beyond-kr00k-even-more-wifi-chips-vulnerable-eavesdropping/
Other links
===========
Repro script: https://github.com/eset/malware-research/tree/master/kr00k
OpenWrt bug report: https://bugs.openwrt.org/index.php?do=details&task_id=3300
Patch status of mac80211
========================
Three fixes are mentioned here: https://www.mail-archive.com/ath10k@lists.infradead.org/msg12635.html
The fixes are included in Linux v5.6. Two of them were backported in 4.19.X
(a4f68ecf733635 and d34dce8d3dbfa7) and released in 4.19.114.
I didn't find a 4.19 backport for the last one ("mac80211: drop data frames
without key on encrypted links").
Assuming the three fixes are enough:
- OpenWrt master: OK (we are using mac80211 5.8)
- OpenWrt 19.07: OK for 2/3 fixes (19.07.3 uses mac80211 4.19.120)
- OpenWrt 18.06: NOK (mac80211 version is 2017-11-01, I'm not sure where
it comes from but it's definitely 3 years old)
Patch status of ath9k
=====================
??
Patch status of ath10k
======================
??
Patch status for mediatek chips
===============================
??
Patch status for broadcom chips
===============================
??