Details of an authentication bypass vulnerability present in multiple wireless router chipsets have been set out in an advisory published by
Synopsys CyRC. Referred to as CVE-2019-18989, CVE-2019-18990 and CVE-2019-18991, the vulnerability affects a variety of chipsets in different devices across three manufacturers:
Mediatek,
Qualcomm and
Realtek.
Attackers can exploit the partial authentication bypass vulnerability by injecting packets into a WPA2-protected network without knowledge of the preshared key. These packets are subsequently routed through the network in the same way valid packets would be. While responses to the injected packets return encrypted, attackers can eventually find out if the injected packets successfully reached an active system because they have control of what is sent through the network.
Synopsys also detailed a proof-of-concept example, in which it opened a UDP port in the router’s NAT by injecting UDP packets into a vulnerable WPA2-protected network. It said an attacker-controlled host listening on a defined UDP port can then receive the packets when they pass through the public internet. This host can then use this opened UDP port to communicate back to the vulnerable network.
The Synopsys researchers explained: “An attacker can arbitrarily send unencrypted packets and receive encrypted responses. These unencrypted packets are sent from a spoofed MAC address. The vulnerable access point does not drop the plain-text packets and routes them to the network as though they were valid. Response is also received back, but that is encrypted. The only requirement is that there is another properly authenticated client connected to WPA2 network.” They added: “End users with access points that include the identified chipset and firmware versions are strongly encouraged to upgrade as quickly as possible or replace vulnerable access points with another access point.”