Read the Synopsys Cybersecurity Research Center’s (CyRC) analysis of CVE-2019-18989, CVE-2019-18990, and CVE-2019-18991.
Note: Synopsys was unable to identify a comprehensive list of vulnerable devices and chipsets. The vulnerable chipsets may be embedded in other devices that Synopsys was unable to acquire.
After completing disclosures with each of these manufacturers, Synopsys confirmed their following responses:
Furthermore, Synopsys engaged all the manufacturers of the tested devices as part of this disclosure. After engaging each manufacturer, Synopsys received a response only from Zyxel. However, Mediatek notified D-Link of this matter during the disclosure process. Both D-Link and Zyxel confirmed patches with the fix exist and will be made available.
The vulnerability allows an attacker to inject packet(s) into a WPA2-protected network without knowledge of the preshared key. Upon injection, these packets are routed through the network as would be valid packets, and responses to the injected packets return encrypted. However, since an attacker can control what is sent through the network, they can eventually ascertain if the injected packets successfully reached an active system.
For example, as a proof-of-concept, Synopsys researchers were able to open a UDP port in the router’s NAT by injecting UDP packets into a vulnerable WPA2-protected network. The packets route through the public internet and are eventually received by an attacker-controlled host listening on a defined UDP port. After receiving this response, the attacker-controlled host can use this opened UDP port to communicate back to the vulnerable network.
An attacker can arbitrarily send unencrypted packets and receive encrypted responses. These unencrypted packets are sent from a spoofed MAC address. The vulnerable access point does not drop the plain-text packets and routes them to the network as though they were valid. Response is also received back, but that is encrypted. The only requirement is that there is another properly authenticated client connected to WPA2 network.
Access point manufacturers that include the identified chipset can request patches from Mediatek and Realtek.
End users with access points that include the identified chipset and firmware versions are strongly encouraged to upgrade as quickly as possible or replace vulnerable access points with another access point.
A team of researchers from the Synopsys Cybersecurity Research Center (CyRC) in Oulu, Finland, discovered this issue with Defensics 802.11 WPA AP test suite:
Public disclosure: September 28, 2020