D-Link Forums

Announcements => Security Advisories => Topic started by: GreenBay42 on March 06, 2020, 08:15:26 AM

Title: KrØØk: Serious vulnerability affected encryption of billion+ Wi‑Fi devices
Post by: GreenBay42 on March 06, 2020, 08:15:26 AM
For the latest information regarding Krook's impact on D-Link products, please visit https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10162

D-Link Response:
ESET researchers recently reported that an industry-wide vulnerability named KrØØk could potentially affect devices with Broadcom Wi-Fi chips. D-Link is currently investigating the issue with Broadcom to understand the potential impact on D-Link devices. Meanwhile, we strongly advise D-Link device owners to use encrypted connection methods such as HTTPS, SSH, or POP3S to minimize their risk of being hacked. We will provide updates as soon as we have more information.
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates regularly.

ESET Article: https://www.welivesecurity.com/2020/02/26/krook-serious-vulnerability-affected-encryption-billion-wifi-devices/

Tests confirmed that prior to patching, some client devices by Amazon (Echo, Kindle), Apple (iPhone, iPad, MacBook), Google (Nexus), Samsung (Galaxy), Raspberry (Pi 3), Xiaomi (RedMi), as well as some access points by Asus and Huawei, were vulnerable to KrØØk. This totaled over a billion Wi-Fi-capable devices and access points, at a conservative estimate. Further, many other vendors whose products we did not test also use the affected chipsets in their devices.

The vulnerability affects both WPA2-Personal and WPA2-Enterprise protocols, with AES-CCMP encryption.

NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-15126
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15126
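The post says KrØØk breaks WPA2 with AES-CCMP and that higher-layer encryption (HTTPS, SSH, POP3S) is the interim defence, but not why the link-layer protection fails. The mechanism, per the linked ESET write-up, is that an affected chip clears its temporal key (TK) to all zeros when a disassociation is processed, yet still transmits any data frames left in its queue, now encrypted under that zero key. The following is an added example, not code from the forum post, ESET, D-Link or Broadcom. It models that sequence with a simplified CCMP encapsulation (the real nonce layout of priority octet, transmitter address and packet number is kept; the AAD is a constructed stand-in for the masked 802.11 header), uses the `cryptography` package (`pip install cryptography`), and all keys, addresses and payloads are constructed for the demonstration.

```python
"""Constructed illustration of the KrØØk (CVE-2019-15126) failure mode.

Two data frames are protected with AES-CCMP.  The first goes out under the
negotiated temporal key (TK).  A disassociation is then processed; on an
affected chip the TK held by the crypto engine is cleared to all zeros while
a frame still sitting in the transmit queue is sent anyway, encrypted under
that zero key.  An eavesdropper who captures both can recover only the second.
"""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

TK_LEN = 16                 # CCMP-128 temporal key
MIC_LEN = 8                 # CCMP MIC (authentication tag) length
ZERO_TK = bytes(TK_LEN)     # what the engine holds after the key is cleared

# Constructed session parameters; not taken from any real capture.
REAL_TK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
CLIENT_MAC = bytes.fromhex("02aabbccddee")
# Simplified stand-in for the CCMP AAD, which real frames build from the
# masked 802.11 MAC header.
AAD = b"\x08\x41" + CLIENT_MAC


def ccmp_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-byte CCMP nonce: priority octet || transmitter address A2 || 48-bit PN."""
    if len(a2) != 6 or not 0 <= pn < 2 ** 48:
        raise ValueError("bad nonce inputs")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


def ccmp_protect(tk: bytes, a2: bytes, pn: int, aad: bytes, payload: bytes) -> bytes:
    """Return ciphertext || 8-byte MIC, as carried after the CCMP header."""
    return AESCCM(tk, tag_length=MIC_LEN).encrypt(ccmp_nonce(0, a2, pn), payload, aad)


def ccmp_unprotect(tk: bytes, a2: bytes, pn: int, aad: bytes, protected: bytes):
    """Return the payload, or None when the MIC does not verify under tk."""
    try:
        return AESCCM(tk, tag_length=MIC_LEN).decrypt(ccmp_nonce(0, a2, pn), protected, aad)
    except InvalidTag:
        return None


class AffectedClient:
    """Minimal model of a station whose chip shows the KrØØk behaviour."""

    def __init__(self, mac: bytes, tk: bytes):
        self.mac, self.tk, self.pn, self.queue = mac, tk, 0, []

    def queue_frame(self, payload: bytes) -> None:
        self.queue.append(payload)

    def on_disassociation(self) -> None:
        # The bug: the key is zeroed, but the transmit queue is not flushed.
        self.tk = ZERO_TK

    def transmit(self) -> list:
        """Send queued frames; returns what an eavesdropper would capture."""
        captured = []
        for payload in self.queue:
            self.pn += 1
            protected = ccmp_protect(self.tk, self.mac, self.pn, AAD, payload)
            captured.append((self.mac, self.pn, AAD, protected))
        self.queue.clear()
        return captured


def kr00k_recover(captured: list) -> list:
    """Attacker side: try the all-zero TK against every captured frame."""
    return [ccmp_unprotect(ZERO_TK, a2, pn, aad, prot) for a2, pn, aad, prot in captured]


def demo() -> dict:
    client = AffectedClient(CLIENT_MAC, REAL_TK)
    client.queue_frame(b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n")
    captured = client.transmit()                  # sent under the real TK
    client.queue_frame(b"POST /login HTTP/1.1\r\n\r\nuser=alice&password=hunter2")
    client.on_disassociation()                    # lands while the POST is still queued
    captured += client.transmit()                 # goes out under the zero TK
    leaked = kr00k_recover(captured)
    # The legitimate AP still holds the real TK, so the zero-key frame fails
    # its MIC there and is dropped: it never reaches the peer, but it has
    # already been radiated in a form anyone in range can decrypt.
    ap_view = [ccmp_unprotect(REAL_TK, a2, pn, aad, prot) for a2, pn, aad, prot in captured]
    return {"attacker": leaked, "ap": ap_view}


if __name__ == "__main__":
    for frame, plaintext in enumerate(demo()["attacker"], 1):
        print(f"frame {frame}: {plaintext!r}")
```

Running it prints `None` for the first frame and the full POST body for the second. That second payload is exactly what D-Link's interim advice addresses: had the request been carried over TLS (HTTPS) or SSH, the attacker would still recover the frame, but the recovered bytes would be an encrypted record rather than a credential. The check a defender cares about is therefore not whether the Wi-Fi link is "encrypted", but whether anything sensitive crosses it in cleartext at the application layer.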