Wi-Fi Protected Network and Wi-Fi Protected Network 2 Information Disclosure Vulnerability

On February 26th, 2020, researchers Štefan Svorencík and Robert Lipovsky disclosed a vulnerability in the implementation of wireless egress packet processing in certain Broadcom Wi-Fi chipsets. This vulnerability could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames without knowledge of the Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access 2 (WPA2) Pairwise Temporal Key (PTK) used to secure the Wi-Fi network.

The vulnerability exists because, after an affected device handles a disassociation event, it could send a limited number of Wi-Fi frames encrypted with a static, weak PTK. An attacker could exploit this vulnerability by capturing these frames and decrypting them with the static PTK. A successful exploit could allow the attacker to decrypt Wi-Fi frames without knowledge of the security session establishment used to secure the Wi-Fi network.

Multiple Cisco wireless products are affected by this vulnerability.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.

This advisory is available at the following link:

Security Impact Rating: Medium

CVE: CVE-2019-15126


Offline Cryptographic Attacks Targeting the Wi-Fi Protected Access 2 Protocol

On August 4, 2018, Jens Steube from the Hashcat project published an article introducing a new method to obtain cryptographic information from wireless traffic that can then be used by an attacker to attempt the offline recovery of the preshared key (PSK) used to secure a Wi-Fi network.

Both the Wi-Fi Protected Access (WPA) and the Wi-Fi Protected Access 2 (WPA2) protocols are known to be susceptible to offline cryptographic attacks when a PSK is used as an authentication mechanism. This is not a new vulnerability or a new attack against these protocols. This is a new vector that allows an attacker to obtain the information required to attempt an offline attack against the PSK.

This new method is different from the existing attacks against the PSK because it does not require an attacker to wait for an Extensible Authentication Protocol over LAN (EAPOL) authentication exchange, capture it, and proceed to attempt an offline PSK recovery. This new vector allows an attacker to extract the required information from a single wireless frame transmitted during a roaming event. The following conditions for this capture apply:

  • The frame contains a Robust Security Network-Pairwise Master Key Identification (RSN-PMKID) option
  • The wireless infrastructure is configured to use WPA2 with a PSK mode of authentication
  • The wireless infrastructure supports the Proactive Key Caching (PKC) fast roaming option (PMKID roaming)

The wireless frame can be acquired by passively listening to traffic from the wireless network during a roaming event.

It is important to note that this method does not make it easier or faster to recover the PSK for a Wi-Fi network. Instead, it is easier for an attacker to collect the information required to conduct a subsequent offline cryptographic attack. The likelihood of a successful recovery of the PSK is highly dependent on the complexity of the PSK in use.
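As an added illustration of the first condition above (not code from the advisory or from Cisco), the parser below walks the Key Data field of an EAPOL-Key message 1 and reports whether it carries an RSN PMKID KDE; a defender can run it over captured handshakes to confirm whether their own infrastructure emits a PMKID before the client has authenticated. The frames and the PMKID value are constructed inline, not taken from a real capture.

```python
import struct

PMKID_KDE_TYPE = 4            # RSN KDE data type for PMKID (IEEE 802.11, KDE selectors)
RSN_OUI = b"\x00\x0f\xac"
EAPOL_KEY_FIXED_LEN = 4 + 95  # 802.1X header + fixed EAPOL-Key descriptor fields

def parse_key_data_kdes(key_data: bytes):
    """Walk the EAPOL-Key Key Data field, yielding (element_id, oui, data_type, payload)."""
    i = 0
    while i + 2 <= len(key_data):
        eid, length = key_data[i], key_data[i + 1]
        body = key_data[i + 2:i + 2 + length]
        if len(body) < length:
            break  # truncated element: stop rather than guess at its contents
        if eid == 0xDD and length >= 4:
            yield eid, body[:3], body[3], body[4:]   # vendor-specific element: OUI + data type
        else:
            yield eid, None, None, body              # e.g. RSNE (0x30) or other IEs
        i += 2 + length

def extract_pmkid(eapol_frame: bytes):
    """Return the PMKID (hex) carried in an EAPOL-Key message 1, or None if absent."""
    if len(eapol_frame) < EAPOL_KEY_FIXED_LEN or eapol_frame[1] != 3:  # 802.1X type 3 = EAPOL-Key
        return None
    key_info, = struct.unpack_from(">H", eapol_frame, 5)
    pairwise, ack, mic = key_info & 0x0008, key_info & 0x0080, key_info & 0x0100
    if not (pairwise and ack) or mic:
        return None  # message 1 of the 4-way handshake: Pairwise and Ack set, no MIC yet
    key_data_len, = struct.unpack_from(">H", eapol_frame, EAPOL_KEY_FIXED_LEN - 2)
    key_data = eapol_frame[EAPOL_KEY_FIXED_LEN:EAPOL_KEY_FIXED_LEN + key_data_len]
    for eid, oui, dtype, payload in parse_key_data_kdes(key_data):
        if eid == 0xDD and oui == RSN_OUI and dtype == PMKID_KDE_TYPE and len(payload) == 16:
            return payload.hex()
    return None

def build_msg1(key_data: bytes) -> bytes:
    """Constructed EAPOL-Key message 1 (descriptor type 2, Key Info 0x008a) wrapping key_data."""
    body = (bytes([2]) + struct.pack(">HH", 0x008A, 16) + bytes(8)      # type, key info, key len, replay ctr
            + bytes(range(32)) + bytes(16) + bytes(8) + bytes(8) + bytes(16))  # ANonce, IV, RSC, ID, MIC
    body += struct.pack(">H", len(key_data)) + key_data
    return bytes([2, 3]) + struct.pack(">H", len(body)) + body        # 802.1X v2, EAPOL-Key, length

# Constructed sample values (hypothetical PMKID, not from any real network)
SAMPLE_PMKID = bytes.fromhex("00112233445566778899aabbccddeeff")
PMKID_KDE = bytes([0xDD, 0x14]) + RSN_OUI + bytes([PMKID_KDE_TYPE]) + SAMPLE_PMKID
SAMPLE_WITH_PMKID = build_msg1(PMKID_KDE)
SAMPLE_WITHOUT_PMKID = build_msg1(b"")
SAMPLE_TRUNCATED = build_msg1(PMKID_KDE[:12])   # KDE claims 20 bytes but only 10 follow
```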

This advisory is available at the following link:

Security Impact Rating: Informational


Building the 5G Foundation – Enterprise Private Mobility-as-a-Service

Progressive enterprises are pursuing software-defined solutions with operating models powered by analytics, automation and machine communications to improve productivity, service levels and cost structures. With hundreds of devices and sensors connecting to a network, wired connections are becoming expensive. At the same time, mobile networks are not ready for the massive number of connections, and the data associated with them, coming their way. Using conventional unlicensed methods such as Wi-Fi to address coverage and capacity is not necessarily ideal for some mission-critical workloads. This is because Wi-Fi is designed as a "best effort" service; it …


VDA registration failure over WAN

Collected Wireshark traces from VDA and DDC simultaneously while restarting the Citrix Desktop Service on VDA.

Found that the items highlighted below were modified by the Riverbed device before the network packets reached the DDC from the VDA:

1. Sequence number was changed.

2. Packet payload length was modified.

3. A Riverbed probe was added to the TCP options.

4. The packet was flagged by Wireshark as a malformed packet.

VDA snippet: [screenshot of the VDA-side trace]

DDC snippet: [screenshot of the DDC-side trace]
