A team of researchers from Synopsys’ Cybersecurity Research Center (CyRC) in Oulu, Finland has discovered a partial authentication bypass vulnerability in multiple wireless router chipsets from Mediatek, Qualcomm (Atheros), Zyxel and Realtek.
The vulnerability, tracked as CVE-2019-18989, CVE-2019-18990 and CVE-2019-18991, affects Mediatek’s MT7620N chipset, Qualcomm’s AR9132, AR9283 and AR9285 chipsets and Realtek’s RTL8812AR, RTL8196D, RTL8881AN and RTL8192ER chipsets. However, Synopsys was unable to compile a comprehensive list of vulnerable devices and chipsets, because numerous wireless routers are affected by this vulnerability.
As part of its disclosure process, Synopsys engaged with all the manufacturers of the devices it tested. After reaching out to each manufacturer, the company received a response only from Zyxel, though Mediatek notified D-Link about the matter during the disclosure process. Both Zyxel and D-Link confirmed that they have patches ready to fix the issue and that these will be made available to their affected customers.
Authentication bypass vulnerability
According to a new blog post from Synopsys, the vulnerability allows an attacker to inject packets into a WPA2-protected network without knowledge of the preshared key.
Once injected, these packets are routed through the network in the same way valid packets are, and responses to the injected packets come back encrypted. However, since an attacker exploiting this vulnerability controls what is sent through the network, they would eventually be able to determine whether the injected packets successfully reached an active system.
As a proof of concept, Synopsys researchers were able to open a UDP port in a router’s NAT by injecting UDP packets into a vulnerable WPA2-protected network. The packets were routed out through the public internet before eventually being received by an attacker-controlled host listening on a defined UDP port. Upon receiving this response, the attacker-controlled host can then use the opened UDP port to communicate back into the vulnerable network.
While access point manufacturers whose devices include the identified chipsets can request patches from Mediatek and Realtek, end users with vulnerable access points are strongly encouraged to update their devices as soon as possible or to replace vulnerable access points with unaffected ones.