CVE-2019-15126

Published: 05/02/2020 Updated: 27/02/2020
CVSS v2 Base Score: 2.9 | Impact Score: 2.9 | Exploitability Score: 5.5
Vector: AV:A/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

An issue exists on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic, a different vulnerability than CVE-2019-9500, CVE-2019-9501, CVE-2019-9502, and CVE-2019-9503.

Affected Products

Vendor | Product | Versions
Apple | Ipad Os | 13.1.1, 13.1.2, 13.1.3
Apple | Iphone Os | 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 2.0, 2.0.0, 2.0.1, 2.0.2, 2.1, 2.1.1, 2.2, 2.2.1, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.2, 3.2.1, 3.2.2, 4.0, 4.0.1, 4.0.2, 4.1, 4.2.1, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 5.0, 5.0.1, 5.1, 5.1.1, 6.0, 6.0.1, 6.0.2, 6.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 7.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.1, 7.1.1, 7.1.2, 8.0, 8.0.1, 8.0.2, 8.1, 8.1.1, 8.1.2, 8.1.3, 8.2, 8.3, 8.4, 8.4.1, 9.0, 9.0.1, 9.0.2, 9.1, 9.2, 9.2.1, 9.3, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 10.0, 10.0.1, 10.0.2, 10.0.3, 10.1, 10.1.1, 10.2, 10.2.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 11, 11.0, 11.0.1, 11.0.2, 11.0.3, 11.1, 11.1.1, 11.1.2, 11.2, 11.2.1, 11.2.2, 11.2.5, 11.2.6, 11.3, 11.3.1, 11.4, 11.4.1, 12.0, 12.0.1, 12.1, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.2, 12.3, 12.3.1, 12.3.2, 12.4, 12.4.1, 13.0, 13.1, 13.1.1, 13.1.2, 13.1.3
Apple | Mac Os X | -, 10.0, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.1, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.2, 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.3, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.3.7, 10.3.8, 10.3.9, 10.4, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 10.4.7, 10.4.8, 10.4.9, 10.4.10, 10.4.11, 10.5, 10.5.0, 10.5.1, 10.5.2, 10.5.3, 10.5.4, 10.5.5, 10.5.6, 10.5.7, 10.5.8, 10.6.0, 10.6.1, 10.6.2, 10.6.3, 10.6.4, 10.6.5, 10.6.6, 10.6.7, 10.6.8, 10.7.0, 10.7.1, 10.7.2, 10.7.3, 10.7.4, 10.7.5, 10.8.0, 10.8.1, 10.8.2, 10.8.3, 10.8.4, 10.8.5, 10.9, 10.9.1, 10.9.2, 10.9.3, 10.9.4, 10.9.5, 10.10.0, 10.10.1, 10.10.2, 10.10.3, 10.10.4, 10.10.5, 10.11.0, 10.11.1, 10.11.2, 10.11.3, 10.11.4, 10.11.5, 10.11.6, 10.12, 10.12.0, 10.12.1, 10.12.2, 10.12.3, 10.12.4, 10.12.5, 10.12.6, 10.13, 10.13.0, 10.13.1, 10.13.2, 10.13.3, 10.13.4, 10.13.5, 10.13.6, 10.14, 10.14.1, 10.14.2, 10.14.4, 10.14.5, 10.14.6, 10.15
Broadcom | Bcm43012 Firmware | -
Broadcom | Bcm43013 Firmware | -
Broadcom | Bcm4356 Firmware | -
Broadcom | Bcm43752 Firmware | -
Broadcom | Bcm4375 Firmware | -
Broadcom | Bcm4389 Firmware | -

Vendor Advisories

On February 26th, 2020, researchers Štefan Svorencík and Robert Lipovsky disclosed a vulnerability in the implementation of the wireless egress packet processing of certain Broadcom Wi-Fi chipsets. This vulnerability could allow an unauthenticated, adjacent attacker to decrypt Wi-Fi frames without the knowledge of the Wireless Protected Access (W ...
After becoming aware that security researchers discovered the vulnerability (CVE-2019-15126) named Kr00k in Wi-Fi chips by Broadcom and Cypress, Huawei has started an investigation immediately. The investigation is still underway, and Huawei PSIRT will keep updating this SN. Please stay tuned for more information ...

Exploits

# Kr00ker
#
# Experimental KR00K PoC in python3 using scapy
#
# Description:
# This script is a simple experiment to exploit the KR00K vulnerability (CVE-2019-15126),
# that allows to decrypt some WPA2 CCMP data in vulnerable devices
# More specifically this script attempts to retrieve Plaintext Data of WPA2 CCMP packets knowing:
# * the TK (128 ...

Mailing Lists

Broadcom Wi-Fi device KR00K information disclosure proof of concept exploit. It works on WPA2 AES CCMP with Frequency 2.4GHz WLANs ...

Github Repositories

PoC exploit for the CVE-2019-15126 kr00k vulnerability

PoC of CVE-2019-15126 kr00k vulnerability

An experimental script PoC for Kr00k vulnerability (CVE-2019-15126)

First commit (the script was tested on vulnerable devices iPhone 6s and Samsung Galaxy S5)

Recent Articles

Bored during lockdown? Why not try out these data-spilling KrØØk Wi-Fi bug exploits against your nearby devices
The Register • Shaun Nichols in San Francisco • 20 Mar 2020

It's not like you can snoop on anyone right now anyway, right?

Proof-of-concept exploit code has emerged for last month's data-leaking KrØØk vulnerability present in a billion-plus Wi-Fi-connected devices and computers.
The team at infosec outfit Hexway told The Register on Friday it has crafted a working exploit for the flaw which is present in equipment that uses Broadcom's communications chipsets. This design blunder can be abused by nearby miscreants to snatch snapshots of private data, such as web requests, messages, and passwords, over the air...

Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you're using HTTPS, SSH, VPNs... right?
The Register • Shaun Nichols in San Francisco • 27 Feb 2020

Encryption keys forced to zero by chip-level KrØØk flaw

A billion-plus computers, phones, and other devices are said to suffer a chip-level security vulnerability that can be exploited by nearby miscreants to snoop on victims' encrypted Wi-Fi traffic.
The flaw [PDF] was branded KrØØk by the bods at Euro infosec outfit ESET who discovered it. The design blunder is otherwise known as CVE-2019-15126, and is related to 2017's KRACK technique for spying on Wi-Fi networks.
An eavesdropper doesn't have to be logged into the target device's wir...

Cisco Working on Patches for New Kr00k WiFi Vulnerability
BleepingComputer • Ionut Ilascu • 27 Feb 2020

Cisco today announced that it is working to patch multiple products that are affected by the recently disclosed Kr00k vulnerability in WiFi chips from Broadcom and Cypress.
The flaw (CVE-2019-15126) was announced yesterday by security researchers at ESET and can be leveraged by an unauthenticated attacker to decrypt data frames captured from a nearby vulnerable device.
An attacker exploiting this security vulnerability does not need to know the Wireless Protected Access (WPA) or Wire...

Billions of Devices Open to Wi-Fi Eavesdropping Attacks
Threatpost • Tara Seals • 26 Feb 2020

SAN FRANCISCO — A serious vulnerability in Wi-Fi chips has been discovered that affects billions of devices worldwide, according to researchers. It allows attackers to eavesdrop on Wi-Fi communications.
The bug (CVE-2019-15126) stems from the use of an all-zero encryption key in chips made by Broadcom and Cypress, according to researchers at ESET, which results in data decryption. This breaks the WPA2-Personal and WPA2-Enterprise security protocols.
The vulnerable chips are found i...

KrØØk: Serious vulnerability affected encryption of billion+ Wi‑Fi devices
welivesecurity • Miloš Čermák, Robert Lipovsky • 26 Feb 2020

ESET Research has published its latest white paper, KrØØk – CVE-2019-15126: Serious vulnerability deep inside your Wi-Fi encryption. This blogpost summarizes that white paper, authored by researchers Miloš Čermák, Robert Lipovský and Štefan Svorenčík. For more information, readers can also refer to our dedicated webpage.
ESET researchers discovered a previously unknown vulnerability in Wi-Fi chips and named it KrØØk. This serious flaw, assigned CVE-2019-15126, causes vulnerabl...

Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
BleepingComputer • Ionut Ilascu • 01 Jan 1970

A vulnerability in some popular WiFi chips present in client devices, routers, and access points, can be leveraged to partially decrypt user communication and expose data in wireless network packets.
The flaw received the name Kr00k and was identified in components from Broadcom and Cypress, which are integrated into mobile phones, tablets, laptops, IoT gadgets. By current conservative estimates, over one billion devices are affected.
Researchers at security company ESET, who found t...