PEPPERL+FUCHS Kr00k vulnerabilities in Broadcom Wi-Fi chipsets

VDE-2020-014 (2020-03-31 16:30 UTC+0200)

CVE Identifier

CVE-2019-15126

Affected Vendors

PEPPERL+FUCHS

Affected Products

Tab-Ex 02 <= v01.03.2020

Vulnerability Type

Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

Summary

Security researchers at ESET have reported a vulnerability called Kr00k (CVE-2019- 15126) which affects encrypted WiFi traffic for devices using Broadcom or Cypress chipsets. The vulnerability may allow an attacker to decrypt some WPA2- Personal/Enterprise traffic by forcing an AP/client to start utilizing an all-zero encryption key (similar to KRACK vulnerability).

Impact

Pepperl+Fuchs analyzed its ECOM branded mobile device portfolio in respect of the 'Kr00k' vulnerabilities. To our current knowledge only Tab-Ex 02 is potentially affected by these vulnerabilities. Devices with security patch level <= 01.03.2020 are affected.

Solution

Pepperl+Fuchs is continuously and rigorously working closely with our partner to patch all affected Devices.

Update for Tab-Ex 02 is planned for 05/2020.

ECOM mobile devices are normally used in the corporate network. This implies that outgoing connections and local software installations have to be configured by administrators. It should be ensured that the data connections are additionally encrypted, e.g. HTTPS or SSH.

Reported by

Security researchers at ESET.