“Shark on the Router” (Authentication Bypass in Wireless Router Chipsets)

Multiple wireless router chipsets were discovered to be vulnerable to authentication bypass, giving a threat actor control of network traffic passing through the affected device(s). A successful attack occurs when an attacker injects arbitrary (unencrypted) packets into networks with WPA2 protection. Upon injection, the packets are considered to be legitimately routed traffic and encrypted responses are received.

This attack is especially dangerous because the attacker doesn’t require any knowledge of the pre-negotiated key used in the network encryption. In addition to controlling traffic on a network, the attacker can determine whether their packets successfully reach an active system.

The following chipsets were identified to be at risk:

Mediatek:

• Chipset: MT7620N
• Devices tested: D-Link DWR-116 V1.06(EU)

Qualcomm (Atheros):

• Chipset: AR9132
• Devices tested: Zyxel NBG460N V3.60(AMX.8)
• Chipset: AR9283
• Devices tested: Buffalo WHR-G300N V2 V1.85 (R1.18/B1.03)
• Chipset: AR9285
• Devices tested: Netgear WNR1000 V.1.0.0.12NA

Realtek:

• Chipset: RTL8812AR
• Devices tested: D-Link DIR-850L V1.21WW
• Chipset: RTL8196D
• Devices tested: Netwjork N+4G V1.0.0
• Chipset: RTL8881AN
• Devices tested: D-Link DIR-809 Rev A3 V1.09 Rev A2
• Chipset: RTL8192ER
• Devices tested: D-Link DIR-605L H/W: B2 V2.10

The remediation:

Patches for devices including the chipset are available for Mediatek and Realtek and must be requested from the respective manufacturers. However, Qualcomm (Atheros) has issued a statement saying they have discontinued the affected chipsets and have verified that their currently supported chipsets are not affected by the vulnerability. Those using the identified chipset and firmware versions are encouraged to upgrade as soon as possible or replace vulnerable access points (especially in the case of the obsolete Qualcomm devices).

Source: Security Boulevard