ID

VAR-201211-0048


CVE

CVE-2012-4366


TITLE

Network access vulnerabilities in multiple Belkin wireless router products

Trust: 0.8

sources: JVNDB: JVNDB-2012-005440

DESCRIPTION

Belkin wireless routers Surf N150 Model F7D1301v1, N900 Model F9K1104v1, N450 Model F9K1105V2, and N300 Model F7D2301v1 generate a predictable default WPA2-PSK passphrase based on eight digits of the WAN MAC address, which allows remote attackers to access the network by sniffing the beacon frames.

Belkin offers a variety of wireless router devices. The Belkin wireless routing device prints the network name (ESSID) and a seemingly random password on the bottom of the device. Although a manufacturer-set default WPA2-PSK password can be more secure than a user-chosen one, the Belkin default password is calculated solely from device data.

Multiple Belkin Wireless Routers are prone to a security vulnerability that may allow attackers to generate a default WPA2 password. Successfully exploiting this issue may allow attackers to generate the default WPA2 passwords. This may lead to other attacks. The following products are affected: Belkin Surf N150 F7D1301v1, Belkin N900 F9K1104v1, Belkin N450 F9K1105V2.

Background

Belkin ships many wireless routers with an encrypted wireless network configured by default.

II. Description of vulnerability

Having a preconfigured randomly generated WPA2-PSK passphrase for wireless routers is basically a good idea since a vendor-generated passphrase can be much more secure than most user-generated passwords. Each of the eight characters of the default passphrase is created by substituting a corresponding hex digit of the WAN MAC address using a static substitution table. Moreover, the default WPA2-PSK passphrase solely consists of 8 hexadecimal digits, which means that the entropy is limited to only 32 bits (or 33 bits since some models use uppercase hex digits). After sniffing one successful association of a client to the wireless network, an attacker can carry out an offline brute-force attack to crack the password. The program oclhashcat-plus can try 131,000 passwords per second on one high-end GPU (AMD Radeon HD7970) [1]. Doing a full search of the 32-bit key space takes about 9 hours at this rate.

III. Impact

An attacker can exploit this vulnerability to calculate the WPA2-PSK passphrase of a wireless network. This allows sniffing and decrypting all wireless traffic in a purely passive attack given that the attacker has also sniffed the association. The attacker may also connect to the wireless network, which may allow further exploitation of unprotected systems in the local network. An attacker may furthermore use the wireless network to access the internet from the owner's network. The network owner may then be held responsible for any illegal activities perpetrated by the unauthorized users.

IV. Affected devices

Belkin Surf N150 Model F7D1301v1

The official Belkin support page [2] contains pictures of the label of several other WiFi devices, which show that the following devices are vulnerable as well:

Belkin N900 Model F9K1104v1
Belkin N450 Model F9K1105V2

The following device uses a variation of the algorithm and the password consists of uppercase hex digits. When using our algorithm with the WLAN MAC of the device, the first 5 digits of the password are calculated correctly. It is likely that the algorithm differs only in the tables used.

Belkin N300 Model F7D2301v1

It is likely that other Belkin devices are affected as well. Unfortunately, Belkin has not yet cooperated with us to fix the vulnerability and/or confirm a list of other affected devices.

V. Solution

Users of potentially affected wireless routers should change the wireless passphrase to something more secure.

VI. Timeline

6.1.2012: Vendor contacted
27.1.2012: Escalated
29.10.2012: Another contact attempt, still no response
19.11.2012: Public disclosure

VII. Credits

Jakob Lell
Jörg Schneider

VIII. References

Advisory location: http://www.jakoblell.com/blog/?p=15
CVE-2012-4366: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4366
[1] http://hashcat.net/oclhashcat-plus/
[2] http://en-us-support.belkin.com/app/answers/detail/a_id/6989

Trust: 2.7

sources: NVD: CVE-2012-4366 // JVNDB: JVNDB-2012-005440 // CNVD: CNVD-2012-6597 // BID: 56591 // VULHUB: VHN-57647 // VULMON: CVE-2012-4366 // PACKETSTORM: 118208

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2012-6597

AFFECTED PRODUCTS

vendor: belkin, model: n450 wireless router, scope: eq, version: f9k1105v2

Trust: 2.4

vendor: belkin, model: n150 wireless router, scope: eq, version: f7d1301v1

Trust: 1.6

vendor: belkin, model: n900 wireless router, scope: eq, version: f9k1104v1

Trust: 1.6

vendor: belkin, model: n300 wireless router, scope: eq, version: f7d2301v1

Trust: 1.6

vendor: belkin, model: advance n900 dual-band wireless router, scope: eq, version: f9k1104v1

Trust: 0.8

vendor: belkin, model: n150 wireless home network router, scope: eq, version: f7d1301v1

Trust: 0.8

vendor: belkin, model: n300 wi-fi n router, scope: eq, version: f7d2301v1

Trust: 0.8

vendor: belkin, model: surf n150 model f7d1301v1, scope: -, version: -

Trust: 0.6

vendor: belkin, model: n900 model f9k1104v1, scope: -, version: -

Trust: 0.6

vendor: belkin, model: n450 model f9k1105v2, scope: -, version: -

Trust: 0.6

vendor: belkin, model: n300 model f7d2301v1, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2012-6597 // JVNDB: JVNDB-2012-005440 // CNNVD: CNNVD-201211-353 // NVD: CVE-2012-4366

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2012-4366
value: LOW

Trust: 1.0

NVD: CVE-2012-4366
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201211-353
value: LOW

Trust: 0.6

VULHUB: VHN-57647
value: LOW

Trust: 0.1

VULMON: CVE-2012-4366
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2012-4366
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: CVE-2012-4366
severity: MEDIUM
baseScore: 5.8
vectorString: AV:A/AC:L/AU:N/C:P/I:P/A:P
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-57647
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-57647 // VULMON: CVE-2012-4366 // JVNDB: JVNDB-2012-005440 // CNNVD: CNNVD-201211-353 // NVD: CVE-2012-4366

PROBLEMTYPE DATA

problemtype:CWE-310

Trust: 1.1

problemtype:CWE-255

Trust: 0.8

sources: VULHUB: VHN-57647 // JVNDB: JVNDB-2012-005440 // NVD: CVE-2012-4366

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201211-353

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201211-353

CONFIGURATIONS

sources: JVNDB: JVNDB-2012-005440

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-57647 // VULMON: CVE-2012-4366

PATCH

title: Top Page, url: http://www.belkin.com/

Trust: 0.8

title: -, url: https://github.com/nameisnithin/nithin

Trust: 0.1

title: PSKracker, url: https://github.com/bitwisebill/PSKracker

Trust: 0.1

title: -, url: https://github.com/yadau/wireless-network-security-assessment

Trust: 0.1

title: -, url: https://github.com/madhankumar9182/wireless-network-security

Trust: 0.1

title: PSKracker, url: https://github.com/soxrok2212/PSKracker

Trust: 0.1

title: Crippled, url: https://github.com/Konsole512/Crippled

Trust: 0.1

sources: VULMON: CVE-2012-4366 // JVNDB: JVNDB-2012-005440

EXTERNAL IDS

db: NVD, id: CVE-2012-4366

Trust: 3.6

db: BID, id: 56591

Trust: 1.5

db: JVNDB, id: JVNDB-2012-005440

Trust: 0.8

db: CNNVD, id: CNNVD-201211-353

Trust: 0.7

db: CNVD, id: CNVD-2012-6597

Trust: 0.6

db: BUGTRAQ, id: 20121119 CVE-2012-4366: INSECURE DEFAULT WPA2 PASSPHRASE IN MULTIPLE BELKIN WIRELESS ROUTERS

Trust: 0.6

db: PACKETSTORM, id: 118208

Trust: 0.2

db: EXPLOIT-DB, id: 38164

Trust: 0.2

db: VULHUB, id: VHN-57647

Trust: 0.1

db: VULMON, id: CVE-2012-4366

Trust: 0.1

sources: CNVD: CNVD-2012-6597 // VULHUB: VHN-57647 // VULMON: CVE-2012-4366 // BID: 56591 // JVNDB: JVNDB-2012-005440 // PACKETSTORM: 118208 // CNNVD: CNNVD-201211-353 // NVD: CVE-2012-4366

REFERENCES

url:http://archives.neohapsis.com/archives/bugtraq/2012-11/0070.html

Trust: 1.8

url:http://www.jakoblell.com/blog/2012/11/19/cve-2012-4366-insecure-default-wpa2-passphrase-in-multiple-belkin-wireless-routers/

Trust: 1.8

url:http://www.securityfocus.com/bid/56591

Trust: 1.3

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/80157

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4366

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-4366

Trust: 0.8

url:http://seclists.org/bugtraq/2012/nov/69

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/310.html

Trust: 0.1

url:https://github.com/nameisnithin/nithin

Trust: 0.1

url:https://github.com/bitwisebill/pskracker

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.exploit-db.com/exploits/38164/

Trust: 0.1

url:http://hashcat.net/oclhashcat-plus/

Trust: 0.1

url:http://www.jakoblell.com/blog/?p=15

Trust: 0.1

url:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4366

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2012-4366

Trust: 0.1

url:http://en-us-support.belkin.com/app/answers/detail/a_id/6989

Trust: 0.1

sources: CNVD: CNVD-2012-6597 // VULHUB: VHN-57647 // VULMON: CVE-2012-4366 // JVNDB: JVNDB-2012-005440 // PACKETSTORM: 118208 // CNNVD: CNNVD-201211-353 // NVD: CVE-2012-4366

CREDITS

Jakob Lell and Jörg Schneider

Trust: 0.3

sources: BID: 56591

SOURCES

db: CNVD, id: CNVD-2012-6597
db: VULHUB, id: VHN-57647
db: VULMON, id: CVE-2012-4366
db: BID, id: 56591
db: JVNDB, id: JVNDB-2012-005440
db: PACKETSTORM, id: 118208
db: CNNVD, id: CNNVD-201211-353
db: NVD, id: CVE-2012-4366

LAST UPDATE DATE

2024-08-14T15:40:10.970000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2012-6597, date: 2012-11-21T00:00:00
db: VULHUB, id: VHN-57647, date: 2017-08-29T00:00:00
db: VULMON, id: CVE-2012-4366, date: 2017-08-29T00:00:00
db: BID, id: 56591, date: 2012-11-19T00:00:00
db: JVNDB, id: JVNDB-2012-005440, date: 2012-11-21T00:00:00
db: CNNVD, id: CNNVD-201211-353, date: 2012-11-20T00:00:00
db: NVD, id: CVE-2012-4366, date: 2017-08-29T01:32:16.727

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2012-6597, date: 2012-11-21T00:00:00
db: VULHUB, id: VHN-57647, date: 2012-11-20T00:00:00
db: VULMON, id: CVE-2012-4366, date: 2012-11-20T00:00:00
db: BID, id: 56591, date: 2012-11-19T00:00:00
db: JVNDB, id: JVNDB-2012-005440, date: 2012-11-21T00:00:00
db: PACKETSTORM, id: 118208, date: 2012-11-19T21:56:52
db: CNNVD, id: CNNVD-201211-353, date: 2012-11-20T00:00:00
db: NVD, id: CVE-2012-4366, date: 2012-11-20T00:55:01.010