CVE-2020-25853 - OpenCVE

The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Realtek	Rtl8195a Rtl8195a Firmware

Configuration 1 [-]

AND

cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VDOO

Published: 2021-02-03T16:49:20

Updated: 2021-02-03T16:49:20

Reserved: 2020-09-23T00:00:00

Link: CVE-2020-25853

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-03T17:15:14.187

Modified: 2021-02-08T18:23:25.117

Link: CVE-2020-25853

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Realtek RTL8195A Wi-Fi Module", "vendor": "n/a", "versions": [{"status": "affected", "version": "Versions before 2020-04-21 (up to and excluding 2.08)"}]}], "descriptions": [{"lang": "en", "value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "description": "Stack buffer over-read (CWE-126)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-03T16:49:20", "orgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "shortName": "VDOO"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "vuln@vdoo.com", "ID": "CVE-2020-25853", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Realtek RTL8195A Wi-Fi Module", "version": {"version_data": [{"version_value": "Versions before 2020-04-21 (up to and excluding 2.08)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Stack buffer over-read (CWE-126)"}]}]}, "references": {"reference_data": [{"name": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/", "refsource": "CONFIRM", "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}]}}}}, "cveMetadata": {"assignerOrgId": "6b4ace4a-d6e0-415b-9ce8-aa20e97e4b24", "assignerShortName": "VDOO", "cveId": "CVE-2020-25853", "datePublished": "2021-02-03T16:49:20", "dateReserved": "2020-09-23T00:00:00", "dateUpdated": "2021-02-03T16:49:20", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:realtek:rtl8195a_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "24D4DC02-E833-483C-885F-9E168E5F8A4C", "versionEndExcluding": "2.08", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:realtek:rtl8195a:-:*:*:*:*:*:*:*", "matchCriteriaId": "62A37D39-5134-4AFE-9F59-C8C36A113B04", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The function CheckMic() in the Realtek RTL8195A Wi-Fi Module prior to versions released in April 2020 (up to and excluding 2.08) does not validate the size parameter for an internal function, _rt_md5_hmac_veneer() or _rt_hmac_sha1_veneer(), resulting in a stack buffer over-read which can be exploited for denial of service. An attacker can impersonate an Access Point and attack a vulnerable Wi-Fi client, by injecting a crafted packet into the WPA2 handshake. The attacker does not need to know the network's PSK."}, {"lang": "es", "value": "La funci\u00f3n CheckMic() en el m\u00f3dulo Wi-Fi Realtek RTL8195A anterior a versiones publicadas en Abril de 2020 (hasta y excluyendo la 2.08), no comprueba el par\u00e1metro size para una funci\u00f3n interna, _rt_md5_hmac_veneer() o _rt_hmac_sha1_veneer(), resulta en una lectura excesiva del b\u00fafer de pila que puede ser explotada para una denegaci\u00f3n de servicio. Un atacante puede hacerse pasar por un Access Point y atacar a un cliente Wi-Fi vulnerable al inyectar un paquete dise\u00f1ado en el protocolo de enlace WPA2. El atacante no necesita conocer el PSK de la red"}], "id": "CVE-2020-25853", "lastModified": "2021-02-08T18:23:25.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-03T17:15:14.187", "references": [{"source": "vuln@vdoo.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered/"}], "sourceIdentifier": "vuln@vdoo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-126"}], "source": "vuln@vdoo.com", "type": "Secondary"}]}