MITRE: CVE-2019-15126 Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device

2023-02-1408:00:00

Microsoft

msrc.microsoft.com

3.1 Low

CVSS3

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

2.9 Low

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:A/AC:M/Au:N/C:P/I:N/A:N

0.007 Low

EPSS

Percentile

79.5%

JSON

An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.

Broadcom no longer supports their hardware on any Windows platforms. As such there is no security update available to address this vulnerability. We recommend that customers using HoloLens 1 devices with this WiFi client device do the following to protect themselves from this vulnerability:

Update Wi-Fi routers to mitigate security vulnerabilities (for example, FragAttacks).
Use WPA2-Enterprise with certificate-based authentication for HoloLens Wi-Fi.
Don’t connect your HoloLens device to untrusted Wi-Fi networks.
Don’t reuse Wi-Fi passwords.
Don’t use plain text HTTP connection.
Enable Kiosk mode on your HoloLens device and prevent users from using apps that expose URL links.