WPS PIN Offline Brute-Force Exploit in Askey AP5100W Devices
CVE-2020-15023

5.9 MEDIUM

Key Information:

Vendor: Askey

CVE Published: 11 December 2020

What is CVE-2020-15023?

Askey AP5100W devices running AP5100W_Dual_SIG_1.01.097 are exposed to a vulnerability that allows attackers to execute offline brute-force attacks on the Wi-Fi Protected Setup (WPS) PIN. The weakness stems from inadequate random number generation during the Diffie-Hellman exchange. An attacker who captures a WPS authentication attempt can use the captured information to quickly derive the WPS PIN, and potentially the Wi-Fi Pre-Shared Key (PSK), gaining unauthorized access to the targeted Wi-Fi network.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
