I wrote the following in the "minor news" thread:
The gist of the article, bolding mine:
CVE-2019-13052
Mengs says that if an attacker can capture the pairing between a Unifying dongle and a Logitech wireless accessory, the attacker can recover the key used to encrypt traffic between the two components.
...
Furthermore, in situations where the attacker has missed the dongle pairing operation, an attacker with physical access to the dongle "could manually initiate a re-pairing of an already paired device to the receiver, in order to obtain the link-encryption key," by simply unplugging and re-plugging the dongle.
...
Logitech told Mengs that they don't plan to issue a firmware patch for this vulnerability.
CVE-2019-13053
According to Mengs, this is a vulnerability through which an attacker can inject keystrokes into the encrypted communications stream between a USB dongle and a Logitech device, even without knowing the encryption key.
The researcher says the attacker needs physical access to a device to perform this attack.
...
Physical access is required only once, so the attacker can collect enough cryptographic data from the radio traffic.
...
Mengs says this vulnerability exists due to an incomplete fix for CVE-2016-10761, one of the infamous MouseJack vulnerabilities, and that Logitech has no plans on patching this new attack variation.
CVE-2019-13054 and CVE-2019-13055
CVE-2019-13054 and CVE-2019-13055 are technically the same vulnerability. The flaws require physical access to a Logitech Unifying dongle to successfully exploit.
...
Logitech told Mengs that a patch for this issue is scheduled for August 2019.
Mengs also warned that many Logitech Unifying dongles are still vulnerable to the old MouseJack vulnerabilities disclosed back in 2016.