April 2019 Security Update

Background:

On April 10th, 2019, researchers disclosed several vulnerabilities affecting authentication for wireless networks. Their effects range from resource exhaustion on wireless access points, to downgraded encryption strength, to crashes.

At the time of writing, eero does not implement WPA3 or EAP-pwd authentication for client devices, so most of the disclosed vulnerabilities do not affect eero networks.

eero networks do use a component of WPA3 authentication called SAE when establishing the mesh network among themselves. SAE was subject to a resource exhaustion attack which in some cases could affect eero’s mesh implementation, and a common implementation of SAE contained a vulnerability related to state validation. eero networks were patched to protect customers from both issues before this news was made public.

 

| Vulnerability ID | Name | Is eero affected? |
| --- | --- | --- |
| CVE-2019-9494 | SAE cache attack against ECC groups | No |
| CVE-2019-9495 | EAP-pwd cache attack against ECC groups | No |
| CVE-2019-9496 | SAE confirm missing state validation | Patched |
| CVE-2019-9497 | EAP-pwd missing commit validation (reflection attack) | No |
| CVE-2019-9498 | EAP-pwd missing commit validation - network impact | No |
| CVE-2019-9499 | EAP-pwd missing commit validation - rogue AP | No |

Patches for eero customers were applied automatically in eeroOS v3.12.1. To confirm whether or not your network is patched, please refer to this article.