SB2018041019 - Usage of the same hardcoded AES encryption key on multiple Microsoft Wireless Keyboard 850 devices
Published: April 10, 2018
Security Bulletin ID
SB2018041019
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Adjacent network
Highest impact
Data manipulation
Description
This security bulletin contains information about 1 security vulnerability.
1) Security Feature Bypass (CVE-ID: CVE-2018-8117)
The vulnerability allows a remote attacker to bypass certain security restrictions. The vulnerability exists because the Microsoft Wireless Keyboard 850 uses the same hardcoded AES encryption key on multiple devices. A remote attacker who has access to any Microsoft Wireless Keyboard 850 can extract the AES encryption key and reuse it to send keystrokes to other keyboard devices or to read keystrokes sent by other keyboards for the affected devices.
Successful exploitation of the vulnerability requires that the attacker extract the AES encryption key from the affected keyboard device and maintain physical proximity within wireless range of the devices for the duration of the attack.
Remediation
Install the update from the vendor's website.