Security Feature Bypass in Microsoft Wireless Keyboard 850 - CVE-2018-8117
Published: April 10, 2018 / Updated: April 10, 2018
Vulnerability identifier: #VU11700
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-8117
CWE-ID: CWE-321
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Wireless Keyboard 850
Microsoft Wireless Keyboard 850
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to Microsoft Wireless Keyboard 850 is using the same hardcoded AES encryption key on multiple devices. A remote attacker, who has access to any Microsoft Wireless Keyboard 850, can extract AES encryption key and reuse it to send keystrokes to other keyboard devices or to read keystrokes sent by other keyboards for the affected devices.
Successful exploitation of the vulnerability requires that the attacker is able to extract the AES encryption key from the affected keyboard device and maintains physical proximity within wireless range of the devices for the duration of the attack.
The vulnerability exists due to Microsoft Wireless Keyboard 850 is using the same hardcoded AES encryption key on multiple devices. A remote attacker, who has access to any Microsoft Wireless Keyboard 850, can extract AES encryption key and reuse it to send keystrokes to other keyboard devices or to read keystrokes sent by other keyboards for the affected devices.
Successful exploitation of the vulnerability requires that the attacker is able to extract the AES encryption key from the affected keyboard device and maintains physical proximity within wireless range of the devices for the duration of the attack.
How to mitigate CVE-2018-8117
Install updates from vendor's website.