In certain cases, the PN used by the WL18xx firmware when transmitting packets can increment beyond the PN stored by the host-side driver for WL18xx. The host-side PN value is used to recover the system if a reset is required. If a device recovery is triggered, the PN will be restored by the value saved in the host, which can cause the WL18xx device to repeat PN numbers in subsequent transmitted packets without changing keys.

TI PSIRT ID

TI-PSIRT-2021-100120

CVE ID

WiLink WL18xx PN reuse issue

CVSS Score: 5.7

CVSS Vector:

Affected Products

• WL1801, WL1831
• WL1801MOD, WL1831MOD, WL1805MOD, WL1835MOD, WL1807MOD, WL1837MOD

Potentially Impacted Features

The reuse of PN numbers can appear as a replay attack to a connected AP, which can respond by dropping incoming packets. This can lead to a period during which a WL18xx station can experience a denial of service.

Suggested Mitigations

The following updates have been released to fix this vulnerability:

• Wl18xx_fw v8.9.1.0.0
• R8.8 wlcore patch: 0023-wlcore-Fixing-PN-drift-on-encrypted-link-after-recov.patch

Products based on the WL18xx NLCP Driver can be updated with the firmware version v8.9.1.0.0 and apply the wlcore patch to fix this issue.

NOTE: Both the firmware and the driver updates must be applied together for the system to work properly and to fix the issue. Updating the firmware without applying the latest driver can cause the driver to fail during initialization.