CVE-2021-37605: Microchip MiWi software vulnerability where only two of four Message Integrity Check (MIC) bytes are validated, reducing security effectiveness.


In Microchip MiWi software version 6.5 and all previous versions, including legacy products, there is a security vulnerability (CVE-2021-37605) where the stack only validates two out of the required four Message Integrity Check (MIC) bytes. This incorrect implementation of the security validation mechanism significantly reduces the effectiveness of the cryptographic protection, making the system more susceptible to attacks. This vulnerability is classified as CWE-670 (Always-Incorrect Control Flow Implementation), indicating a fundamental flaw in how the security validation is implemented.

Overview

The vulnerability affects Microchip's MiWi protocol, which is a wireless protocol designed for low-power applications in the sub-GHz frequency range. The Message Integrity Check (MIC) is a critical security feature designed to ensure data integrity and authenticity. By only validating half of the MIC bytes (2 out of 4), the implementation significantly weakens the cryptographic protection. This reduces the complexity for potential attackers to forge valid messages or manipulate communication within MiWi networks. The vulnerability impacts all versions of the MiWi software through version 6.5, affecting a wide range of devices and applications that rely on this protocol for secure communications.
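The following added example (not Microchip code) contrasts a MIC verifier with the flaw the advisory describes against a correct one. Because the page does not name MiWi's MIC algorithm, the MIC is a stand-in (HMAC-SHA256 truncated to 4 bytes); the key and frame bytes are constructed, and the work-factor figures follow directly from the number of bytes actually compared (16 bits vs 32 bits).

```python
import hashlib
import hmac

MIC_LEN = 4  # MiWi MIC is 4 bytes, per the advisory


def compute_mic(key: bytes, frame: bytes) -> bytes:
    # Stand-in MIC: keyed MAC truncated to 4 bytes. The real MiWi algorithm
    # is not stated on the page; any keyed MAC illustrates the check-length flaw.
    return hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]


def verify_mic_vulnerable(key: bytes, frame: bytes, received: bytes) -> bool:
    # Mirrors CVE-2021-37605: only the first 2 of the 4 MIC bytes are compared,
    # so the last two bytes of the tag are never checked at all.
    expected = compute_mic(key, frame)
    return expected[:2] == received[:2]


def verify_mic_fixed(key: bytes, frame: bytes, received: bytes) -> bool:
    # Correct behaviour: length check plus constant-time compare of all 4 bytes.
    expected = compute_mic(key, frame)
    return len(received) == MIC_LEN and hmac.compare_digest(expected, received)


def forgery_work_factor(bytes_checked: int) -> int:
    # Expected number of guesses to hit a MIC when only `bytes_checked` bytes
    # are verified: 2^16 for the flawed stack, 2^32 when all 4 bytes count.
    return 2 ** (8 * bytes_checked)


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    frame = bytes.fromhex("418801341200010003") + b"sensor=21.5"  # constructed frame
    good_mic = compute_mic(key, frame)
    # A tag whose last two bytes are wrong: detectable only if all 4 bytes are checked.
    half_wrong = good_mic[:2] + bytes(b ^ 0xFF for b in good_mic[2:])
    return {
        "valid_passes_vulnerable": verify_mic_vulnerable(key, frame, good_mic),
        "valid_passes_fixed": verify_mic_fixed(key, frame, good_mic),
        "half_wrong_passes_vulnerable": verify_mic_vulnerable(key, frame, half_wrong),
        "half_wrong_passes_fixed": verify_mic_fixed(key, frame, half_wrong),
        "work_factor_vulnerable": forgery_work_factor(2),
        "work_factor_fixed": forgery_work_factor(MIC_LEN),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The flawed verifier accepts a tag with two corrupted bytes, and the forgery work factor drops from 2^32 to 2^16, which is what the advisory means by significantly weakened protection.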

Remediation

Users should update to the fixed versions of the Microchip Advanced Software Framework (ASF) that address this vulnerability. Microchip has released updates in ASF versions 3.50.0.100 and 3.51.0.101, as documented in their release notes. Organizations using MiWi in their products should:

  1. Upgrade to the latest version of the MiWi software that includes the fix
  2. Apply any available patches or updates from Microchip
  3. If immediate updates are not possible, consider implementing additional security measures at the network level to mitigate potential attacks
  4. Review system logs for any suspicious activities that might indicate exploitation of this vulnerability
  5. Contact Microchip support for product-specific guidance if needed

References

  1. Microchip ASF Release Notes 3.50.0.100: https://ww1.microchip.com/downloads/en/DeviceDoc/asf-release-notes-3.50.0.100-readme.pdf
  2. Microchip ASF Release Notes 3.51.0.101: https://ww1.microchip.com/downloads/en/DeviceDoc/asf-release-notes-3.51.0.101-readme.pdf
  3. Microchip Advanced Software Framework Downloads: https://www.microchip.com/en-us/development-tools-tools-and-software/libraries-code-examples-and-more/advanced-software-framework-for-sam-devices#Downloads
  4. MiWi Software Vulnerability Information: https://www.microchip.com/en-us/products/wireless-connectivity/software-vulnerability-response/miwi-software-vulnerability
  5. Microchip MiWi Protocol Information: https://www.microchip.com/en-us/products/wireless-connectivity/sub-ghz/miwi-protocol
  6. Microchip Product Change Notifications: https://www.microchip.com/product-change-notifications/#/


Armis Vulnerability Intelligence Database