Microsoft Wireless Display Adapter V2 has been diagnosed with three vulnerabilities: command injection vulnerability, broken access control vulnerability, and evil twin attack vulnerability. The first vulnerability has only been tested on the Microsoft Wireless Display Adapter V2 software versions 2.0.8350 to 2.0.8372 and has been found to impact all the versions in this range. The broken access control and evil twin attack vulnerabilities have been found to affect only the software version 2.0.8350 in the tested range. Other versions of the software were not tested, and the vulnerabilities have not been exploited yet. The command injection vulnerability has been assigned the label CVE-2018-8306, and it has been given a relatively moderate risk assessment.
The Microsoft Wireless Display Adapter is a hardware device that allows the broadcasting of screens from Miracast enabled Microsoft Windows devices. The mechanism utilizes the Wi-Fi Direct connection and the Miracast audio/video transmission channel to broadcast the screen. The process is WPA2 encrypted as per the encryption of the Wi-Fi connection in use for added security.
In order to pair the device with the display, the mechanism offers both a push button connection as well as a PIN connection. Once the connection is established, the device does not need to be verified for every subsequent connection.
Continuing with this previously achieved authorization, a command injection vulnerability can occur when the name of the display adapter is set in the “NewDeviceName” parameter. Creating a situation where characters escape the command line scripts, the device is set into a boot loop where it stops functioning properly. The affected script for this vulnerability is the “/cgi-bin/msupload.sh” script.
The second vulnerability, broken access control, can occur when the push button configuration method is used for device pairing, only requiring that the device be in wireless range without any need for physical access to it for PIN verification. Once the first connection is established in this manner, subsequent connections do not need verification, allowing a compromised device to have unrestricted control.
The third vulnerability, evil twin attack, occurs when an attacker manipulates a user into connecting to his or her MSWDA device by being connected to the rightful MSWDA and only putting out the attacker’s own MSWDA for the user to connect to. Once the connection is established, the user will not know that s/he has connected to the wrong device and the attacker will have access to the user’s files and data, streaming the content on his/her device.
Microsoft was initially contacted on the 21st of March regarding this set of vulnerabilities. The CVE number was assigned on the 19th of June and the firmware updates were released on the 10th of July. Since then, Microsoft has just now come forward with its public disclosure advisory. The vulnerabilities collectively impact versions 2.0.8350, 2.0.8365, and 2.0.8372 of the Microsoft Wireless Display Adapter V2 software.
Security updates labelled as “important” by Microsoft are available for all three versions on their website as part of the security bulletin published. Another mitigation suggested requires that users open the Microsoft Wireless Display Adapter Windows application and check the box beside “Pair with PIN Code” under the “Security Setting” tab. This ensures that physical access to the device is required to view its screen and match the PIN codes ensuring that an unwanted wirelessly reachable device does not easily connect to the setup. The vulnerabilities impacting the three versions were given a CVSS 3.0 base score of 5.5 each and a temporal score of 5 each.