Threat Alert

by IthacaLabs™

THREAT LEVEL/High 12/05/2021

New Flaws Affecting Nearly All Wi-Fi Devices

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that multiple implementation flaws in the “IEEE 802.11” technical standard have been identified.

An attacker, within radio range of a victim, may take advantage of these flaws to steal user data or attack devices. Researchers have observed that any Wi-Fi device is vulnerable to at least one of these vulnerabilities.

IEEE 802.11 is the foundation for all modern Wi-Fi devices, enabling computers, tablets, printers, smartphones, smart speakers, and other devices to communicate with one another and connect to the Internet through a wireless router.

This group of flaws, named FragAttacks (short for FRAGmentation and AGgregation attacks), affects all Wi-Fi security protocols, from Wired Equivalent Privacy (WEP) to Wi-Fi Protected Access 3 (WPA3), putting almost any wireless-enabled system at risk.

The problems stem from “widespread” programming errors embedded in the standard’s implementation, with some bugs dating back to 1997. These vulnerabilities are related to the way the “IEEE 802.11” standard fragments and aggregates frames.

As a consequence, threat actors, by exploiting these issues, could inject arbitrary packets, trick a victim into using a malicious DNS server and/or forge frames to steal data.

CVE(s)

CVE-2020-24588

BASE SCORE: 2.9 Low

VECTOR: (AV:A/AC:M/Au:N/C:N/I:P/A:N)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SPP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.

CVE-2020-24587

BASE SCORE: 1.8 Low

VECTOR: (AV:A/AC:H/Au:N/C:P/I:N/A:N)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

CVE-2020-24586

BASE SCORE: 2.9 Low

VECTOR: (AV:A/AC:M/Au:N/C:P/I:N/A:N)

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.

CVE-2020-26145

BASE SCORE: 3.3 Low

VECTOR: (AV:A/AC:L/Au:N/C:N/I:P/A:N)

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

CVE-2020-26144

BASE SCORE: 3.3 Low

VECTOR: (AV:A/AC:L/Au:N/C:N/I:P/A:N)

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

CVE-2020-26140

BASE SCORE: 3.3 Low

VECTOR: (AV:A/AC:L/Au:N/C:N/I:P/A:N)

An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

CVE-2020-26143

BASE SCORE: 3.3 Low

VECTOR: (AV:A/AC:L/Au:N/C:N/I:P/A:N)

An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

CVE-2020-26139

BASE SCORE: 2.9 Low

VECTOR: (AV:A/AC:M/Au:N/C:N/I:N/A:P)

An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.

CVE-2020-26146

BASE SCORE: 2.9 Low

VECTOR: (AV:A/AC:M/Au:N/C:N/I:P/A:N)

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.

CVE-2020-26147

BASE SCORE: 3.2 Low

VECTOR: (AV:A/AC:H/Au:N/C:P/I:P/A:N)

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

CVE-2020-26142

BASE SCORE: 5.0 Medium

VECTOR: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.

CVE-2020-26141

BASE SCORE: 3.3 Low

VECTOR: (AV:A/AC:L/Au:N/C:N/I:P/A:N)

An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
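The fragment-handling CVEs above (CVE-2020-24587, CVE-2020-24586, CVE-2020-26146, CVE-2020-26147 and CVE-2020-26142) all describe a check that a receiver should perform on fragmented frames but does not. The following is an added, constructed model of a hardened fragment reassembler that enforces those checks on the receive side; it is not code from the advisory or from any vendor, and the Fragment fields (key_id, pn, protected) are simplifying assumptions standing in for what a real driver knows after decryption.

```python
"""Constructed defensive model of an 802.11 fragment reassembler.

Not vendor code. Each check maps to a FragAttacks CVE from the advisory:
  CVE-2020-26147: every fragment must be protected (no plaintext mix)
  CVE-2020-24587: all fragments must be decrypted under the same key
  CVE-2020-26146: fragment packet numbers (PNs) must be consecutive
  CVE-2020-24586: the fragment cache is cleared on (re)connect
  CVE-2020-26142: a fragment with More Fragments set is never delivered
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Fragment:
    seq: int          # sequence number shared by all fragments of one frame
    frag: int         # fragment number, 0-based
    more: bool        # More Fragments flag from the Frame Control field
    protected: bool   # Protected Frame bit set and decryption succeeded
    key_id: int       # assumed: identifier of the key used for decryption
    pn: int           # assumed: CCMP/GCMP packet number of this fragment
    payload: bytes


@dataclass
class Reassembler:
    _cache: dict = field(default_factory=dict)  # seq -> fragments so far

    def on_reconnect(self) -> None:
        # CVE-2020-24586: stale fragments must not survive a (re)association
        self._cache.clear()

    def receive(self, f: Fragment) -> Optional[bytes]:
        if not f.protected:
            return None  # CVE-2020-26147: plaintext fragments are dropped
        if f.frag == 0:
            self._cache[f.seq] = [f]  # a new first fragment restarts the chain
        else:
            chain = self._cache.get(f.seq)
            if chain is None or chain[-1].frag + 1 != f.frag:
                return None  # out-of-order or orphan fragment
            prev = chain[-1]
            # CVE-2020-24587 / CVE-2020-26146: same key and consecutive PN
            if f.key_id != prev.key_id or f.pn != prev.pn + 1:
                del self._cache[f.seq]
                return None
            chain.append(f)
        if f.more:
            return None  # CVE-2020-26142: never deliver a partial frame
        chain = self._cache.pop(f.seq)
        return b"".join(x.payload for x in chain)
```

The return value of receive() is the reassembled MSDU only once a complete, consistently keyed chain has arrived; anything else yields None and is dropped.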

Affected Systems

  • All Wi-Fi security protocols

Recommendation(s)

You should implement the relevant mitigations for “FragAttacks” provided by vendors such as Cisco, HPE/Aruba Networks, Juniper Networks, and Sierra Wireless; these can be found in the advisory released by the Industry Consortium for Advancement of Security on the Internet (ICASI).

A link to the aforementioned advisory can be found in the “References” section.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to keep security event logging enabled, and to practice active event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.

References
