FRAG ATTACK for Wi-Fi: Putting the Pieces Back Together

Thu, 05/20/2021 - 23:51

On Tuesday, May 11th, the Wi-Fi Alliance announced details of a collection of new vulnerabilities affecting Wi-Fi devices. Because a successful attack would let a cyber-criminal steal user information, exploitation of the FRAG ATTACK vulnerabilities is considered a serious threat to the security of devices that use Wi-Fi connectivity.

Laird Connectivity is aware of these industry-wide vulnerabilities, and we are committed to providing our customers with patches and updates as quickly as possible. We take any cyber-security threat extremely seriously; we are developing a plan for our impacted products and will post updates as they become available.

The Vulnerabilities

The vulnerabilities impact all modern Wi-Fi security protocols, including the most recent WPA3 specification. It has been shown that even the original security protocol, WEP, is susceptible to attack. Because so many devices are affected, the potential for targeted attacks is high. The good news is that the vulnerabilities are quite difficult to abuse.

The recent disclosure of the FRAG ATTACK details is the result of nine months of coordinated disclosure and remediation supervised by the Wi-Fi Alliance and ICASI. However, it wasn't until the most recent disclosure that we were able to view the full scope of the issues.

Further information on the FRAG ATTACK vulnerabilities can be found at www.fragattacks.com, where full descriptions of the vulnerabilities are shared, as well as a demonstration of the attacks in action. If you have any questions or concerns about the current situation, please contact your sales or support representative for more details.

Assigned CVE Identifiers

The vulnerabilities are tracked under the following Common Vulnerabilities and Exposures (CVE) identifiers:

Design Flaws

CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).

CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).

Implementation Vulnerabilities (Trivial injection of plaintext frames in a protected Wi-Fi network)

CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).

CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).

CVE-2020-26140: Accepting plaintext data frames in a protected network.

CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

Other Implementation Flaws

CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).

CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.

CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.

CVE-2020-26142: Processing fragmented frames as full frames.

CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
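
Most of the entries above describe a check that a patched receiver performs (or fails to perform) while reassembling fragments. The following Python model is an added example written for this post; it is not Laird Connectivity's driver code and not the researchers' tooling. The Fragment fields, the Reassembler class, the make_fragment and feed helpers, and the transmitter address are all assumptions made for illustration, and the A-MSDU handling is simplified to "drop A-MSDU frames unless SPP A-MSDU was negotiated". It covers the fragment cache (CVE-2020-24586), mixed key (CVE-2020-24587), aggregation (CVE-2020-24588), plaintext injection (CVE-2020-26140, CVE-2020-26143, CVE-2020-26145), fragment-as-full-frame (CVE-2020-26142), non-consecutive packet number (CVE-2020-26146) and mixed encrypted/plaintext (CVE-2020-26147) cases; EAPOL forwarding (CVE-2020-26139), the EAPOL A-MSDU case (CVE-2020-26144) and the TKIP MIC check (CVE-2020-26141) are outside the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, NoReturn, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One received 802.11 data frame or fragment, as seen after decryption.
    The field names are assumptions of this model, not a real driver's structures."""
    src: str               # transmitter address
    seq: int               # sequence number, shared by all fragments of one MSDU
    frag_num: int          # fragment number within the MSDU
    more_frags: bool       # "More Fragments" bit
    protected: bool        # "Protected Frame" bit
    key_id: Optional[int]  # index of the key that decrypted the frame, None if plaintext
    pn: Optional[int]      # CCMP/GCMP packet number, None if plaintext
    is_amsdu: bool         # "A-MSDU Present" bit
    payload: bytes


class RejectedFrame(Exception):
    """Raised for any fragment a patched receiver must drop."""


@dataclass
class Reassembler:
    network_protected: bool = True   # the station is associated to an encrypted network
    spp_amsdu: bool = False          # SPP A-MSDU capability negotiated with the peer
    rejections: List[str] = field(default_factory=list)   # drop reasons, for monitoring
    _pending: Dict[Tuple[str, int], List[Fragment]] = field(default_factory=dict)

    def _reject(self, reason: str) -> NoReturn:
        self.rejections.append(reason)
        raise RejectedFrame(reason)

    def on_connect(self) -> None:
        # CVE-2020-24586: partial fragments never survive a (re)connect.
        self._pending.clear()

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the reassembled MSDU when complete, None while fragments are pending."""
        # CVE-2020-26140 / -26143 / -26145: once the network is encrypted, no plaintext
        # data frame or fragment (broadcast included) is accepted.
        if self.network_protected and not f.protected:
            self._reject("plaintext data frame in protected network")
        # CVE-2020-24588: the A-MSDU flag is only authenticated in SPP mode, so this
        # model drops A-MSDU frames unless SPP A-MSDU was negotiated (a simplification).
        if f.is_amsdu and not self.spp_amsdu:
            self._reject("A-MSDU without SPP")

        key = (f.src, f.seq)
        if f.frag_num == 0:
            if not f.more_frags:
                return f.payload            # ordinary unfragmented frame
            self._pending[key] = [f]        # first fragment of a new MSDU
            return None

        # CVE-2020-26142: a later fragment is never processed as a full frame, and a
        # rejected fragment discards the whole partially reassembled MSDU.
        pending = self._pending.pop(key, None)
        if pending is None:
            self._reject("fragment without a first fragment")
        prev = pending[-1]
        if f.frag_num != prev.frag_num + 1:
            self._reject("fragment number not consecutive")
        # CVE-2020-26147: encrypted and plaintext fragments are never mixed (defence in
        # depth here, since the first check already drops plaintext on a protected network).
        if f.protected != prev.protected:
            self._reject("mixed encrypted and plaintext fragments")
        # CVE-2020-24587: every fragment must have been decrypted under the same key.
        if f.key_id != prev.key_id:
            self._reject("fragments decrypted under different keys")
        # CVE-2020-26146: packet numbers of consecutive fragments must be consecutive.
        if prev.pn is not None and f.pn != prev.pn + 1:
            self._reject("packet number not consecutive")

        pending.append(f)
        if f.more_frags:
            self._pending[key] = pending
            return None
        return b"".join(p.payload for p in pending)


def make_fragment(seq, frag_num, more_frags, pn=None, key_id=0, protected=True,
                  amsdu=False, payload=b"") -> Fragment:
    """Build a constructed test fragment from a fixed, made-up transmitter address."""
    return Fragment("02:00:00:00:00:01", seq, frag_num, more_frags, protected,
                    key_id, pn, amsdu, payload)


def feed(r: Reassembler, f: Fragment):
    """Return ("accepted", payload_or_None) or ("dropped", reason) for one fragment."""
    try:
        return ("accepted", r.receive(f))
    except RejectedFrame as e:
        return ("dropped", str(e))


if __name__ == "__main__":
    r = Reassembler()
    print(feed(r, make_fragment(1, 0, True, pn=10, payload=b"abc")))   # accepted, pending
    print(feed(r, make_fragment(1, 1, False, pn=12, payload=b"def")))  # dropped: PN gap
    print(r.rejections)
```

The rejections list stands in for the drop counters a patched driver would keep; a sudden rise in such counters on a deployed product is a practical signal that something on the air is sending malformed fragments, and it is the kind of statistic worth exposing when a firmware update for these issues ships.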


Please note that this is the complete set of vulnerabilities discovered by the research team, but not all products contain all vulnerabilities. We are assessing which of our products contain which vulnerabilities, and future communications will contain information on impacted products and remediation instructions.