FRAG ATTACK for Wi-Fi: Putting the Pieces Back Together
Published on May 20, 2021
On Tuesday May 11th, the Wi-Fi Alliance announced details of a collection of new vulnerabilities affecting Wi-Fi devices. Since a successful attack would allow an attacker to steal user information, exploitation of the FRAG ATTACK vulnerabilities is considered a serious threat to the security of devices using Wi-Fi connectivity.
Ezurio (formerly Laird Connectivity) is aware of these industry-wide vulnerabilities and is committed to providing our customers with patches and updates as quickly as possible. We take any cyber-security threat extremely seriously, are developing a plan for our impacted products, and will post updates as they become available.
The Vulnerabilities
The vulnerabilities impact all modern Wi-Fi security protocols, including the most recent WPA3 specification. It has been shown that even the original security protocol, WEP, is susceptible to attack. With such a broad base of susceptibility, the potential for targeted attacks can be considered high. The good news is that the vulnerabilities are quite difficult to abuse.
The recent disclosure of the FRAG ATTACK details is the result of nine months of coordinated disclosure and remediation supervised by the Wi-Fi Alliance and ICASI. However, it wasn't until the most recent disclosure that we were able to view the full scope of the issues.
Further information on the FRAG ATTACK vulnerabilities can be found at www.fragattacks.com, where full descriptions of the vulnerabilities are shared, as well as a demonstration of the attacks in action. If you have any questions or concerns about the current situation, please contact your sales or support representative for more details.
Assigned CVE Identifiers
Details of the vulnerabilities are tracked by Common Vulnerabilities and Exposures (CVE) IDs. The following are the associated CVE identifiers for the vulnerabilities:
Design Flaws

| CVE identifier | Description |
| --- | --- |
| CVE-2020-24586 | Fragment cache attack (not clearing fragments from memory when (re)connecting to a network). |
| CVE-2020-24587 | Mixed key attack (reassembling fragments encrypted under different keys). |
| CVE-2020-24588 | Aggregation attack (accepting non-SPP A-MSDU frames). |

Implementation Vulnerabilities (trivial injection of plaintext frames in a protected Wi-Fi network)

| CVE identifier | Description |
| --- | --- |
| CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network). |
| CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network). |
| CVE-2020-26140 | Accepting plaintext data frames in a protected network. |
| CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network. |

Other Implementation Flaws

| CVE identifier | Description |
| --- | --- |
| CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs). |
| CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers. |
| CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments. |
| CVE-2020-26142 | Processing fragmented frames as full frames. |
| CVE-2020-26141 | Not verifying the TKIP MIC of fragmented frames. |
Please note that while this is the complete set of vulnerabilities discovered by the research team, not every product is affected by all of them. We are assessing which of our products contain which vulnerabilities, and future communications will contain information on impacted products and remediation instructions.
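The receiver-side checks that close the fragmentation flaws in the tables above, as an added Python model that is not Ezurio's code and not real driver code: a station in a protected network clears its fragment cache on (re)association (CVE-2020-24586), refuses fragments decrypted under different keys (CVE-2020-24587) or with non-consecutive packet numbers (CVE-2020-26146), never accepts plaintext fragments (CVE-2020-26140, -26143, -26145, -26147), and never treats a lone later fragment as a full frame (CVE-2020-26142). The Fragment fields and the status tuples returned by receive() are assumptions of this model; the A-MSDU aggregation attack (CVE-2020-24588) is not covered.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Fragment:  # constructed model of one received fragment, not real 802.11 parsing
    seq: int                # sequence number shared by all fragments of one MSDU
    frag_num: int           # fragment number, starting at 0
    more_frags: bool        # "More Fragments" flag in the frame control field
    encrypted: bool         # Protected Frame bit was set and decryption succeeded
    key_id: Optional[int]   # identifier of the key that decrypted it (None if plaintext)
    pn: Optional[int]       # CCMP/GCMP packet number (None if plaintext)
    payload: bytes

class Reassembler:
    """Receiver-side reassembly for a station in a protected (WPA2/WPA3) network."""
    def __init__(self):
        self._cache = {}    # seq -> fragments received so far for that MSDU

    def reset(self):
        """Clear the fragment cache on (re)association (CVE-2020-24586)."""
        self._cache.clear()

    def receive(self, frag):
        """Return ("msdu", payload), ("pending", None) or ("drop", reason)."""
        def drop(reason):
            self._cache.pop(frag.seq, None)  # discard pending fragments of this MSDU
            return ("drop", reason)
        if not frag.encrypted:  # CVE-2020-26140, -26143, -26145, -26147
            return drop("plaintext fragment in protected network")
        pending = self._cache.get(frag.seq, [])
        if not pending and frag.frag_num != 0:  # CVE-2020-26142
            return drop("fragment without a preceding first fragment")
        if pending:
            prev = pending[-1]
            if frag.frag_num != prev.frag_num + 1:
                return drop("fragment number gap")
            if frag.key_id != prev.key_id:  # CVE-2020-24587 mixed key attack
                return drop("fragments encrypted under different keys")
            if frag.pn != prev.pn + 1:  # CVE-2020-26146 non-consecutive packet numbers
                return drop("non-consecutive packet numbers")
        pending.append(frag)
        if frag.more_frags:
            self._cache[frag.seq] = pending
            return ("pending", None)
        self._cache.pop(frag.seq, None)
        return ("msdu", b"".join(f.payload for f in pending))
```

Duplicate detection of retransmitted fragments is assumed to happen before this stage, so a repeated fragment number is treated as a gap and the pending MSDU is discarded.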