All Wi-Fi devices, including computers, smartphones, and smart devices, are affected by a newly discovered set of Wi-Fi security vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks).
Three of these vulnerabilities are design flaws in the Wi-Fi 802.11 standard's frame aggregation and frame fragmentation functionality and affect most devices; the others are programming mistakes in individual Wi-Fi products.
Security researcher Mathy Vanhoef (New York University Abu Dhabi), who discovered the FragAttacks bugs, said that experiments indicate every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several.
The discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification. Even the original security protocol of Wi-Fi, called WEP, is affected. Most of the design flaws have been part of Wi-Fi since its release in 1997.
Threat actors who abuse these design and implementation flaws must be within Wi-Fi range of the targeted devices; successful exploitation can allow them to steal sensitive user data and execute malicious code, potentially leading to full device takeover.
The design flaws are difficult to abuse because doing so requires user interaction or is only possible with uncommon network settings.
But the programming mistakes behind some of the FragAttacks vulnerabilities are trivial to exploit and would allow attackers to abuse unpatched Wi-Fi products with ease.
FragAttacks CVEs associated with Wi-Fi design flaws include:
- CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
The CVEs assigned for Wi-Fi implementation vulnerabilities include:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other implementation flaws discovered by Vanhoef include:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
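The fragmentation-related CVEs above all come down to checks a receiver must apply before joining fragments into one frame. The following is an added example, not code from the researcher or any vendor: a simplified receive-side reassembler (the `Fragment` model, its `key_id` field and the `on_connect` hook are assumptions, not real driver APIs) that drops fragment chains which mix keys (CVE-2020-24587), mix plaintext and encrypted fragments (CVE-2020-26147/26143), have non-consecutive packet numbers (CVE-2020-26146), are treated as complete while more fragments are pending (CVE-2020-26142), or survive a (re)connection (CVE-2020-24586).

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    """One received 802.11 data fragment (constructed model, not a real frame parser)."""
    frag_num: int      # fragment number from the sequence-control field
    more_frags: bool   # "more fragments" bit from the frame-control field
    encrypted: bool    # True if the fragment arrived protected (CCMP/GCMP/TKIP)
    key_id: int        # hypothetical id of the pairwise key it was decrypted with
    pn: int            # packet number (replay counter) of the fragment
    payload: bytes


class FragmentReassembler:
    """Receive-side reassembly with the checks the FragAttacks fixes require."""

    def __init__(self) -> None:
        self.frags: List[Fragment] = []

    def on_connect(self) -> None:
        # CVE-2020-24586: never keep fragments across a (re)connection.
        self.frags = []

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled MSDU once complete, otherwise None (bad chains are dropped)."""
        if frag.frag_num == 0:
            self.frags = []              # a new first fragment restarts the chain
        # CVE-2020-26147 / CVE-2020-26143: a plaintext fragment never joins a protected chain.
        if not frag.encrypted:
            self.frags = []
            return None
        if frag.frag_num != len(self.frags):
            self.frags = []              # out-of-order or orphan fragment
            return None
        if self.frags:
            prev = self.frags[-1]
            # CVE-2020-24587: all fragments must be decrypted under the same key.
            # CVE-2020-26146: packet numbers must be consecutive across fragments.
            if frag.key_id != prev.key_id or frag.pn != prev.pn + 1:
                self.frags = []
                return None
        self.frags.append(frag)
        if frag.more_frags:
            return None                  # CVE-2020-26142: a lone fragment is not a full frame
        msdu = b"".join(f.payload for f in self.frags)
        self.frags = []
        return msdu
```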
The researcher has published a video demonstrating how attackers could take over an unpatched Windows 7 system inside a target’s local network.
The Industry Consortium for Advancement of Security on the Internet (ICASI) says that vendors are developing patches for their products to mitigate the FragAttacks bugs.
Cisco Systems, HPE/Aruba Networks, Juniper Networks, Sierra Wireless, and Microsoft have already published FragAttacks security updates and advisories.
These security updates have been prepared during a 9-month-long coordinated disclosure process supervised by ICASI and the Wi-Fi Alliance.
The Wi-Fi Alliance stated that there is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices.
Users are advised to ensure they have installed the latest updates from their device manufacturers.
Users whose device vendor has not yet released security updates can still mitigate some of the attacks by ensuring that all websites and online services they visit use Hypertext Transfer Protocol Secure (HTTPS).
Additionally, users can disable fragmentation, pairwise rekeys, and dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.
An open-source tool to determine if access points and Wi-Fi clients on your network are affected by the FragAttacks flaws is also available on GitHub.