FragAttack (Fragmentation and aggregation attack) affect WiFi devices exposed them to remote attacks. The vulnerabilities could be exploited by an attacker within a device’s WiFi radio range to steal info from it and also execute malicious code. The devices were exposed to the FragAttack even if they were using WiFi security protocols such as WEP, WPA, and WPA3.
The issues impact all Wi-Fi security protocols, more than 75 tested Wi-Fi devices were affected by at least one of the FragAttacks flaws, and in the majority of the cases, the devices were vulnerable to multiple vulnerabilities.
The expert discovered three design flaws in the 802.11 standard that underpins WiFi along with common implementation flaws related to aggregation and fragmentation.
The vulnerabilities affect all major operating systems, including Windows, Linux, Android, macOS, and iOS. All The APs that were tested by the experts were also found vulnerable, including professional APs.NetBSD and OpenBSD were not impacted because they do not support the reception of A-MSDUs.
“The Wi-Fi flaws can be abused in two ways. First, under the right conditions they can be abused to steal sensitive data. Second, an adversary can abuse the Wi-Fi flaws to attack devices in someone’s home network.”. “The biggest risk in practice is likely the ability to abuse the discovered flaws to attack devices in someone’s home network.
Summarizing, the design flaws discovered by the expert are:
- CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: fragment cache attack (not clearing fragments from memory when reconnecting to a network)
while the implementation vulnerabilities are:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
and other implementation flaws found by the researcher are:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
The expert notified affected vendors and has given 9 months to address the issues. Cisco , HPE/Aruba, have released the updates to mitigate the issue
