All Wi-Fi-enabled devices are vulnerable to Frag Attacks issues

Wi-Fi Devices and Frag Attacks

The well-known information security expert Mathy Vanhoef reported the discovery of a whole set of vulnerabilities named Frag Attacks (fragmentation and aggregation attacks), which affect all Wi-Fi-capable devices released after 1997 (computers, smartphones and “smart” devices).

Let me remind you that Vanhoef earlier discovered such dangerous vulnerabilities as KRACK and Dragonblood, the disclosure of which significantly improved the security of the Wi-Fi standard.

Frag Attacks issues allow an attacker to gather information about the device’s owner and execute malicious code. Even worse, the vulnerabilities are relevant even if WEP and WPA protection is active. The researcher demonstrates the attack on unpatched Windows 7 in the video below.

Vanhoef writes that three of the vulnerabilities are design flaws in the Wi-Fi 802.11 standard, related to its frame aggregation and fragmentation functions, while the other bugs are programming problems in various Wi-Fi products.

“Experiments show that every Wi-Fi product is vulnerable to at least one problem, and most products are vulnerable to several at once. The vulnerabilities affect all modern Wi-Fi security protocols, including the latest WPA3 specification. Even the original Wi-Fi security protocol, WEP, is affected. This means that some of the discovered flaws have been part of Wi-Fi since its introduction in 1997!” says the expert.

As in the case of KRACK and Dragonblood, Vanhoef immediately reported his findings to the Wi-Fi Alliance engineers. For the past nine months, the organization has been working on fixing the standards and working with device vendors to get fixes ready as soon as possible.

You can determine if a specific device has received a fix by looking at the manufacturer’s security bulletins for the following CVE IDs:

  • CVE-2020-24588: aggregation attack (receiving non-SPP A-MSDU frames);
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys);
  • CVE-2020-24586: fragment cache attack (fragments are not removed from memory when reconnecting to the network);
  • CVE-2020-26145: receiving broadcast fragments in plaintext as full frames (over an encrypted network);
  • CVE-2020-26144: accepting plaintext A-MSDU frames when they begin with an RFC1042 header with EtherType EAPOL (over an encrypted network);
  • CVE-2020-26140: receiving data frames in clear text on a secure network;
  • CVE-2020-26143: receiving fragmented data frames in clear text on a secure network;
  • CVE-2020-26139: forwarding EAPOL frames even if the sender is not yet authenticated (should only affect access points);
  • CVE-2020-26146: reassembling encrypted fragments with inconsistent packet numbers;
  • CVE-2020-26147: reassembling mixed fragments (encrypted and plaintext);
  • CVE-2020-26142: treating fragmented frames as complete;
  • CVE-2020-26141: no TKIP MIC verification of fragmented frames.
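A simplified receiver-side model of the reassembly checks that several of the entries above describe as missing, added here as an illustration (it is not code from Vanhoef or any vendor). It assumes a protected network where every fragment must be encrypted; the `Fragment` fields, key labels and sample values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    frag_no: int     # position within the frame, starting at 0
    encrypted: bool  # fragment arrived encrypted and decrypted correctly
    key_id: str      # constructed label for the key that decrypted it
    pn: int          # packet number (per-key counter) of the fragment
    payload: bytes

def violations(frags):
    """Return the checks a fragment set fails, named by the CVE IDs listed above."""
    frags = sorted(frags, key=lambda f: f.frag_no)
    found = []
    if [f.frag_no for f in frags] != list(range(len(frags))):
        found.append("incomplete")      # a fragment is missing or duplicated
    flags = {f.encrypted for f in frags}
    if flags == {False}:
        found.append("CVE-2020-26143")  # fragmented frame in clear text
    elif flags == {True, False}:
        found.append("CVE-2020-26147")  # mixed encrypted and plaintext fragments
    enc = [f for f in frags if f.encrypted]
    if len({f.key_id for f in enc}) > 1:
        found.append("CVE-2020-24587")  # fragments encrypted under different keys
    elif any(b.pn != a.pn + 1 for a, b in zip(enc, enc[1:])):
        found.append("CVE-2020-26146")  # packet numbers are not consecutive
    return found

class FragmentCache:
    """Incomplete frames per sender; emptied on every (re)connect."""
    def __init__(self):
        self.pending = {}

    def add(self, sender, frag, last):
        frags = self.pending.setdefault(sender, [])
        frags.append(frag)
        if not last:
            return None                 # wait for the remaining fragments
        del self.pending[sender]
        if violations(frags):
            return None                 # drop the whole frame
        ordered = sorted(frags, key=lambda f: f.frag_no)
        return b"".join(f.payload for f in ordered)

    def on_reconnect(self):
        self.pending.clear()            # CVE-2020-24586: drop stale fragments

# Constructed sample fragments, not captured traffic.
A0 = Fragment(0, True, "session-1", 100, b"GET /")
A1 = Fragment(1, True, "session-1", 101, b"index")
```

A frame is delivered only when `violations` returns an empty list; any failed check discards every fragment of that frame.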

Nevertheless, the good news is that Vanhoef found most of these vulnerabilities difficult to exploit: they either require user interaction or are only possible with highly non-standard network settings.

On his website, Vanhoef listed a number of protective measures that users should take. The simplest defence is to ensure that websites are only accessible via HTTPS, which blocks attacks.

Microsoft is known to have released fixes for 3 of 12 vulnerabilities affecting Windows systems. Also, patches for their products were prepared by Cisco, Juniper Networks, HPE/Aruba and Sierra Wireless. Other vendors plan to submit fixes in the coming weeks, ICASI reports.

Let me remind you that I also reported that the Kr00k problem threatens devices with Qualcomm and MediaTek Wi-Fi chips.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
