EnGenius Advisory: FragAttacks Security Advisory
May 11, 2021
Summary
On May 11, 2021 we publicly disclosed a dozen vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) that could affect devices with Wi-Fi capabilities. Refer to Wi-Fi Alliance announcement for more information.
Impact
These 12 vulnerabilities were discovered and disclosed by researcher, Dr. Mathy Vanhoef. Three vulnerabilities involve 802.11 standard design flaws, and the other 9 involve implementation vulnerabilities.
Successful exploitation of these vulnerabilities could enable the exfiltration of sensitive data from the targeted device. The following table describes the high-level impact on each of the CVE IDs.
Additional details >
|
Item
|
CVE-ID
|
Impact
|
|
1
|
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that received fragments must be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
|
|
|
2
|
Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
|
|
|
3
|
Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
|
|
|
4
|
Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
|
|
|
5
|
Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network): Vulnerable Wi-Fi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
|
|
|
6
|
Accepting plaintext broadcast fragments as full frames (in an encrypted network): Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
|
|
|
7
|
Reassembling encrypted fragments with non-consecutive packet numbers: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
|
|
|
8
|
Reassembling mixed encrypted/plaintext fragments: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
|
|
|
9
|
Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
|
|
|
10
|
Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
|
|
|
11
|
Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
|
|
|
12
|
Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
|
|
CVE-ID & Impact
|
|
CVE-2020-24586
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that received fragments must be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data. |
|
CVE-2020-24587
Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. |
|
CVE-2020-24588
Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. |
|
CVE-2020-26139
Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
|
CVE-2020-26140
Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network): Vulnerable Wi-Fi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. |
|
CVE-2020-26141
Accepting plaintext broadcast fragments as full frames (in an encrypted network): Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. |
|
CVE-2020-26142
Reassembling encrypted fragments with non-consecutive packet numbers: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. |
|
CVE-2020-26143
Reassembling mixed encrypted/plaintext fragments: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. |
|
CVE-2020-26144
Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
|
CVE-2020-26145
Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. |
|
CVE-2020-26146
Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. |
|
CVE-2020-26147
Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
Resolution
Recommended action to completely fix the vulnerabilities is to patch both ends of your Wi-Fi network—both the AP and Client.
EnGenius is investigating its indoor/outdoor Wi-Fi product line to determine the affected AP products and formulate resolution patches accordingly. Refer to the table below for resolution release details. As the investigation progresses, EnGenius will continually update this advisory as more information becomes available.
|
Cloud
|
Release Ver.
|
Target Release
|
|
ECW115
|
1.3.35
|
12-Jul-2021
|
|
ECW120
|
1.3.35
|
12-Jul-2021
|
|
ECW160
|
1.3.35
|
12-Jul-2021
|
|
ECW220v2
|
1.5.35
|
15-Jun-2021
|
|
ECW230
|
1.5.35
|
12-Jul-2021
|
|
ECW230v2
|
1.5.35
|
12-Jul-2021
|
|
ECW230v3
|
1.5.35
|
12-Jul-2021
|
|
ECW260
|
1.5.35
|
15-Jun-2021
|
|
Cloud – Version and Target Date
|
|
ECW115
1.3.35 12-Jul-2021 |
|
ECW120
1.3.35 12-Jul-2021 |
|
ECW160
1.3.35 12-Jul-2021 |
|
ECW220v2
1.5.35 15-Jun-2021 |
|
ECW230
1.5.35 12-Jul-2021 |
|
ECW230v2
1.5.35 12-Jul-2021 |
|
ECW230v3
1.5.35 12-Jul-2021 |
|
ECW260
1.5.35 15-Jun-2021 |
| On-Premises | Release Ver. | Target Release |
| EWS330AP | Evaluating | Q3-2021 |
| EWS355AP | Evaluating | Q3-2021 |
| EWS357AP | 3.9.1 | 26-Jul-2021 |
| EWS357APv2 | 3.9.1 | 26-Jul-2021 |
| EWS357APv3 | 3.9.1 | 28-Jun-2021 |
| EWS360AP | Evaluating | Q4-2021 |
| EWS377AP | 3.9.1 | 26-Jul-2021 |
| EWS377APv2 | 3.9.1 | 26-Jul-2021 |
| EWS377APv3 | 3.9.1 | 28-Jun-2021 |
| EWS385AP | Evaluating | Q3-2021 |
| EWS660AP | Evaluating | Q1-2022 |
| EWS850AP | 3.9.1 | 28-Jun-2021 |
| EWS860AP | Evaluating | Q1-2022 |
| EAP1250 | Evaluating | Q3-2021 |
| EAP1300 | Evaluating | Q3-2021 |
| EAP1300EXT | Evaluating | Q3-2021 |
| EAP2200 | Evaluating | Q3-2021 |
| ENS620EXT | Evaluating | Q3-2021 |
| ENH1350EXT | Evaluating | Q3-2021 |
| ENH1750EXT | Evaluating | Q3-2021 |
| Other Models | Evaluating | Evaluating |
|
On-Premises – Version and Target Date
|
|
EWS330AP
1.5.35Evaluating Q3-2021 |
|
EWS355AP
Evaluating Q3-2021 |
|
EWS357AP
3.9.1 26-Jul-2021 |
|
EWS357APv2
3.9.1 26-Jul-2021 |
|
EWS357APv3
3.9.1 28-Jun-2021 |
|
EWS360AP
Evaluating Q4-2021 |
|
EWS377AP
Evaluating 26-Jul-2021 |
|
EWS377APv2
3.9.1 26-Jul-2021 |
|
EWS377APv3
3.9.1 28-Jun-2021 |
|
EWS385AP
Evaluating Q3-2021 |
|
EWS660AP
Evaluating Q1-2022 |
|
EWS850AP
3.9.1 28-Jun-2021 |
|
EWS860AP
Evaluating Q1-2022 |
|
EAP1250
Evaluating Q3-2021 |
|
EAP1300
Evaluating Q3-2021 |
|
EAP1300EXT
Evaluating Q3-2021 |
|
EAP2200
Evaluating Q3-2021 |
|
ENS620EXT
Evaluating Q3-2021 |
|
ENH1350EXT
Evaluating Q3-2021 |
|
ENH1750EXT
Evaluating Q3-2021 |
|
Other Models
Evaluating Evaluating |
