EnGenius Advisory: FragAttacks Security Advisory


May 11, 2021





Summary
On May 11, 2021, we publicly disclosed a dozen vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) that could affect devices with Wi-Fi capabilities. Refer to the Wi-Fi Alliance announcement for more information.

Impact
These 12 vulnerabilities were discovered and disclosed by researcher Dr. Mathy Vanhoef. Three of them are design flaws in the 802.11 standard itself, and the other 9 are implementation vulnerabilities.

Successful exploitation of these vulnerabilities could enable the exfiltration of sensitive data from the targeted device. The following table describes the high-level impact of each CVE ID.

CVE-ID & Impact

1. CVE-2020-24586
   The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments must be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.

2. CVE-2020-24587
   Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.

3. CVE-2020-24588
   Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

4. CVE-2020-26139
   Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

5. CVE-2020-26140
   Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network): Vulnerable Wi-Fi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

6. CVE-2020-26141
   Accepting plaintext broadcast fragments as full frames (in an encrypted network): Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

7. CVE-2020-26142
   Reassembling encrypted fragments with non-consecutive packet numbers: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.

8. CVE-2020-26143
   Reassembling mixed encrypted/plaintext fragments: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

9. CVE-2020-26144
   Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

10. CVE-2020-26145
    Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.

11. CVE-2020-26146
    Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.

12. CVE-2020-26147
    Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
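The following is an added illustration and not EnGenius firmware code: a small Python model of the receive-side reassembly checks that a patched Wi-Fi implementation must enforce against the fragment-handling flaws listed above (clearing cached fragments on reconnect, rejecting plaintext fragments in a protected network, requiring consecutive packet numbers, refusing mixed encrypted/plaintext fragments, and never treating a fragment with More Fragments set as a full frame). The Fragment fields and the Reassembler class are assumptions chosen for illustration; the TKIP MIC and A-MSDU checks are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Fragment:
    # Hypothetical, simplified view of the header fields a receiver checks.
    frag_num: int        # 802.11 fragment number (0 for the first fragment)
    more_frags: bool     # "More Fragments" flag in the Frame Control field
    pn: int              # CCMP/GCMP packet number carried in the frame header
    protected: bool      # "Protected Frame" flag: was this fragment encrypted?
    payload: bytes


class Reassembler:
    """Reassembly policy modelled on the checks a patched receiver enforces."""

    def __init__(self, network_protected: bool):
        self.network_protected = network_protected
        self.pending: List[Fragment] = []

    def on_reconnect(self) -> None:
        # Stale fragments must not survive a (re)connection to the network.
        self.pending.clear()

    def receive(self, frag: Fragment) -> Tuple[Optional[bytes], str]:
        # A protected network never accepts plaintext (fragmented) data frames.
        if self.network_protected and not frag.protected:
            self.pending.clear()
            return None, "dropped: plaintext fragment in protected network"
        # Fragments must arrive in order, starting at fragment number 0.
        if frag.frag_num != len(self.pending):
            self.pending.clear()
            return None, "dropped: out-of-order fragment number"
        if self.pending:
            prev = self.pending[-1]
            # Packet numbers must be consecutive across fragments of one frame.
            if frag.pn != prev.pn + 1:
                self.pending.clear()
                return None, "dropped: non-consecutive packet number"
            # Never reassemble a mix of encrypted and plaintext fragments.
            if frag.protected != prev.protected:
                self.pending.clear()
                return None, "dropped: mixed encrypted/plaintext fragments"
        self.pending.append(frag)
        # A frame with More Fragments set is not a full frame yet.
        if frag.more_frags:
            return None, "pending: waiting for more fragments"
        data = b"".join(f.payload for f in self.pending)
        self.pending.clear()
        return data, "ok"
```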


Resolution
The recommended action to completely fix the vulnerabilities is to patch both ends of your Wi-Fi network, that is, both the AP and the client.

EnGenius is investigating its indoor/outdoor Wi-Fi product line to determine the affected AP products and formulate resolution patches accordingly. Refer to the table below for resolution release details. As the investigation progresses, EnGenius will continually update this advisory as more information becomes available.



Cloud        Release Ver.   Target Release
ECW115       1.3.35         12-Jul-2021
ECW120       1.3.35         12-Jul-2021
ECW160       1.3.35         12-Jul-2021
ECW220v2     1.5.35         15-Jun-2021
ECW230       1.5.35         12-Jul-2021
ECW230v2     1.5.35         12-Jul-2021
ECW230v3     1.5.35         12-Jul-2021
ECW260       1.5.35         15-Jun-2021




Cloud – Version and Target Date
ECW115

1.3.35

12-Jul-2021
ECW120

1.3.35

12-Jul-2021
ECW160

1.3.35

12-Jul-2021
ECW220v2

1.5.35

15-Jun-2021
ECW230

1.5.35

12-Jul-2021
ECW230v2

1.5.35

12-Jul-2021
ECW230v3

1.5.35

12-Jul-2021
ECW260

1.5.35

15-Jun-2021




On-Premises    Release Ver.   Target Release
EWS330AP       Evaluating     Q3-2021
EWS355AP       Evaluating     Q3-2021
EWS357AP       3.9.1          26-Jul-2021
EWS357APv2     3.9.1          26-Jul-2021
EWS357APv3     3.9.1          28-Jun-2021
EWS360AP       Evaluating     Q4-2021
EWS377AP       3.9.1          26-Jul-2021
EWS377APv2     3.9.1          26-Jul-2021
EWS377APv3     3.9.1          28-Jun-2021
EWS385AP       Evaluating     Q3-2021
EWS660AP       Evaluating     Q1-2022
EWS850AP       3.9.1          28-Jun-2021
EWS860AP       Evaluating     Q1-2022
EAP1250        Evaluating     Q3-2021
EAP1300        Evaluating     Q3-2021
EAP1300EXT     Evaluating     Q3-2021
EAP2200        Evaluating     Q3-2021
ENS620EXT      Evaluating     Q3-2021
ENH1350EXT     Evaluating     Q3-2021
ENH1750EXT     Evaluating     Q3-2021
Other Models   Evaluating     Evaluating

