A vulnerability in Wi-Fi packet buffering has been found that affects several devices and operating systems


If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or otherwise disrupt the network

Mathy Vanhoef, author of the KRACK attack on wireless networks and discoverer of 12 vulnerabilities in the IEEE 802.11 standards, has revealed a new vulnerability (already listed as CVE-2022-47522) in Wi-Fi packet buffering that affects various devices (Cisco, Ubiquiti) and operating systems (Linux, FreeBSD, iOS, Android).

The MacStealer toolkit, which implements the attack, has also been published. The vulnerability allows wireless encryption to be bypassed and can be used to intercept traffic from isolated clients.

On March 27, 2023, the research paper "Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues" was made public. The paper discusses vulnerabilities in the 802.11 standard that could allow an attacker to spoof a targeted wireless client and redirect frames sitting in an access point's transmit queues to a device under the attacker's control. The attack is considered opportunistic, and the information an attacker obtains would be of minimal value in a securely configured network.

The vulnerability lies in the queuing mechanism used to buffer frames before they are sent to their recipients, and in the mismanagement of the protection (security) context of the queued frames.

The root cause is that the 802.11 standard gives no explicit instructions on how to manage the protection context of buffered frames, and that the power-save flag in the frame header is not protected, so an attacker can use it to manipulate the frame queue.

In many scenarios, Wi-Fi devices choose to buffer or queue packets arriving from higher layers before transmitting them. One of the most common use cases is saving power on battery-powered devices such as mobile phones and laptops.

The original release of the 802.11 standard already included power-saving mechanisms that let clients enter a sleep state in which they consume very little power. When a client enters the sleep state, the access point (AP) buffers the eligible frames destined for that client.

By marking a recipient as being in sleep mode (setting the power-save flag in the frame header), an attacker can force frames for it to be buffered and then change the protection context, so that frames are later sent from the queue without encryption or encrypted with a null key. Separately, a technique is proposed to redirect queued frames from an access point to a device controlled by the attacker.

Frames can be redirected out of the queue because, in the wireless stack, client authentication and packet routing are separate from each other: routing uses only MAC addresses.

To redirect frames to the attacker's device, the trick consists of periodically disconnecting the victim after a request has been sent to it, then connecting the attacker's device using the victim's MAC address; packets that were addressed to the victim and are still stuck in the queue are then sent to the attacker's device.
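The mechanism described above comes down to two design decisions in the AP's buffering logic: queued frames are tracked by MAC address alone, and the protection context is chosen only when a frame is finally transmitted. The following Python model is an added illustration written for this article; it is not code from the paper, from MacStealer, or from any vendor's AP firmware. `NaiveAP` reproduces the behaviour the article describes, and `HardenedAP` is an assumed, illustrative fix (not a specific vendor patch) in which every buffered frame records the association it belongs to, the queue is flushed when that association ends, and a frame is only ever transmitted under the association it was buffered for. The MAC address and payload in the scenario are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Set, Tuple

_association_ids = count(1)   # each association (pairwise key) gets a fresh id


@dataclass
class Frame:
    dst: str                       # destination MAC address
    payload: str
    session: Optional[int] = None  # association recorded at enqueue time (hardened AP only)


class NaiveAP:
    """Model of the queue behaviour described in the article: buffered frames are
    tracked by MAC alone, and the protection context is looked up only when the
    frame is finally transmitted. Illustrative model, not real AP code."""

    def __init__(self) -> None:
        self.assoc: Dict[str, int] = {}               # MAC -> id of current association
        self.asleep: Set[str] = set()                 # MACs currently in power-save mode
        self.queue: Dict[str, List[Frame]] = defaultdict(list)
        self.transmitted: List[Tuple[int, str]] = []  # (association used to protect the frame, payload)

    def associate(self, mac: str) -> int:
        sid = next(_association_ids)
        self.assoc[mac] = sid
        return sid

    def disconnect(self, mac: str) -> None:
        self.assoc.pop(mac, None)
        self.asleep.discard(mac)
        # Frames queued for this MAC are left in place: the association they were
        # buffered for is gone, but nothing ties them to it.

    def power_save(self, mac: str, asleep: bool) -> None:
        if asleep:
            self.asleep.add(mac)
        else:
            self.asleep.discard(mac)
            self._flush(mac)

    def deliver(self, mac: str, payload: str) -> None:
        """A frame arriving from a higher layer for the client with this MAC."""
        if mac not in self.assoc:
            return
        if mac in self.asleep:
            self.queue[mac].append(Frame(mac, payload))
        else:
            self.transmitted.append((self.assoc[mac], payload))

    def _flush(self, mac: str) -> None:
        for frame in self.queue.pop(mac, []):
            if mac in self.assoc:
                # Protection context chosen now, for whoever currently holds this MAC.
                self.transmitted.append((self.assoc[mac], frame.payload))


class HardenedAP(NaiveAP):
    """Assumed fix for illustration: bind each buffered frame to its association,
    drop the queue on disconnect, and never transmit under a different association."""

    def disconnect(self, mac: str) -> None:
        self.queue.pop(mac, None)   # drop everything buffered for the ended association
        super().disconnect(mac)

    def deliver(self, mac: str, payload: str) -> None:
        if mac not in self.assoc:
            return
        if mac in self.asleep:
            self.queue[mac].append(Frame(mac, payload, session=self.assoc[mac]))
        else:
            self.transmitted.append((self.assoc[mac], payload))

    def _flush(self, mac: str) -> None:
        for frame in self.queue.pop(mac, []):
            if self.assoc.get(mac) == frame.session:
                self.transmitted.append((frame.session, frame.payload))
            # otherwise the frame belonged to an earlier association: discard it


def queue_outlives_association(ap: NaiveAP) -> List[Tuple[int, str]]:
    """Constructed scenario from the article: a client sleeps, a frame for it is
    buffered, its association ends, and a new association with the same MAC
    appears before the queue is drained. Returns what the AP transmitted and
    under which association."""
    client = "02:00:00:00:00:01"   # constructed sample MAC
    first = ap.associate(client)
    ap.power_save(client, True)
    ap.deliver(client, "frame buffered for association %d" % first)
    ap.disconnect(client)
    ap.associate(client)           # same MAC, fresh key: a different association
    ap.power_save(client, False)   # queue drained now
    return ap.transmitted


if __name__ == "__main__":
    print("naive:   ", queue_outlives_association(NaiveAP()))
    print("hardened:", queue_outlives_association(HardenedAP()))
```

Running the model shows the difference in one line each: the naive AP transmits the frame buffered for the first association under the second one, while the hardened AP transmits nothing, because the frame was discarded when the association it belonged to ended. The design point for a defender is that the security context must travel with the buffered frame rather than being looked up by MAC at transmit time.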

The attack can be used to intercept the traffic of other users, bypassing client isolation at the MAC level even when clients are prohibited from communicating with each other. To carry out the attack, an attacker must already have access to the Wi-Fi network, which in practice limits the vulnerability to bypassing client isolation at an access point ("AP isolation" mode) or bypassing dynamic ARP inspection (DAI).

For example, the vulnerability can be used to attack users of corporate networks where users are separated from each other, networks using WPA2 or WPA3 in client isolation mode (separate SSIDs for guests, or different passwords per user with Multi-PSK), public access points protected with Passpoint (Hotspot 2.0), and networks using WPA3 SAE-PK.

The attack does not work across VLANs: a device on another VLAN cannot be attacked.

Finally, if you are interested in learning more, you can consult the details at the following link
