FragAttacks, a series of vulnerabilities in the Wi-Fi standard that affects millions of devices

Information was recently disclosed on 12 vulnerabilities, collectively named "FragAttacks", that affect a wide range of wireless devices. They cover virtually all wireless cards and access points in use: of the 75 devices tested, each was affected by at least one of the proposed attack methods.

The problems fall into two categories. 3 vulnerabilities were identified directly in the Wi-Fi standards and cover all devices that support the current IEEE 802.11 standards (the issues have been traced back to 1997).

The other 9 vulnerabilities are bugs and flaws in specific implementations of wireless stacks. The main danger lies in this second category, since attacks on the flaws in the standards require specific scenarios or certain actions by the victim.

All the vulnerabilities appear regardless of the protocol used to secure the Wi-Fi network, even with WPA3, as most of the identified attack methods allow an attacker to perform L2 frame replacement on a protected network, making it possible to block victim traffic.

DNS response spoofing to direct the user to the attacker's host is mentioned as the most realistic attack scenario. An example is also given of using the vulnerabilities to bypass the address translator on a wireless router and gain direct access to a device on the local network, or to bypass firewall restrictions.

The second group of vulnerabilities, related to the processing of fragmented frames, makes it possible to extract data about traffic on the wireless network and to intercept user data transmitted without encryption.

A researcher has prepared a demonstration showing how the vulnerabilities can be used to intercept a password transmitted when accessing a website over HTTP without encryption. It also shows how to attack a smart plug controlled via Wi-Fi and use it to continue the attack on outdated devices on the local network that have unpatched vulnerabilities (for example, it was possible to attack an unpatched Windows 7 computer on the internal network via NAT traversal).

To take advantage of the vulnerabilities, an attacker must be within range of the target wireless device in order to send a set of specially crafted frames to the victim.

The issues affect client devices and wireless cards as well as Wi-Fi access points and routers. In general, HTTPS combined with encryption of DNS traffic using DNS over TLS or DNS over HTTPS is sufficient as a workaround. A VPN is also suitable for protection.

The most dangerous are four vulnerabilities in wireless device implementations that make it trivial for an attacker to substitute their own unencrypted frames:

  • CVE-2020-26140 and CVE-2020-26143: allow frame substitution on some access points and wireless cards on Linux, Windows, and FreeBSD.
  • CVE-2020-26145: allows unencrypted fragments to be treated as full frames on macOS, iOS, FreeBSD and NetBSD.
  • CVE-2020-26144: enables processing of unencrypted reassembled A-MSDU frames with EtherType EAPOL on Huawei Y6, Nexus 5X, FreeBSD and LANCOM AP.

The other implementation vulnerabilities are mainly related to problems in handling fragmented frames:

  • CVE-2020-26139: allows forwarding of EAPOL-marked frames sent by an unauthenticated sender (affects 2 of 4 tested access points and NetBSD and FreeBSD solutions).
  • CVE-2020-26146: allows encrypted fragments to be reassembled without checking the order of the sequence numbers.
  • CVE-2020-26147: allows reassembly of mixed encrypted and unencrypted fragments.
  • CVE-2020-26142: allows fragmented frames to be treated as full frames (affects OpenBSD and the ESP12-F wireless module).
  • CVE-2020-26141: missing TKIP MIC check for fragmented frames.

Of the other problems identified:

  • CVE-2020-24588: aggregate frame attack. Redirecting a user to a malicious DNS server, or NAT traversal, is mentioned as an example of the attack.
  • CVE-2020-24587: key mix attack (reassembly of encrypted fragments with different keys is allowed in WPA, WPA2, WPA3 and WEP). The attack makes it possible to determine the data sent by the client, for example the content of a cookie when a site is accessed via HTTP.
  • CVE-2020-24586: fragment cache attack (the standards covering WPA, WPA2, WPA3 and WEP do not require the removal of fragments that have already settled in the cache after a new connection to the network). It makes it possible to identify the data sent by the client and to substitute the attacker's own data.
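The fragment-handling issues listed above (CVE-2020-26146, CVE-2020-26147, CVE-2020-24587 and CVE-2020-24586) each correspond to a check a receiver can enforce while reassembling a fragmented frame. The C model below is an added example, not code from the article or from any real Wi-Fi stack; the struct and function names are hypothetical, and it assumes the ordering check is made on a per-fragment packet number.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Model of one fragment-cache entry; all names here are hypothetical. */
struct frag_entry {
    bool in_use, encrypted;   /* protection state taken from fragment 0 */
    uint16_t seq;             /* sequence number of the frame being rebuilt */
    uint8_t next_frag;        /* fragment number expected next */
    uint32_t key_id;          /* key that protected fragment 0 */
    uint64_t last_pn;         /* packet number of the previous fragment */
};
struct fragment {
    uint16_t seq; uint8_t frag_no; bool more_frags, encrypted;
    uint32_t key_id; uint64_t pn;
};
enum frag_result { FRAG_DROP, FRAG_QUEUED, FRAG_COMPLETE };

/* Call on (re)association or rekey so stale fragments never carry over
 * into a new session (the fragment cache issue, CVE-2020-24586). */
void frag_cache_flush(struct frag_entry *e) { memset(e, 0, sizeof(*e)); }

enum frag_result frag_rx(struct frag_entry *e, const struct fragment *f)
{
    if (f->frag_no == 0) {
        if (!f->more_frags) return FRAG_COMPLETE;  /* not fragmented */
        *e = (struct frag_entry){ .in_use = true, .encrypted = f->encrypted,
            .seq = f->seq, .next_frag = 1, .key_id = f->key_id, .last_pn = f->pn };
        return FRAG_QUEUED;
    }
    bool ok = e->in_use && f->seq == e->seq && f->frag_no == e->next_frag
           && f->encrypted == e->encrypted;        /* no mixing: CVE-2020-26147 */
    if (ok && e->encrypted)
        ok = f->key_id == e->key_id                /* same key: CVE-2020-24587 */
          && f->pn == e->last_pn + 1;              /* in order: CVE-2020-26146 */
    if (!ok) { frag_cache_flush(e); return FRAG_DROP; }
    e->next_frag++;
    e->last_pn = f->pn;
    if (f->more_frags) return FRAG_QUEUED;
    frag_cache_flush(e);
    return FRAG_COMPLETE;
}
int main(void)
{
    struct frag_entry e = {0};
    struct fragment first = { 7, 0, true, true, 1, 100 };  /* constructed input */
    struct fragment plain = { 7, 1, false, false, 0, 0 };  /* unencrypted follow-up */
    frag_rx(&e, &first);
    return frag_rx(&e, &plain) == FRAG_DROP ? 0 : 1;  /* 0: mixed fragment dropped */
}
```

Any failed check discards the whole partially reassembled frame instead of only the offending fragment, so nothing already cached can be combined with later input.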

If you want to know more about it, you can consult the following link.
