FragAttacks: All Wi-Fi Devices back to 1997 are Vulnerable
The vulnerabilities, dubbed Frag Attacks, allow an attacker within range of a Wi-Fi device to collect information about the owner of the device and run malicious code in order to compromise a computer, smartphone, or any other smart device. Devices remain vulnerable even with WEP and WPA security standards enabled.
Three out of twelve vulnerabilities are design flaws and therefore affect most devices. The rest of the vulnerabilities exist due to common programming errors made during the implementation of the Wi-Fi standard. Each device has at least one Frag Attacks vulnerability, but most devices have several.
The researcher announced his discovery of the WiFi Alliance, and over the past nine months, the organization has been working on adjusting its standards and guidelines, and has also worked with electronics manufacturers to prepare patches for the firmware.
WiFi standard design flaws:
- CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
WiFi standard implementation flaws:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other implementation flaws:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
As for the technical side, a research paper is also available [PDF]. According to Vanhoef, the core issue at the heart of the Frag Attacks is how the WiFi standard breaks and then reassembles network packets, allowing threat actors to introduce their own malicious code into legitimate content during this operation.