The recently discovered FragAttacks (fragmentation and aggregation attacks) vulnerabilities expose almost every Wi-Fi device to attack. Three design flaws in the IEEE 802.11 standard itself and several implementation flaws in individual products leave Wi-Fi devices open to serious attacks such as injecting packets into the network, taking control of devices, and exfiltrating user data. According to the research, almost every Wi-Fi device is vulnerable to at least one of these flaws, and most devices are affected by several. The flaws affect every Wi-Fi security protocol from Wired Equivalent Privacy (WEP) all the way to Wi-Fi Protected Access 3 (WPA3), which is considered the most secure Wi-Fi authentication protocol, so FragAttacks put all Wi-Fi devices at risk. Fortunately, no exploitation of the FragAttacks vulnerabilities has been observed in the wild. Even so, we would like to show how these vulnerabilities can be exploited.
Reasons for Successful FragAttacks Vulnerability Exploitation:
The attacks succeed because devices connected to the Wi-Fi network:
- Accept unencrypted frames even when connected to a protected Wi-Fi network.
- Accept plaintext aggregated frames that look like handshake (EAPOL) messages.
- Accept broadcast fragments even when they are sent unencrypted.
- Accept frames in which the "is aggregated" (A-MSDU present) flag is not authenticated.
- Reassemble fragments that were decrypted using different keys.
- Are not required to remove fragments that were never reassembled from memory when (re)connecting.
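To make the aggregation point concrete, here is an added example (written for this article, not code from the FragAttacks researchers or from any vendor) that models what a non-SPP receiver does when the unauthenticated "A-MSDU present" flag of an ordinary data frame is flipped. It assumes an attacker who can get an IPv4 packet with a chosen IP ID field delivered to the victim (for example from a server the attacker controls); the frame bytes, MAC addresses and the placeholder "injected packet" are constructed for the demo and are not a real capture.

```python
import struct
from typing import List, Tuple

# LLC/SNAP (RFC 1042) header that prefixes every IP packet carried in a Wi-Fi data frame,
# followed by the IPv4 EtherType. The first 6 bytes are what a flag-flipped frame's
# "first subframe" destination address turns out to be.
RFC1042_HEADER = bytes.fromhex("aaaa03000000")
ETHERTYPE_IPV4 = bytes.fromhex("0800")


def parse_amsdu(body: bytes) -> List[Tuple[bytes, bytes, bytes]]:
    """Split an A-MSDU frame body into (DA, SA, MSDU) subframes as IEEE 802.11 defines
    them: DA(6) | SA(6) | Length(2, big-endian) | MSDU(Length) | pad to 4-byte boundary."""
    subframes = []
    off = 0
    while off + 14 <= len(body):
        da, sa = body[off:off + 6], body[off + 6:off + 12]
        (length,) = struct.unpack("!H", body[off + 12:off + 14])
        msdu = body[off + 14:off + 14 + length]
        if len(msdu) != length:
            break                      # truncated subframe: stop, keep what was parsed
        subframes.append((da, sa, msdu))
        off += 14 + length
        off += (-off) % 4              # every subframe but the last is padded to 4 bytes
    return subframes


def build_ipv4_frame_body(ip_id: int, payload: bytes) -> bytes:
    """Frame body of an ordinary (non-A-MSDU) data frame carrying IPv4/UDP:
    LLC/SNAP header, a minimal 20-byte IPv4 header, then the payload.
    Source/destination addresses are constructed for the demo."""
    ip_header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), ip_id, 0x4000, 64, 17, 0,
        bytes([10, 0, 0, 2]), bytes([10, 0, 0, 5]),
    )
    return RFC1042_HEADER + ETHERTYPE_IPV4 + ip_header + payload


def receive_frame_body(body: bytes, amsdu_flag: bool, mitigate: bool) -> List[bytes]:
    """Model of a non-SPP receiver. `amsdu_flag` is the QoS "A-MSDU present" bit, which
    is not covered by the frame's authentication for non-SPP A-MSDUs, so an attacker
    can flip it. Returns the MSDUs handed up to the network stack."""
    if not amsdu_flag:
        return [body]
    subframes = parse_amsdu(body)
    # Mitigation: a genuine A-MSDU never has the LLC/SNAP header as its first DA.
    # If it does, this is a flag-flipped normal frame: drop the whole A-MSDU.
    if mitigate and subframes and subframes[0][0] == RFC1042_HEADER:
        return []
    return [msdu for _, _, msdu in subframes]


# Hypothetical injected packet: LLC/SNAP + EtherType ARP + a placeholder body.
INJECTED = RFC1042_HEADER + bytes.fromhex("0806") + b"<constructed spoofed ARP reply>"


def attacker_udp_payload() -> bytes:
    """Second A-MSDU subframe, entirely inside the attacker-chosen UDP payload:
    DA = broadcast, SA = hypothetical attacker MAC, then the injected packet."""
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + struct.pack("!H", len(INJECTED)) + INJECTED)


def demo() -> dict:
    """Deliver the same frame body with the flag unset, flipped, and flipped + mitigated."""
    udp_payload = attacker_udp_payload()
    udp_header = struct.pack("!HHHH", 53, 51000, 8 + len(udp_payload), 0)  # src, dst, len, csum
    # IP ID 22: the first subframe's Length field is the IP ID, so it covers the remaining
    # 14 IPv4 header bytes plus the 8 UDP header bytes (14 + 22 = 36, already 4-byte
    # aligned) and subframe 2 starts exactly at the attacker-controlled UDP payload.
    body = build_ipv4_frame_body(ip_id=22, payload=udp_header + udp_payload)
    return {
        "normal": receive_frame_body(body, amsdu_flag=False, mitigate=False),
        "flipped": receive_frame_body(body, amsdu_flag=True, mitigate=False),
        "mitigated": receive_frame_body(body, amsdu_flag=True, mitigate=True),
    }


if __name__ == "__main__":
    for name, msdus in demo().items():
        print(name, [m[:16].hex() for m in msdus])
```

With the flag unset the body is one IPv4 packet; with the flag flipped the LLC/SNAP header and the start of the IPv4 header are parsed as the first subframe's DA, SA and Length, and the second subframe, carved out of the UDP payload, is a packet the attacker wrote from the first byte. The `mitigate` branch is the receiver-side check the researchers recommended (and that Linux, among others, adopted): an A-MSDU whose first subframe's destination address equals the RFC 1042 header can only be a flag-flipped frame, so it is dropped.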
Summary of FragAttacks Vulnerabilities:
Twelve vulnerabilities are collectively called FragAttacks. Three of them are design flaws in the IEEE 802.11 standard itself: one in frame aggregation and two in frame fragmentation. Because they are in the standard, almost every Wi-Fi device is affected by them. The remaining nine vulnerabilities are implementation flaws in how individual products handle the protocol.
The Associated CVEs Are As Follows:
FragAttacks Design Vulnerabilities:
- CVE-2020-24588: Accepting non-SPP A-MSDU frames.
- CVE-2020-24587: Reassembling fragments encrypted under different keys.
- CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network.
FragAttacks Implementation Vulnerabilities Allowing Trivial Packet Injection:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other FragAttacks Implementation Vulnerabilities:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated.
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
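As an added example (written for this article, not the researchers' or any vendor's code), the following models the receive-side fragment handling that the fragmentation CVEs above show was missing: no plaintext fragments in a protected network, no mixing of keys or of plaintext and encrypted fragments, consecutive packet numbers, no partial frame handed up, and a fragment cache cleared on (re)connection. Decrypted fragments are modelled as Python objects rather than real 802.11 frames, and the addresses, sequence numbers, key identifiers and payloads are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    """One 802.11 data fragment as the receiver sees it after decryption (constructed model)."""
    sender: str              # transmitter address
    seq: int                 # sequence number, shared by all fragments of one frame
    frag: int                # fragment number: 0, 1, 2, ...
    more_frags: bool         # "More Fragments" bit in the frame control field
    protected: bool          # Protected Frame bit: was this fragment encrypted?
    key_id: Optional[int]    # which pairwise key decrypted it (None for plaintext)
    pn: Optional[int]        # CCMP/GCMP packet number (None for plaintext)
    payload: bytes


class Reassembler:
    """Fragment reassembly with the checks FragAttacks showed many receivers were skipping."""

    def __init__(self, protected_network: bool):
        self.protected_network = protected_network
        self.pending: Dict[Tuple[str, int], List[Fragment]] = {}
        self.drops: List[str] = []

    def on_connect(self) -> None:
        # CVE-2020-24586: fragments left over from before a (re)connection must not be
        # completed by fragments received afterwards.
        self.pending.clear()

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Returns the reassembled frame body when complete, else None (buffered or dropped)."""
        reason = self._reject_reason(f)
        if reason:
            self.drops.append(f"seq {f.seq} frag {f.frag}: {reason}")
            return None
        key = (f.sender, f.seq)
        if f.frag == 0:
            self.pending[key] = [f]         # a new frame starts; any stale set is replaced
        else:
            self.pending[key].append(f)
        if f.more_frags:
            return None                     # CVE-2020-26142: never hand up a partial frame
        frags = self.pending.pop(key)
        return b"".join(x.payload for x in frags)

    def _reject_reason(self, f: Fragment) -> Optional[str]:
        # CVE-2020-26140 / -26143 / -26145: no plaintext data in a protected network.
        if self.protected_network and not f.protected:
            return "plaintext frame in protected network"
        if f.frag == 0:
            return None
        prev_set = self.pending.get((f.sender, f.seq))
        if not prev_set or prev_set[-1].frag != f.frag - 1:
            return "no preceding fragment for this sequence number"
        prev = prev_set[-1]
        # CVE-2020-26147: never mix plaintext and encrypted fragments (defence in depth
        # here, since the first check already rejects plaintext in a protected network).
        if prev.protected != f.protected:
            return "mixed plaintext/encrypted fragments"
        # CVE-2020-24587: all fragments must have been decrypted under the same key.
        if prev.key_id != f.key_id:
            return "fragments decrypted under different keys"
        # CVE-2020-26146: encrypted fragments must carry consecutive packet numbers.
        if f.protected and f.pn != prev.pn + 1:
            return "non-consecutive packet numbers"
        return None


def demo() -> dict:
    """Feed a legitimate fragmented frame and four attack patterns through the reassembler."""
    rx = Reassembler(protected_network=True)
    rx.on_connect()
    out = {}
    # Legitimate: two fragments, same key, consecutive PNs -> reassembled.
    rx.receive(Fragment("ap", 10, 0, True, True, 1, 100, b"GET /account "))
    out["legit"] = rx.receive(Fragment("ap", 10, 1, False, True, 1, 101, b"HTTP/1.1"))
    # Mixed-key attack: second fragment was decrypted under a different key.
    rx.receive(Fragment("ap", 11, 0, True, True, 1, 102, b"old-key-part"))
    out["mixed_key"] = rx.receive(Fragment("ap", 11, 1, False, True, 2, 103, b"new-key-part"))
    # Packet-number gap between fragments.
    rx.receive(Fragment("ap", 12, 0, True, True, 2, 200, b"a"))
    out["pn_gap"] = rx.receive(Fragment("ap", 12, 1, False, True, 2, 250, b"b"))
    # Plaintext injection into a protected network.
    out["plaintext"] = rx.receive(Fragment("ap", 13, 0, False, False, None, None, b"inject"))
    # Fragment-cache attack: fragment 0 buffered, victim reconnects, fragment 1 arrives.
    rx.receive(Fragment("ap", 14, 0, True, True, 2, 300, b"stale"))
    rx.on_connect()
    out["cache"] = rx.receive(Fragment("ap", 14, 1, False, True, 2, 301, b"fresh"))
    out["drops"] = list(rx.drops)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Only the legitimate pair reassembles; each of the four attack patterns is rejected with a recorded reason, and the cache attack fails simply because `on_connect()` emptied the pending set before the second fragment arrived. A real driver additionally enforces replay protection on the packet number across frames, which this model leaves out.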
The Motive Behind Exploiting FragAttacks Vulnerabilities
The Wi-Fi FragAttacks vulnerabilities can be abused in two ways:
- To steal sensitive data such as usernames and passwords.
- To take control of devices in someone's home network.