Monday, November 18, 2024
FragAttacks – New Security Vulnerabilities Affect Billions of Wi-Fi Devices

Mathy Vanhoef, a cybersecurity researcher from Belgium, has recently discovered a set of vulnerabilities that he named “FragAttacks.” All of these flaws are a blend of fragmentation and aggregation attacks.

The flaws affect computer systems with Wi-Fi connectivity, which means that millions of users are at risk.

These vulnerabilities affect all Wi-Fi security protocols, from the original WEP through to the latest WPA3 specification.

Mathy claimed that some of these vulnerabilities have been present since 1997, and that they affect every computer system with Wi-Fi connectivity released in the last 24 years.

However, Mathy Vanhoef has also stressed that most of these flaws are very difficult to exploit: most of them require user interaction, which makes it hard for a threat actor to take advantage of them.

Vulnerabilities Detected

The vulnerabilities detected are listed below; all of them have CVSS scores between 4.8 and 6.5.

  • CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.

Attack Vectors

Aggregation attack: This flaw exists in frame aggregation, which combines small frames into larger frames to improve network throughput. Because of this feature, each frame carries a header flag that indicates whether it is aggregated (“combined”) or not.

Mathy Vanhoef points out that this “combined” flag in the header is not protected, so by modifying it an attacker can intercept the traffic.

Mixed key attack: This attack targets frame fragmentation, which divides a large frame into smaller pieces to improve the reliability of the connection, and concerns the encryption key used for those pieces.

All fragments of one frame are supposed to be encrypted under the same key, but the key is chosen on the sending side: the receiving side does not verify that every fragment of a frame was encrypted under the same key.

As a result, the receiver reassembles the fragments with whichever key each one was encrypted under, so data can be leaked by passing a fragment encrypted under a key that differs from the original one.

Fragment cache attack: This vulnerability also lies in frame fragmentation: incomplete fragments are left undeleted in the memory of Wi-Fi devices when a client disconnects from the network.

Using this design, an attacker can place a malicious fragment in the memory of the access point, so that a fragment subsequently sent by the victim is forcibly merged with the malicious fragment.
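As an added illustration (not code from the researcher or from any vendor), the following simplified receiver model shows the defensive checks that the mixed key attack, the fragment cache attack and the plaintext/non-consecutive-fragment entries in the CVE list above call for. `Fragment`, `Reassembler` and the `key_gen` counter are assumptions of this model; a real CCMP receiver tracks a 48-bit packet number per TID and keys by sequence number, which is abstracted here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Fragment:
    seq: int        # sequence number shared by all fragments of one frame
    frag: int       # fragment index, 0-based
    more: bool      # "more fragments" flag
    pn: int         # packet number; must be consecutive within one frame
    key_gen: int    # session-key generation it was encrypted under; 0 = plaintext
    payload: bytes

class Reassembler:
    """Fragment reassembly for one sender in a protected network (simplified model)."""
    def __init__(self) -> None:
        self.cache: Dict[int, List[Fragment]] = {}  # seq -> fragments accepted so far
        self.key_gen = 1                              # current session-key generation

    def rekey(self) -> None:
        self.key_gen += 1   # e.g. a new pairwise key after a fresh handshake

    def reconnect(self) -> None:
        # CVE-2020-24586: stale fragments must not survive a (re)connect
        self.cache.clear()
        self.key_gen += 1

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the reassembled frame when complete, else None (dropped or pending)."""
        if f.key_gen == 0:
            return None  # CVE-2020-26140/26143: no plaintext (fragments) in a protected net
        if f.key_gen != self.key_gen:
            return None  # encrypted under an old key
        pending = self.cache.get(f.seq, [])
        if pending:
            last = pending[-1]
            if (f.frag != last.frag + 1 or f.pn != last.pn + 1   # CVE-2020-26146
                    or f.key_gen != last.key_gen):                # CVE-2020-24587
                self.cache.pop(f.seq, None)  # discard the whole partial frame
                return None
        elif f.frag != 0:
            return None  # a later fragment with no first fragment is not a frame
        pending.append(f)
        if f.more:
            self.cache[f.seq] = pending
            return None
        self.cache.pop(f.seq, None)
        return b"".join(p.payload for p in pending)
```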

Demonstration

The video below demonstrates how attackers can exploit these flaws:

Moreover, some of these vulnerabilities are caused by common programming errors, and the research found that every Wi-Fi product has multiple vulnerabilities.

Some of the discovered vulnerabilities allow attackers to inject plaintext frames. The biggest risk is that these flaws can be abused to attack IoT devices.

Attacking IoT devices could be a convenient gateway for threat actors, as IoT devices are rarely updated.

Many vendors and manufacturers have already released updates to fix these vulnerabilities; the updates were prepared under the coordination of the Wi-Fi Alliance and ICASI.

Security analysts therefore strongly recommend that all users immediately update their devices with the latest security patches released by their respective manufacturers.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
