Monday, September 9, 2024
HomeCVE/vulnerabilityFragAttacks - New Security Vulnerabilities Affect Billions of Wi-Fi Devices

FragAttacks – New Security Vulnerabilities Affect Billions of Wi-Fi Devices

Published on

Mathy Vanhoef, a cybersecurity researcher from Belgium has recently discovered a bunch of vulnerabilities and named them “FragAttacks.” And all these flaws are just a blend of fragmentation and aggregation attacks.

The flaws that were discovered, affect the computer systems that have Wi-Fi connectivity, which means that millions of users are at risk.

All these vulnerabilities affect all Wi-Fi security protocols, including the latest WPA3 specs, and the original one, WEP is also in the range.

- Advertisement - EHA

Mathy claimed that some of these vulnerabilities were present since 1997, and not only that even they also affect all computer systems that were released in the last 24 years with Wi-Fi connectivity.

However, the security expert, Mathy Vanhoef has claimed that it must be borne in mind that most of the flaws are very difficult to exploit. 

As most of them will require user interaction, hence, making it very difficult for a threat actor to exploit these flaws and take precedence of them.

Vulnerabilities Detected

The vulnerabilities that are detected are mentioned below, and all the flaws that we have mentioned below have CVSS scores between 4.8 and 6.5.

  • CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.

Attack Vectors

Aggregation attack: This flaw exists in the Frame aggregation, and it mainly combines the small frames into large frames to improves the network speed. So, due to this feature, each frame has a header to identify whether it’s combined or not. 

But here Mathy Vanhoef claims that there is no protection in the “combined” state header, and that’s why by modifying this header part, an attacker can intercept the traffic.

Mixed key attack: This attack occurs in frame fragmentation, and it is related to the encryption key that is used to divide a large frame into smaller pieces to improve the reliability of the connection. 

This encryption key is used as a common encryption key when distributing one frame, but it’s passed from the device side, as on the Wi-Fi connection side there is no process of verifying the encryption key.

So, the fragment will be restored by using the encrypted key, and due to this, the data can be leaked by passing an encryption key that is different from the original encryption key.

Fragment cache attack: This vulnerability exists in the frame fragmentation, here in the memory of Wi-Fi devices the incomplete fragments are left undeleted, and this happen when a client disconnects from the network.

fragattacks

The attackers can place a malicious fragment in the memory of the access point by using this design. That’s why it’s possible to merge the fragment by force that’s sent by the recipient with the malicious fragment.

Demonstration

The below video demonstrates that how the attackers can exploit these flaws:-

Moreover, some of these vulnerabilities are caused by common programming errors, and it has been reinforced that every Wi-Fi product has multiple vulnerabilities.

Some of the discovered vulnerabilities allow hackers to inject code in plain text. Here the biggest risk is that all these flaws can be abused by attackers to attack IoT devices.

Attacking the IoT devices could be the convenient gateway for the threat actors, as IoT devices are rarely updated.

For now, the updates are already made available by many vendors or manufacturers to fix all these vulnerabilities. And under the supervision of the Wi-Fi Alliance and ICASI, all these updates have been prepared.

So, the security analysts have strongly recommended all the user to immediately update their devices with the latest security patches released by their respective manufacturers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Vulnerabilities in IBM Products Let Attackers Exploit & Launch DOS Attack

IBM has issued a security bulletin addressing critical vulnerabilities in its MQ Operator and...

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

SonicWall Access Control Vulnerability Exploited in the Wild

SonicWall has issued an urgent advisory regarding a critical vulnerability in its SonicOS management...

Apache OFBiz for Linux & Windows Vulnerability Allows Unauthenticated Remote Code Execution

A series of vulnerabilities affecting Apache OFBiz has come to light, raising significant cybersecurity...

Veeam Backup & Replication Vulnerabilities Let Attackers Execute Remote Code

Multiple critical vulnerabilities have been identified in Veeam Backup & Replication, a widely-used data...