Recently discovered (Fragmentation and aggregation attacks) FragAttacks vulnerabilities were exposed to almost every Wi-Fi device to cyber attacks. Three IEEE 802.11 design flaws and several other implementation flaws made Wi-Fi devices subjected to serious attacks like network packet injection, device control, and user data exfiltration. According to the research, almost all Wi-Fi devices are vulnerable to at least one vulnerability, and most of the devices are affected by several vulnerabilities. These vulnerabilities have affected security protocols from Wired Equivalent Privacy (WEP) all the way to Wi-Fi Protected Access 3 (WPA3), which is considered the most secure authentication Wi-Fi protocol. Therefore FragAttack has put all the Wi-Fi devices at risk. Fortunately, FragAttacks vulnerabilities have not been seen exploiting Wi-Fi devices in the wild. Despite that, we would like to show how FragAttacks vulnerabilities can be exploited.
Reasons For Successful FragAttacks Vulnerability Exploitation:
Devices Connected To The Wi-Fi Network Should:
- Accept any unencrypted frame even when connected to a protected Wi-Fi network.
- Accept plaintext aggregated frames that look like handshake messages.
- Accept broadcast fragments even when sent unencrypted.
- Accept frames in which the “is aggregated” flag is not authenticated.
- Accept reassemble fragments that were decrypted using different keys.
- Have the Wi-Fi device is not required to remove non-reassembled fragments from memory.
Summary Of FragAttacks Vulnerabilities:
Twelve vulnerabilities were collectively called as FragAttacks. Two of them are aggregated design flaws, and one is a fragmented design flaw found in the IEEE 802.11 protocol standard itself. Therefore, they make it vulnerable to almost every Wi-Fi device. And remaining nine vulnerabilities are due to implementation flaws in the protocol.
The Associated CVEs Are As Follows:
FragAttacks Design Vulnerabilities:
- CVE-2020-24588: Accepting non-SPP A-MSDU frames.
- CVE-2020-24587: Reassembling fragments encrypted under different keys.
- CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network.
FragAttacks Implementation Vulnerabilities Allowing Trivial Packet Injection
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other FragAttacks Implementation Vulnerabilities
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated.
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
The motive Behind Exploiting FragAttack Vulnerabilities
The Wi-Fi FragAttack vulnerabilities can be used in two ways:
- To steal sensitive data like usernames and passwords.
- To control devices in someone’s home network.
How Can FragAttacks Vulnerabilities Be Exploited?
Design FragAttack Flaws:
- The attacker creates a malicious DNS server.
- The attacker clones the Wi-Fi network on a different channel so that when a new client comes alive, it tries to connect malicious DNS.
- Then, the attacker targets a weak client and trick the client into connecting to his server using any phishing/social engineering attacks.
- Once the client connects with the attacker’s server, the attacker will inject a malicious unencrypted TCP frame.
- The attacker has had created the malicious TCP packet so that when it turned it into an aggregated Wi-Fi frame, it causes an injection attack and tricks the client into using the attacker’s malicious DNS server.
- During the interception, the attacker detects the malicious TCP packet by its length and sets the aggregated flag in the Wi-Fi header before sending the client.
- Due to the design flaw client will process the modified aggregated frame and starts using malicious DNS.
- When the victim visits any insecure websites, malicious DNS will take the user to an impersonated website. When the victim supplies a username and password for login, the attacker will capture the credentials.
Implementation FragAttack Flaws:
The attacker creates a hole in the router using the implementations flaws so that he can connect the local devices running behind the internet.
- An attacker identifies a week clients like IoT devices and gets the MAC address of the client.
- The attacker injects a plaintext malicious aggregated Wi-Fi frame into the network that looks like a handshake message.
- The client accepts and processes the malicious frame even it is unencrypted. This allows the attacker to sneak the TCP packets inside the aggregated frames.
- The TCP packet punches a hole in the router’s firewall and lets the attacker learn about the public IP address and port number of the locally connected victim.
- Once the attacker has the IP and port information, he can use the available product’s exploits to take control over the client device,
Tools To Test FragAttacks Vulnerabilities:
- A free tool to test FragAttacks is made public on the Git platform. The tool supports 45 test cases that require modified drivers in order to test for the discovered vulnerabilities.
- A live USB image with pre-installed modified drivers, modified firmware for certain USB dongles, and a pre-configured python environment that requires running the tool. If you cannot install the modified drivers natively on the operating system, use the live image. But, you may run across some issues if you use the image as a virtual machine because of unsupported network cards.
Devices Affected By FragAttacks Vulnerabilities:
Since the research paper has made public on May 11, 2021, Vendors have started analyzing their products and rolling out patches. It is difficult for us to track the thousands of products here. So we have shared the weblinks of various Vendors where you can see the latest updates on the FragAttacks Vulnerabilities.
- Cisco Systems:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
- HPE/Aruba Networkshttps://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011.txt
- Juniper Networks: https://kb.juniper.net/JSA11170
- Sierra Wireless:https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin—swi-psa-2021-003
- Wi-Fi Alliance:https://www.wi-fi.org/security-update-fragmentation
- Arista: https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
- Canonical (Ubuntu): https://ubuntu.com/security/CVE-2020-24587
- Debian: https://security-tracker.debian.org/tracker/CVE-2020-24587
- Dell: https://www.dell.com/support/kbdoc/en-in/000186331/dsa-2021-100-dell-client-platform-security-update-for-intel-wifi-software-vulnerabilitiesdsa-2021-100-dell-client-platform-security-update-for-intel-wifi-software-vulnerabilities
- Intel: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
- Lenovo: https://support.lenovo.com/in/en/product_security/len-57316
- NETGEAR: https://kb.netgear.com/000063666/Security-Advisory-for-Fragment-and-Forge-vulnerabilities-on-some-WiFi-capable-devices-PSV-2021-0014-PSV-2021-0080
- RUCKUS: https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center
- Synology: https://www.synology.com/tr-tr/security/advisory/Synology_SA_21_20
- SUSE: https://www.suse.com/support/kb/doc/?id=000020244
- Wi-Fi Alliance: https://www.wi-fi.org/security-update-fragmentation
- Zyxel: https://il.zyxel.com/support/Zyxel_security_advisory_for_FragAttacks_against_WiFi_products.shtml
- Eero: https://blog.eero.com/fragattacks-fragmentation-aggregation-and-attacks-update-available-for-all-eero-customers/
- Lancom: https://www.lancom-systems.com/service-support/instant-help/general-security-information/
- Linux Wireless: https://lore.kernel.org/linux-wireless/[email protected]/
- Mist: https://www.mist.com/documentation/mist-security-advisory-fragattacks-and-faq
- SAMSUNG: https://security.samsungmobile.com/securityUpdate.sms
Possible Workarounds For FragAttacks Vulnerabilities If Your Products Haven’t Released The Patch
One thing we want to clear is you can mitigate FragAttacks by following these workarounds, but you can’t completely prevent the attack.
- Use only HTTPS secure protocol for browsing. If possible, install HTTPS everywhere plugin on your browsers that enforce HTTPS wherever the destination site supports it.
- Follow all the general guidelines. Read secrets to secure the Wi-Fi network for more tips to secure the Wi-Fi Network:
- Update your devices.
- Don’t reuse your passwords.
- Backup all important data.
- Don’t visit shady websites.
- Enable network encryption:
- Filter the MAC addresses:
- Reducing the wireless signal range:
- Upgrade the router’s firmware:
- As a temporary workaround solution, you can mitigate the fragmentation attacks by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.
Thanks for reading this article. Please share this information with others and create awareness about the FragAttacks vulnerabilities.