Secplicity - Security Simplified

Powered by WatchGuard Technologies

WiFi FragAttacks

May 26, 2021 By Ryan Estes


In 2017, researchers Mathy Vanhoef and Frank Piessens published a paper showing that practically all protected Wi-Fi networks were vulnerable to Key Reinstallation Attacks (KRACKs). The weakness lay in the Wi-Fi standard itself rather than in any single product. The attacks primarily target the 4-way handshake of WPA2, the Wi-Fi protection standard at the time: by replaying handshake messages, an attacker tricks a device into reinstalling a key it is already using, which resets the nonce and lets the attacker decrypt, and in some configurations inject, traffic. Data protected at a higher layer such as HTTPS stays confidential, unless the site can be downgraded to plain HTTP, which is exactly the situation HSTS exists to prevent.

Most client and access point vendors have since shipped fixes for KRACK. Fast-forward to today, however, and Mathy Vanhoef has unveiled another series of attacks, dubbed "FragAttacks", that affect Wi-Fi access points and clients alike. FragAttacks (Fragmentation and Aggregation Attacks) combine three design flaws in the 802.11 standard with a larger set of implementation flaws found in individual products, and they apply to every Wi-Fi security protocol, including the current WPA3 specification. Vanhoef explains that the design flaws have been present since the original 1997 standard, which introduced WEP.

There are numerous attacks described in the FragAttacks whitepaper. Thankfully, Vanhoef provides a list of the applicable CVEs. The list (taken from his website) is reproduced below; the first three are the design flaws in the standard itself:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network are assigned the following CVEs:

  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

Other implementation flaws are assigned the following CVEs:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
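The aggregation flaw (CVE-2020-24588) is easiest to understand by looking at how a receiver parses an A-MSDU. An A-MSDU body is a sequence of subframes, each a destination MAC, a source MAC, a 2-byte length and a payload padded to 4 bytes. Whether a frame body is one MSDU or an A-MSDU is signalled by a single bit in the QoS Control field, and with the non-SPP A-MSDUs that almost every device uses that bit is not covered by the integrity check, so an attacker can set it on an ordinary encrypted frame and the receiver will slice that frame's body, including any upper-layer bytes an attacker was able to choose, into subframes. The model below is an added example in Python, not code from the article or from the FragAttacks project; the QosDataFrame class and its field names, the MAC addresses and IP ID value, and the sample frames are assumptions for illustration. The hardened path uses the check adopted in the Linux cfg80211 fix: a genuine first subframe starts with a destination MAC, never with the RFC 1042 LLC/SNAP header that begins a normal MSDU, so an A-MSDU whose first "DA" equals that header is dropped. Plaintext data frames are refused outright, which also covers CVE-2020-26144.

```python
# Added example (not the article's or the FragAttacks project's code): simplified model
# of A-MSDU parsing on the receive side. Field names and sample frames are assumptions.
import struct
from dataclasses import dataclass

# LLC/SNAP header (RFC 1042) that begins a normal, non-aggregated MSDU: DSAP/SSAP 0xAA,
# control 0x03, OUI 00:00:00, followed by the 2-byte EtherType.
RFC1042_LLC_SNAP = bytes.fromhex("aaaa03000000")
ETHERTYPE_IPV4 = 0x0800


@dataclass
class QosDataFrame:                 # assumed model of a decrypted QoS data frame
    protected: bool                 # arrived encrypted under the session key
    amsdu: bool                     # "A-MSDU present" bit from the QoS Control field
    spp: bool                       # that bit was covered by the integrity check (SPP A-MSDU)
    body: bytes                     # decrypted frame body


def split_amsdu(body: bytes) -> list:
    """Parse A-MSDU subframes: DA(6) SA(6) length(2, big-endian) payload, padded to 4 bytes."""
    subframes = []
    off = 0
    while off + 14 <= len(body):
        da, sa = body[off:off + 6], body[off + 6:off + 12]
        (length,) = struct.unpack("!H", body[off + 12:off + 14])
        payload = body[off + 14:off + 14 + length]
        if len(payload) != length:
            raise ValueError("truncated A-MSDU subframe")
        subframes.append((da, sa, payload))
        off += 14 + length
        off += (-off) % 4           # every subframe but the last is padded to a 4-byte boundary
    return subframes


def receive(frame: QosDataFrame, hardened: bool = True) -> list:
    """Return the (DA, SA, payload) MSDUs a receiver would hand to the network stack."""
    if not frame.protected:
        # Plaintext data frames (A-MSDU or not) are never valid once the link is protected.
        raise PermissionError("plaintext data frame in a protected network")
    if not frame.amsdu:
        return [(None, None, frame.body)]   # one MSDU: LLC/SNAP header, then the packet
    subframes = split_amsdu(frame.body)
    if hardened and not frame.spp and subframes and subframes[0][0] == RFC1042_LLC_SNAP:
        # CVE-2020-24588 mitigation: without SPP the A-MSDU bit is unauthenticated, so a
        # body whose first "DA" is the LLC/SNAP header is a normal frame with the bit flipped.
        raise PermissionError("non-SPP A-MSDU whose first subframe DA is an RFC 1042 header")
    return subframes


def build_flipped_frame() -> QosDataFrame:
    """Constructed sample (not a capture): a normal IPv4 frame whose UDP payload was chosen
    by an attacker, delivered with the A-MSDU bit set. The IP ID field lands on the first
    subframe's length field; 22 makes that subframe end exactly where the UDP payload starts."""
    injected = bytes.fromhex("0a0b0c0d0e0f") + bytes.fromhex("010203040506") \
        + struct.pack("!H", 8) + b"INJECTED"
    udp = struct.pack("!HHHH", 53, 53, 8 + len(injected), 0) + injected
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 22, 0, 64, 17, 0,
                     bytes([203, 0, 113, 1]), bytes([192, 168, 1, 10])) + udp
    body = RFC1042_LLC_SNAP + struct.pack("!H", ETHERTYPE_IPV4) + ip
    return QosDataFrame(protected=True, amsdu=True, spp=False, body=body)


def build_genuine_amsdu() -> QosDataFrame:
    """Constructed sample: a legitimate two-subframe A-MSDU with SPP negotiated."""
    def sub(da, sa, payload):
        s = da + sa + struct.pack("!H", len(payload)) + payload
        return s + b"\x00" * ((-len(s)) % 4)
    da, sa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return QosDataFrame(protected=True, amsdu=True, spp=True,
                        body=sub(da, sa, b"hello") + sub(da, sa, b"world!"))


if __name__ == "__main__":
    print(receive(build_genuine_amsdu()))
    print(receive(build_flipped_frame(), hardened=False))   # second subframe is attacker data
    try:
        receive(build_flipped_frame())
    except PermissionError as e:
        print("dropped:", e)
```

With `hardened=False` the flipped frame yields two subframes: the first is garbage built from the LLC/SNAP and IP header bytes, the second is entirely attacker-chosen. The heuristic only matters because the bit is unauthenticated; with SPP A-MSDUs the bit is part of the authenticated data and the flip would fail the integrity check.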


Vanhoef notes that the practical impact of most of these attacks can be limited, though not removed, by making sure the websites you rely on are served only over HTTPS, ideally enforced with HSTS: the attacks are used to inject or exfiltrate plaintext (for example by redirecting a victim's traffic) rather than to break the Wi-Fi encryption outright, so end-to-end encryption blunts them. The actual fix is the security patches from the vendors of your Wi-Fi access points and, just as important, of your client devices, since all but one of the CVEs above affect clients as well as APs. That is, if your vendors have created and pushed those patches out.
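The fragmentation CVEs in the list above describe, in effect, what a receiver's defragmentation code has to enforce before a patch can be called complete: fragments of one MSDU must all be encrypted, under the same key, with consecutive packet numbers; a lone later fragment must never be delivered as a frame; and anything cached before a (re)connect must be discarded. The following is an added example in Python, not code from the article or from the FragAttacks project: a simplified model of a hardened reassembler with those checks, plus constructed fragments that exercise each one. The Fragment field names, the key_id generation counter and the sample fragments are assumptions for illustration, and TKIP MIC verification (CVE-2020-26141) is not modelled.

```python
# Added example (not the article's or the FragAttacks project's code): simplified model of
# 802.11 defragmentation with the checks the fragmentation CVEs require. Field names,
# the key_id counter and all sample fragments are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    src: str          # transmitter address
    seq: int          # sequence number, shared by all fragments of one MSDU
    frag: int         # fragment number, 0-based
    more: bool        # More Fragments bit
    protected: bool   # decrypted under a session key (False = arrived as plaintext)
    key_id: int       # generation of the pairwise key it was decrypted with (bumps on rekey)
    pn: int           # CCMP/GCMP packet number
    body: bytes


@dataclass
class _Pending:
    key_id: int
    last_pn: int
    parts: list = field(default_factory=list)


class Defragmenter:
    def __init__(self):
        self._pending = {}   # (src, seq) -> _Pending

    def on_connect(self):
        # CVE-2020-24586: fragments cached before a (re)connect must never be completed
        # afterwards, so the cache is flushed on every association.
        self._pending.clear()

    def receive(self, f: Fragment):
        """Return the reassembled MSDU, or None while more fragments are needed;
        raise ValueError for anything a hardened receiver must drop."""
        if not f.protected:
            # CVE-2020-26140/26143/26145: no plaintext frames or fragments once the link is
            # protected. This also rules out mixing plaintext and encrypted fragments of one
            # MSDU (CVE-2020-26147).
            raise ValueError("plaintext frame in protected network")
        if f.frag == 0 and not f.more:
            return f.body                                   # ordinary unfragmented frame
        key = (f.src, f.seq)
        if f.frag == 0:
            self._pending[key] = _Pending(f.key_id, f.pn, [f.body])
            return None
        p = self._pending.get(key)
        if p is None or f.frag != len(p.parts):
            # CVE-2020-26142: a non-first fragment without its predecessors is never a frame.
            raise ValueError("fragment without first fragment or out of order")
        if f.key_id != p.key_id:
            # CVE-2020-24587: all fragments of one MSDU must be encrypted under the same key.
            del self._pending[key]
            raise ValueError("mixed-key fragments")
        if f.pn != p.last_pn + 1:
            # CVE-2020-26146: fragments must carry consecutive packet numbers.
            del self._pending[key]
            raise ValueError("non-consecutive packet numbers")
        p.parts.append(f.body)
        p.last_pn = f.pn
        if f.more:
            return None
        del self._pending[key]
        return b"".join(p.parts)


def demo() -> dict:
    """Constructed fragments (not a capture) exercising each check; returns the outcomes."""
    d = Defragmenter()
    d.on_connect()

    def run(frags):
        out = None
        try:
            for frag in frags:
                out = d.receive(frag)
        except ValueError as e:
            return "dropped: " + str(e)
        return out

    results = {
        "good": run([Fragment("ap", 10, 0, True, True, 1, 100, b"GET /"),
                     Fragment("ap", 10, 1, False, True, 1, 101, b"login")]),
        # a rekey between the two fragments: fragments of different MSDUs could be
        # combined if the receiver ignored the key generation
        "mixed_key": run([Fragment("ap", 11, 0, True, True, 1, 200, b"A"),
                          Fragment("ap", 11, 1, False, True, 2, 201, b"B")]),
        "gap_pn": run([Fragment("ap", 12, 0, True, True, 2, 300, b"A"),
                       Fragment("ap", 12, 1, False, True, 2, 305, b"B")]),
        "plaintext": run([Fragment("ap", 13, 0, True, False, 2, 400, b"A")]),
    }
    # Fragment cache attack: a first fragment is parked, the client reconnects, and the
    # matching second fragment only arrives afterwards.
    d.receive(Fragment("ap", 14, 0, True, True, 2, 500, b"stale"))
    d.on_connect()
    results["after_reconnect"] = run([Fragment("ap", 14, 1, False, True, 2, 501, b"!")])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

Only the "good" scenario produces a frame; every other scenario corresponds to one of the listed CVEs and is dropped. Rejecting plaintext up front is what makes the "mixed plaintext/encrypted" case (CVE-2020-26147) impossible, so it needs no separate branch.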


A note for current WatchGuard customers:

WatchGuard is currently evaluating patches for all WatchGuard access points and will release these fixes as soon as they are available. In the meantime, ensure HSTS is enabled on any websites you control; this limits the impact of most of these vulnerabilities but mitigates rather than remediates them.


External Resources and Documents:

FragAttacks Website: https://www.fragattacks.com/

FragAttacks Demo: https://www.youtube.com/watch?v=88YZ4061tYw&feature=emb_imp_woyt

FragAttacks Whitepaper: https://papers.mathyvanhoef.com/usenix2021.pdf

FragAttacks Overview Whitepaper: https://papers.mathyvanhoef.com/fragattacks-overview.pdf

Aggregation Attack CVE-2020-24588 PowerPoint Slides Overview: https://papers.mathyvanhoef.com/fragattacks-slides-amsdu.pdf

Detailed Slides of Each Vulnerability: https://papers.mathyvanhoef.com/fragattacks-slides-2021-03-8.pdf

Root-Cause Analysis Slide for FragAttacks: https://papers.mathyvanhoef.com/fragattacks-slides-summary-2021-03-8.pdf

FragAttacks Discovery Tools: https://github.com/vanhoefm/fragattacks

FragAttacks Live USB Image Discover Tool: https://github.com/vanhoefm/fragattacks#id-live-image

FragAttacks Black Hat USA 2021 Schedule Presentation: https://blackhat.com/us-21/briefings/schedule/index.html#fragattacks-breaking-wi-fi-through-fragmentation-and-aggregation-23518

FragAttacks USENIX Security Pre-Recording: https://www.youtube.com/watch?v=OJ9nFeuitIU&feature=emb_imp_woyt

HSTS Overview: https://www.secplicity.org/2019/11/05/hsts-a-trivial-response-to-sslstrip/

KRACK Attacks: https://www.krackattacks.com/

Filed Under: Editorial Articles
