A few years ago, in 2017, researchers Mathy Vanhoef and Frank Piessens published a whitepaper showcasing serious vulnerabilities within practically all modern protected Wi-Fi networks. The vulnerabilities lie within the Wi-Fi standard itself and are exploited using Key Reinstallation Attacks (KRACKs). These attacks primarily target the 4-way handshake of the WPA2 protocol – the current Wi-Fi protection standard at the time – and allow an attacker to steal sensitive information in transit, even if the information is encrypted via HTTPS (in some situations).
Most access point vendors have since patched vulnerabilities associated with KRACKs. However, fast-forward to today and Mathy Vanhoef has unveiled another series of attacks affecting modern Wi-Fi access points dubbed “FragAttacks”. FragAttacks, or Fragmentation and Aggregation Attacks, are a collection of vulnerabilities within all modern security protocols of Wi-Fi, including the current WPA3 specification. Vanhoef explains that these vulnerabilities have existed since the inception of Wi-Fi security protocols in 1997 with the WEP standard.
There are numerous attacks described in the FragAttacks whitepaper. Thankfully, Vanhoef provides a list of applicable CVEs associated with his findings. The list of CVEs (taken from his website) can be seen below:
- CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network are assigned the following CVEs:
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
Other implementation flaws are assigned the following CVEs:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
Vanhoef states that most of the vulnerabilities can be remediated by implementing HSTS to enforce HTTPS on websites. Applying the latest security patches from your Wi-Fi access point vendor, however, will apply fixes for all the CVEs listed above, provided your access point vendor has actually created and pushed those patches out.
A note for current WatchGuard customers:
WatchGuard is currently evaluating patches for all WatchGuard access points and will release these fixes as soon as they are available. Ensure HSTS is implemented on all websites to remediate most of these vulnerabilities in the meantime, if applicable.
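Both the paragraph above and the WatchGuard note point to HSTS as the interim mitigation. As an added example (not code from the original post, from WatchGuard, or from Vanhoef's tooling), the Python below parses a Strict-Transport-Security header value and audits it against a one-year max-age threshold plus the includeSubDomains and preload directives; the threshold, the finding texts and the sample headers are this example's own constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for a useful policy


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value using RFC 6797 directive syntax."""
    max_age, include_sub, preload = None, False, False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as RFC 6797 requires
    return HstsPolicy(max_age, include_sub, preload)


def audit_hsts(headers: dict, over_https: bool = True) -> list:
    """Return findings for one response's HSTS deployment (empty list = fine)."""
    findings = []
    if not over_https:
        findings.append("response was not served over HTTPS; browsers ignore HSTS on plain HTTP")
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("no Strict-Transport-Security header")
        return findings
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return findings + [str(exc)]
    if policy.max_age is None:
        findings.append("max-age directive missing; header is invalid and ignored")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is shorter than one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing; subdomains remain exposed")
    if not policy.preload:
        findings.append("preload absent; the very first visit still relies on an HTTPS redirect")
    return findings


# constructed sample responses, not captured from any real site
WEAK = {"Strict-Transport-Security": "max-age=300"}
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
```

Run `audit_hsts` over the headers of each site in scope; an empty result means the policy is complete, anything else is a finding to fix.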
External Resources and Documents:
FragAttacks Website: https://www.fragattacks.com/
FragAttacks Demo: https://www.youtube.com/watch?v=88YZ4061tYw&feature=emb_imp_woyt
FragAttacks Whitepaper: https://papers.mathyvanhoef.com/usenix2021.pdf
FragAttacks Overview Whitepaper: https://papers.mathyvanhoef.com/fragattacks-overview.pdf
Aggregation Attack CVE-2020-24588 PowerPoint Slides Overview: https://papers.mathyvanhoef.com/fragattacks-slides-amsdu.pdf
Detailed Slides of Each Vulnerability: https://papers.mathyvanhoef.com/fragattacks-slides-2021-03-8.pdf
Root-Cause Analysis Slide for FragAttacks: https://papers.mathyvanhoef.com/fragattacks-slides-summary-2021-03-8.pdf
FragAttacks Discovery Tools: https://github.com/vanhoefm/fragattacks
FragAttacks Live USB Image Discover Tool: https://github.com/vanhoefm/fragattacks#id-live-image
FragAttacks Black Hat USA 2021 Schedule Presentation: https://blackhat.com/us-21/briefings/schedule/index.html#fragattacks-breaking-wi-fi-through-fragmentation-and-aggregation-23518
FragAttacks USENIX Security Pre-Recording: https://www.youtube.com/watch?v=OJ9nFeuitIU&feature=emb_imp_woyt
HSTS Overview: https://www.secplicity.org/2019/11/05/hsts-a-trivial-response-to-sslstrip/
KRACK Attacks: https://www.krackattacks.com/