Patched Wi-Fi Vulnerabilities Posed Risks to All Users
Researcher: If Exploited, an Attacker at Close Range Could Inject Malicious Code
A Belgian security researcher says he uncovered vulnerabilities that affect all modern Wi-Fi security protocols and most wirelessly connected devices, including smartphones, routers and IoT devices. Many tech companies have fixed the flaws to avoid leaks of user data.
If exploited, these fragmentation and aggregation attacks - FragAttacks - could enable attackers to steal data if they are in close range of target devices and are able to run malicious code to compromise a device, whether it's a computer, smartphone or other IoT device, says Mathy Vanhoef, the Belgian researcher at New York University Abu Dhabi who discovered the flaws.
The vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3 specification and the original security protocol of Wi-Fi, called WEP, Vanhoef says.
"Several of the newly discovered design flaws have been part of Wi-Fi since its release in 1997," Vanhoef says. "Fortunately, the design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings."
There are two design flaws in a feature of Wi-Fi that was previously not widely studied, and a proposed feature that was not adopted could have prevented one of the design flaws, Vanhoef says. He notes in a white paper: "This shows it stays important to analyze even the most well-known security protocols."
Vanhoef helped write patches for the Linux kernel and provided advice for technology manufacturers working on Wi-Fi security updates during a nine-month coordinated disclosure period supervised by the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet. This enabled technology companies supplying Wi-Fi-enabled products, including Microsoft, Intel, Samsung, Cisco, Ruckus, Lenovo, Netgear and Synology, to quietly release patches, Vanhoef notes.
"Security researchers identified vulnerabilities in the frame aggregation functionality of some Wi-Fi devices," the Wi-Fi Alliance said in a statement. "There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices."
Erich Kron, security awareness advocate at KnowBe4, notes: "Due to the overwhelming number of devices this will impact, the vulnerabilities will likely be around for some time and active exploits are likely to be spotted in the wild."
Andy Norton, European cyber risk officer at security firm Armis, adds: "Having a total picture of the devices that comprise your attack surface is becoming increasingly important to insure no blind spots become the entry point for future intrusions."
Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard, so they affect most devices. Several others are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that virtually all Wi-Fi products are affected by at least one vulnerability and that most products are affected by several vulnerabilities, Vanhoef says.
Several plain-text injection vulnerabilities were identified. By carefully constructing an unencrypted Wi-Fi frame and injecting it, an attacker could trick a client into using a malicious DNS server and thereby intercept the client's traffic, the researcher says. The same method can be used to bypass Network Address Translation, or NAT, firewalls, allowing the adversary to subsequently attack devices in the local Wi-Fi network.
Certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network. The researcher says this means the attacker wouldn't have to do anything special to construct unencrypted Wi-Fi frames so that they are accepted by a vulnerable device.
The plain-text injection vulnerabilities, which allow plain-text frames to be injected into a protected Wi-Fi network, are assigned the following CVEs:
- CVE-2020-26140: Accepting plain-text data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plain-text data frames in a protected network.
- CVE-2020-26144: Accepting plain-text A-MSDU frames that start with an RFC1042 header with EtherType EAPOL in an encrypted network.
- CVE-2020-26145: Accepting plain-text broadcast fragments as full frames in an encrypted network.
There is also a design flaw in the frame fragmentation feature of Wi-Fi, which is intended to increase the reliability of a connection by splitting large frames into smaller fragments, Vanhoef says.
"Every fragment that belongs to the same frame is encrypted using the same key. However, receivers are not required to check this and will reassemble fragments that were decrypted using different keys. Under rare conditions this can be abused to exfiltrate data," he explains.
Another frame fragmentation design flaw is that whenever a client disconnects from the network, the Wi-Fi device is not required to remove non-reassembled fragments from memory. This can be abused against hotspot-like networks such as eduroam and govroam, and against enterprise networks where users distrust each other.
Selected data sent by the victim can also be exfiltrated, Vanhoef notes. "This is achieved by injecting a malicious fragment in the memory of the access point. When the victim then connects to the access point and sends a fragmented frame, selected fragments will be combined with the injected fragment of the adversary," he says.
Wi-Fi standard design flaws are assigned the following CVEs:
- CVE-2020-24586: Fragment cache attack, which means not clearing fragments from memory when reconnecting to a network.
- CVE-2020-24587: Mixed key attack, which involves reassembling fragments encrypted under different keys.
- CVE-2020-24588: Aggregation attack, which involves accepting non-SPP A-MSDU frames.
Other Implementation Flaws
Some routers will forward handshake frames to another client before the sender has authenticated them, which allows an adversary to perform an aggregation attack and inject arbitrary frames without user interaction, the researcher says.
Another flaw is that receivers do not check whether all fragments belong to the same frame, allowing an adversary to forge frames by mixing the fragments of two different frames. In several implementations, encrypted and plain-text fragments can also be mixed, Vanhoef says.
Many devices that do not support fragmentation or aggregation are still vulnerable to attacks because they process fragmented frames as full frames, which can be abused to inject packets, he notes.
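The receiver-side checks that the fragmentation and aggregation findings above call for can be modeled in a few lines. The following is an added illustration, not code from Vanhoef's research or from any vendor patch: a simplified per-client reassembler that drops plain-text fragments in a protected network, refuses to combine fragments decrypted under different keys, refuses to treat a lone fragment as a full frame, and clears its fragment cache on disconnect. The Fragment fields and key_id labels are assumptions for the model, not 802.11 header names.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fragment:
    seq: int                # sequence number identifying the frame (assumed field)
    frag_no: int            # position of this fragment within the frame
    more_frags: bool        # True if further fragments follow
    encrypted: bool         # decrypted from a protected frame, or received in plain text
    key_id: Optional[int]   # identifier of the key it was decrypted under (None if plain text)
    payload: bytes


class HardenedReassembler:
    """Fragment reassembly for a client on a protected network."""

    def __init__(self):
        # seq -> (key_id, next expected frag_no, payload chunks so far)
        self._cache = {}

    def on_disconnect(self):
        # Drop cached fragments when the client leaves so a later client
        # cannot have them combined with its own frames (fragment cache flaw).
        self._cache.clear()

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled frame when complete, otherwise None."""
        if not frag.encrypted:
            return None  # plain-text frames are never accepted on a protected network
        if frag.frag_no == 0:
            if not frag.more_frags:
                return frag.payload  # a genuine single-fragment frame
            # First of several: do not process it as a full frame, start a new entry.
            self._cache[frag.seq] = (frag.key_id, 1, [frag.payload])
            return None
        entry = self._cache.get(frag.seq)
        if entry is None:
            return None  # non-initial fragment with no first fragment: drop it
        key_id, expected, chunks = entry
        if frag.key_id != key_id or frag.frag_no != expected:
            # Mixed keys or out-of-order fragment: discard the whole frame.
            del self._cache[frag.seq]
            return None
        chunks.append(frag.payload)
        if frag.more_frags:
            self._cache[frag.seq] = (key_id, expected + 1, chunks)
            return None
        del self._cache[frag.seq]
        return b"".join(chunks)
```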
Earlier, Vanhoef and his team discovered the key reinstallation attacks, or KRACK, that exploit a vulnerability in Wi-Fi Protected Access II (WPA2).