The Industry Consortium for Advancement of Security on the Internet (ICASI) today announces the coordinated disclosure of a series of vulnerabilities related to the functionality of some Wi-Fi devices. We would like to thank Mathy Vanhoef (New York University Abu Dhabi) for identifying these issues, reporting them to industry, and participating in their coordinated disclosure.
If exploited, these vulnerabilities could result in data exfiltration. The associated CVEs are as follows:
CVE-2020-24586 – Not clearing fragments from memory when (re)connecting to a network
CVE-2020-24587 – Reassembling fragments encrypted under different keys
CVE-2020-24588 – Accepting non-SPP A-MSDU frames
CVE-2020-26139 – Forwarding EAPOL frames even though the sender is not yet authenticated
CVE-2020-26140 – Accepting plaintext data frames in a protected network
CVE-2020-26141 – Not verifying the TKIP MIC of fragmented frames
CVE-2020-26142 – Processing fragmented frames as full frames
CVE-2020-26143 – Accepting fragmented plaintext data frames in a protected network
CVE-2020-26144 – Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
CVE-2020-26145 – Accepting plaintext broadcast fragments as full frames (in an encrypted network)
CVE-2020-26146 – Reassembling encrypted fragments with non-consecutive packet numbers
CVE-2020-26147 – Reassembling mixed encrypted/plaintext fragments
You can view Mathy’s research paper here.
Additional information can also be found here: https://fragattacks.com.
ICASI would like to thank our members and partners and all the companies who participated with us in the coordinated disclosure. We especially commend Wi-Fi Alliance for all their assistance. Thanks to this coordinated effort, companies have already begun developing patches to mitigate these vulnerabilities. Organizations are encouraged to deploy these patches as they are released. You can find links to advisories from Wi-Fi Alliance, ICASI members, and ICASI partners below.
Juniper Networks: https://kb.juniper.net/JSA11170