A dozen Wi-Fi design and implementation flaws make it possible for miscreants to steal transmitted data and bypass firewalls to attack devices on home networks, according to security researcher Mathy Vanhoef.
On Tuesday, Vanhoef, a postdoctoral researcher in computer security at New York University Abu Dhabi, released a paper titled, "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" [PDF].
Scheduled to be presented later this year at the Usenix Security conference, the paper describes a set of wireless networking vulnerabilities, including three Wi-Fi design flaws and nine implementation flaws.
Vanhoef, who in 2017 along with co-author Frank Piessens identified key reinstallation attacks (KRACKs) on the WPA2 protocol (used to secure Wi-Fi communication), has dubbed his latest research project FragAttacks, which stands for fragmentation and aggregation attacks.
The dozen vulnerabilities affect all Wi-Fi security protocols since the wireless networking technology debuted in 1997, from WEP up through WPA3.
"One design flaw is in the frame aggregation functionality, and another two are in the frame fragmentation functionality," explains Vanhoef in his paper. "These design flaws enable an adversary to forge encrypted frames in various ways, which in turn enables exfiltration of sensitive data."
He also identified flaws in the way frame aggregation – combining multiple network data frames – and frame fragmentation – splitting network data frames into smaller pieces – are implemented that magnify the impact of potential attacks.
The 802.11 frame aggregation flaw involves flipping an unauthenticated flag in a frame header, which allows the encrypted data payload to get parsed as if it were multiple aggregated frames instead of a simple network packet.
"We abuse this to inject arbitrary frames, and then intercept a victim’s traffic by making it use a malicious DNS server," the paper explains. "Practically all devices that we tested were vulnerable to this attack."
In total, 75 devices – network card and operating system combinations (Windows, Linux, Android, macOS, and iOS) – were tested and all were affected by one or more of the attacks.
NetBSD and OpenBSD were not affected because they don't support the reception of A-MSDUs (aggregate MAC service data units).
Fragging made dangerous
As for the two frame fragmentation design flaws, one has to do with the fact that while all the fragments of a frame are encrypted with the same key, receivers of the data aren't required to verify this. "We show that an adversary can abuse this missing check to forge frames and exfiltrate data by mixing fragments encrypted under different keys," explains Vanhoef in his paper.
The other design flaw has to do with the fact that a frame receiver isn't forced to remove incomplete fragments from memory when connecting to a different network. Vanhoef managed to abuse this by injecting malicious fragments into the fragment cache, which amounts to being able to inject arbitrary packets.
Meanwhile, the various implementation flaws include issues like data receivers not checking whether fragments belong to the same frame, which lets an attacker mix and match forged frames, not checking whether frame fragments are encrypted or not, and manipulating handshake messages to inject plaintext aggregated frames.
To conduct an attack based on these flaws, the adversary has to be within range of the victim and the applicable Wi-Fi access point. The adversary would then have to dupe the victim into some network interaction, like downloading an image from an adversary-controlled server.
Thereafter, the adversary can send a malicious IPv4 packet over the network. The packet gets encrypted as usual, but the adversary will then set a flag so the data will be treated as an aggregated frame, which enables arbitrary packet injection, like a router advertisement to use a malicious DNS server.
Vanhoef has released a tool on GitHub to test whether Wi-Fi clients and access points are vulnerable, and has also published a PoC attack demonstration on YouTube.
The CVEs created as a result of Vanhoef's findings include:
- CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
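To make the receiver-side checks concrete, here is an added toy reassembler in Python, written for this page rather than taken from the paper, the FragAttacks test tool or any Wi-Fi driver. It implements the checks that the fragmentation design flaws described above and the CVE list say are missing: the same key for every fragment, consecutive packet numbers, a cache cleared on (re)connect, and no plaintext fragments in a protected network. The simplified frame fields, the `key_epoch` counter (standing in for whichever key the decryption layer used) and the station address are assumptions for illustration; no real decryption takes place.

```python
"""Toy 802.11 fragment reassembler enforcing the receiver-side checks that the
FragAttacks paper describes as missing. Added illustration: not the paper's
code, not the FragAttacks test tool, not a real driver; no real decryption."""
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Fragment:
    sender: str               # transmitter address (constructed sample)
    seq: int                  # sequence number shared by a frame's fragments
    frag_no: int              # fragment number, starting at 0
    more_frags: bool          # the "More Fragments" header flag
    encrypted: bool           # False: the fragment arrived in plaintext
    key_epoch: Optional[int]  # assumed: which (re)keyed key decrypted it
    pn: Optional[int]         # CCMP/GCMP packet number (replay counter)
    payload: bytes

@dataclass
class _Partial:
    key_epoch: int
    next_frag: int
    last_pn: int
    parts: list

class Reassembler:
    def __init__(self, protected_network: bool = True):
        self.protected = protected_network
        self.cache = {}   # (sender, seq) -> _Partial

    def on_reconnect(self):
        # CVE-2020-24586: cached fragments must not survive a (re)connect.
        self.cache.clear()

    def receive(self, frag: Fragment) -> Optional[bytes]:
        key = (frag.sender, frag.seq)
        # CVE-2020-26140/26143/26147: in a protected network, plaintext data
        # frames and fragments are dropped and never enter the cache.
        if self.protected and not frag.encrypted:
            self.cache.pop(key, None)
            return None
        if frag.frag_no == 0:
            if not frag.more_frags:
                return frag.payload   # ordinary unfragmented frame
            # CVE-2020-26142: a first fragment is never delivered as a frame.
            self.cache[key] = _Partial(frag.key_epoch, 1, frag.pn, [frag.payload])
            return None
        partial = self.cache.get(key)
        if partial is None:
            return None               # continuation with no first fragment
        # CVE-2020-24587: all fragments must be decrypted under the same key.
        # CVE-2020-26146: packet numbers must be consecutive. Fragment numbers
        # must be consecutive too, so different frames cannot be mixed.
        if (frag.key_epoch != partial.key_epoch
                or frag.pn != partial.last_pn + 1
                or frag.frag_no != partial.next_frag):
            del self.cache[key]
            return None
        partial.parts.append(frag.payload)
        partial.last_pn = frag.pn
        partial.next_frag += 1
        if frag.more_frags:
            return None
        del self.cache[key]
        return b"".join(partial.parts)

# Constructed sample: one frame split into two encrypted fragments.
STA = "02:00:00:00:00:01"
HEAD = Fragment(STA, 7, 0, True, True, 0, 100, b"GET /index.html")
TAIL = Fragment(STA, 7, 1, False, True, 0, 101, b" HTTP/1.1")

def _started() -> Reassembler:
    r = Reassembler()
    r.receive(HEAD)
    return r

def demo_normal() -> Optional[bytes]:
    return _started().receive(TAIL)

def demo_mixed_key() -> Optional[bytes]:
    # The decryption layer reports the second half came in under a new key.
    return _started().receive(replace(TAIL, key_epoch=1))

def demo_reconnect() -> Optional[bytes]:
    r = _started()
    r.on_reconnect()   # client moved to another network in between
    return r.receive(TAIL)

def demo_nonconsecutive_pn() -> Optional[bytes]:
    return _started().receive(replace(TAIL, pn=105))

def demo_plaintext_fragment() -> Optional[bytes]:
    return _started().receive(
        replace(TAIL, encrypted=False, key_epoch=None, pn=None))
```

Each `demo_*` function returns the reassembled payload, or `None` when the hardened receiver drops the frame; the drop paths correspond to the mixed key, fragment cache, non-consecutive packet number and plaintext-fragment entries in the list. A real driver would also have to apply the same discipline to A-MSDU subframes and to the TKIP MIC of fragmented frames, which this toy does not model.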
Patches for many affected devices and software have already been deployed, thanks to a nine-month-long coordinated responsible disclosure overseen by the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI).
Linux patches have been applied, and the kernel mailing list note says that Intel addressed the flaws in a recent firmware update without saying so. Microsoft released its patches on March 9, 2021, when disclosure was delayed, though Redmond had already committed to publication.
Vanhoef advises checking with the vendor(s) of Wi-Fi devices about whether the FragAttacks have been addressed. "[F]or some devices the impact is minor, while for others it's disastrous," he said. ®