A new set of vulnerabilities with an aggressive name and their own website almost always bodes ill. The name FragAttack is a contraction of fragmentation and aggregation attacks, which immediately indicates the main area where the vulnerabilities were found.
The vulnerabilities are mostly in how Wi-Fi and connected devices handle data packets, and more particularly in how they handle fragments and frames of data packets. As far as the researcher is aware every Wi-Fi product is affected by at least one vulnerability.
The researcher that uncovered the Wi-Fi vulnerabilities, some of which have existed since 1997, is Mathy Vanhoef. The vulnerabilities he discovered affect all modern Wi-Fi security protocols, including the latest WPA3 specification. You may remember Vanhoef as one of the researchers behind the KrackAttacks weaknesses in the WPA2 protocol. As Vanhoef puts it:
“it stays important to analyze even the most well-known security. Additionally, it shows that it’s essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them.”
In each network, there is a maximum size to the chunks of data that can be transmitted on a network layer, called the MTU (Maximum Transmission Unit). Packets can often be larger than this maximum size, so to fit inside the MTU limit each packet can be divided into smaller pieces of data, called fragments. These fragments are later re-assembled to reconstruct the original message.
Wi-Fi networks can use this packet fragmentation to improve throughput. By fragmenting data packets and sending more, but shorter frames, each transmission will have a lower probability of collision with another packet. So, if the content of a message is too large to fit inside a single packet, the content is spread across several fragments, each with its own header.
Just like packets, frames are small parts of a message in the network. A frame helps to identify data and determine the way it should be decoded and interpreted. The main difference between a packet and a frame is the association with the OSI layers. While a packet is the unit of data used in the network layer, a frame is the unit of data used on the layer below it in the OSI model’s data link layer. A frame contains more information about the transmitted message than a packet.
The researcher found several implementation flaws that can be abused to easily inject frames into a protected Wi-Fi network. These vulnerabilities can be grouped as follows:
- Some Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network.
- Certain devices accept plaintext aggregated frames that look like handshake messages.
- Worse than those, some devices accept broadcast fragments even when sent unencrypted.
Design flaws in the Wi-Fi feature that handling frames
- The frame aggregation feature of Wi-Fi uses an “is aggregated” flag that is not authenticated and can be modified by an adversary.
- Another design flaw is in the frame fragmentation feature of Wi-Fi. Receivers are not required to check whether every fragment that belongs to the same frame is encrypted with the same key and will reassemble fragments that were decrypted using different keys.
- The third design flaw is also in Wi-Fi’s frame fragmentation feature. When a client disconnects from the network, the Wi-Fi device is not required to remove non-reassembled fragments from memory.
A few other implementation vulnerabilities that can be used to escalate the flaws mentioned above.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Although each affected codebase normally receives a unique CVE, the agreement between affected vendors was that, in this specific case, using the same CVE across different codebases would make communication easier.
The design flaws were assigned the following CVEs:
- CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames).
- CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys).
- CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network were assigned these CVEs:
- CVE-2020-26145: Samsung Galaxy S3 accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26144: Samsung Galaxy S3 accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26140: Alfa Windows 10 driver for AWUS036H accepting plaintext data frames in a protected network.
- CVE-2020-26143: Alfa Windows 10 driver 1030.36.604 for AWUS036ACH accepting fragmented plaintext data frames in a protected network.
Other implementation flaws are assigned the following CVEs:
- CVE-2020-26139: NetBSD forwarding EAPOL frames even though the sender is not yet authenticated.
- CVE-2020-26146: Samsung Galaxy S3 reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Linux kernel 5.8.9 reassembling mixed encrypted/plaintext fragments.
- CVE-2020-26142: OpenBSD 6.6 kernel processing fragmented frames as full frames.
- CVE-2020-26141: ALFA Windows 10 driver for AWUS036H not verifying the TKIP MIC of fragmented frames.
On the dedicated site the researcher states that
“experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.”
The statement is based on testing more than 75 devices, which showed they were all vulnerable to one or more of the discovered attacks.
To mitigate attacks where your router’s NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices will need to be updated. Unfortunately, not all products get regular updates.
Using a VPN can prevent attacks where an adversary is trying to exfiltrate data. It will not prevent an adversary from bypassing your router’s NAT/firewall to directly attack devices.
The impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned.
Graveness of the vulnerabilities
We have been here before. When the KRACK vulnerabilities were revealed a few years ago some people treated it as if it was the end of Wi-Fi. You’ll have noticed it wasn’t. That doesn’t mean it was nothing, either, but a little perspective goes a long way.
The CVEs registered to the FragAttacks have been given a medium severity rating and have CVSS scores sitting between 4.8 to 6.5. Which indicates that the chances of anything resembling remote control is probably too difficult to achieve to make it attractive. The data stealing options however are more imminent and could well be used in specific attacks.
Proof is in the pudding
If you are interested, you can find a demo and a link to a testing tool on the dedicated website. You can also find some FAQs and a pre-recorded presentation made for USENIX Security about these vulnerabilities.
Stay safe, everyone!