The discovered WiFi vulnerability dubbed FragAttacks affects all modern security protocols of Wi-Fi. These flaws are hard to abuse, however; the biggest threats are the programming mistakes in WiFi products. This might come as a big surprise, but Lansweeper has got you covered.
⚡ TL;DR | Go Straight to the FragAttack Vulnerability Report.
What is Frag Attack?
Fragmentation and aggregation attacks (FragAttacks) are a collection of vulnerabilities that affect Wi-Fi devices. By abusing these vulnerabilities, attackers can attack devices within a network or steal information. The exact attack can take many forms depending on the vulnerabilities used. Because some of these vulnerabilities lie at the base of Wi-Fi products, most Wi-Fi capable products are affected in one way or another.
Luckily, these design flaws are hard to abuse because they require either user interaction or abnormal network settings, but that doesn't make it impossible, especially when the target is worth the effort.
FragAttack Rogue DNS Injection
One of the proven methods is a DNS injection. By abusing CVE-2020-24588, attackers can change both the IPv6 and IPv4 DNS servers used by a Wi-Fi device. This is used to redirect users to fake clones of real websites that look identical. The goal is to get users to enter their credentials on one of these websites so those credentials can be used in subsequent attacks.
The best method to prevent this is obviously to update in order to fix the vulnerability. A fix was included in the May Patch Tuesday. To check if your devices have been updated, you can use our Patch Tuesday report.
Lansweeper also scans your device's DNS settings, so a method to detect if one of your assets has been compromised is to see if any computers are using non-standard DNS settings. Luckily we also have a report for that so you can check the DNS settings of your assets.
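A minimal version of that DNS-settings check, as an added example (not Lansweeper's report or code): it takes a constructed inventory of per-asset DNS servers and flags any IPv4 or IPv6 resolver outside an assumed approved list. The names `APPROVED_DNS`, `INVENTORY` and `find_unapproved_dns`, and all addresses, are illustrative assumptions.

```python
import ipaddress

# Assumption: resolvers your organisation actually runs (constructed sample values).
APPROVED_DNS = ["10.0.0.53", "10.0.1.53", "fd00:53::/64"]

# Constructed inventory export: asset name -> DNS servers configured on its adapters.
INVENTORY = {
    "ws-001": ["10.0.0.53", "10.0.1.53"],
    "ws-002": ["10.0.0.53", "FD00:0053:0000:0000:0000:0000:0000:0001"],
    "ws-003": ["203.0.113.66", "10.0.1.53"],
    "ws-004": ["10.0.0.53", "2001:db8::bad"],
    "ws-005": ["10.0.0.53", "not-an-ip"],
}


def find_unapproved_dns(inventory, approved):
    """Return {asset: [reasons]} for every DNS entry outside the approved set."""
    nets = [ipaddress.ip_network(a, strict=False) for a in approved]
    findings = {}
    for asset, servers in sorted(inventory.items()):
        for raw in servers:
            try:
                # Parsing normalises case and zero-compression, so different
                # spellings of the same IPv6 address compare equal.
                addr = ipaddress.ip_address(raw.strip())
            except ValueError:
                findings.setdefault(asset, []).append(f"unparseable entry {raw!r}")
                continue
            # IPv4-mapped IPv6 (::ffff:a.b.c.d) is compared as the IPv4 address it carries.
            if addr.version == 6 and addr.ipv4_mapped is not None:
                addr = addr.ipv4_mapped
            if not any(addr.version == n.version and addr in n for n in nets):
                findings.setdefault(asset, []).append(f"unapproved resolver {addr}")
    return findings


if __name__ == "__main__":
    for asset, reasons in find_unapproved_dns(INVENTORY, APPROVED_DNS).items():
        print(asset, "->", "; ".join(reasons))
```

Both address families are checked because the injection described above can change the IPv6 resolver as well as the IPv4 one.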
Finding Your Fix for This WiFi Vulnerability
These vulnerabilities affect a great many devices, including many that do not get updated often, like access points, security systems and other network devices. Getting a fix isn't straightforward since it depends on the manufacturer of the hardware you have. To help with checking if your devices are affected and if there is an update available, you can look at the ICASI statement, which lists some advisories by affected product companies.
Additionally, you can take a look at the GitHub of the vulnerabilities' reporter, which has a more extensive list of the security advisories or bulletins linked to FragAttacks.
Design flaws
- CVE-2020-24588: Accepting non-SPP A-MSDU frames
- CVE-2020-24587: Reassembling fragments encrypted under different keys
- CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network
Implementation flaws allowing trivial packet injection
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network)
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
- CVE-2020-26140: Accepting plaintext data frames in a protected network
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network
Other Implementation Vulnerabilities
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments
- CVE-2020-26142: Processing fragmented frames as full frames
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames