Peplink Security Advisory: FragAttack

Background

A new set of vulnerabilities, FragAttacks, was announced recently, and our forum user (@Michael234) also reported it in this post.

FragAttacks is a collection of security vulnerabilities. Three of them are design flaws in Wi-Fi itself and affect most devices that use Wi-Fi; the others, according to the researchers, are programming mistakes found in many Wi-Fi products.

An attacker could use these vulnerabilities to perform two types of attacks:

  1. In the right situation, an attacker can use FragAttacks to steal data from a Wi-Fi network that should be encrypted and protected against such an attack. If the user is sending unencrypted data over an encrypted Wi-Fi connection, a FragAttack can be used to bypass the Wi-Fi encryption. Websites and applications that are themselves securely encrypted (e.g. HTTPS) are protected from this kind of attack.

  2. FragAttacks could also be used to launch attacks against vulnerable devices on a Wi-Fi network, such as smart home and IoT devices, especially those from brands that do not provide long-term support and whose devices do not regularly receive updates. Once compromised, such smart/IoT devices can be taken over remotely by the attacker.

List of vulnerabilities included in FragAttack:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.

More details can be found in the original article.
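Several of the CVEs above (CVE-2020-24586, CVE-2020-24587, CVE-2020-26142, CVE-2020-26143, CVE-2020-26146, CVE-2020-26147) describe checks a receiver must apply when reassembling fragmented frames. The following toy reassembler, added here as an illustration and not Peplink's or any real driver's code, models those checks on constructed fragment records; the field names and the Fragment/Reassembler classes are assumptions made for the example.

```python
"""Constructed model of fragment-reassembly checks; not Peplink firmware code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Fragment:
    seq: int                # sequence number shared by all fragments of one frame
    frag: int               # fragment index, 0-based
    more: bool              # "more fragments" flag
    encrypted: bool         # arrived under data confidentiality (assumed field)
    key_id: Optional[int]   # key the fragment was decrypted with, None if plaintext
    pn: Optional[int]       # CCMP/GCMP packet number, None if plaintext
    payload: bytes


@dataclass
class Reassembler:
    cache: dict = field(default_factory=dict)  # seq -> list of pending fragments

    def reconnect(self) -> None:
        # CVE-2020-24586: stale fragments must not survive a (re)connection
        self.cache.clear()

    def accept(self, f: Fragment) -> Optional[bytes]:
        """Return the full frame once complete, None while pending, raise on a violation."""
        if not f.encrypted:
            # CVE-2020-26143 / CVE-2020-26147: no plaintext (or mixed) fragments
            raise ValueError("plaintext fragment in protected network")
        buf = self.cache.get(f.seq)
        if f.frag == 0:
            buf = [f]
            self.cache[f.seq] = buf
        else:
            if buf is None or len(buf) != f.frag:
                raise ValueError("out-of-order or orphaned fragment")
            prev = buf[-1]
            if f.key_id != prev.key_id:
                self.cache.pop(f.seq)  # CVE-2020-24587: mixed key fragments
                raise ValueError("fragments encrypted under different keys")
            if f.pn != prev.pn + 1:
                self.cache.pop(f.seq)  # CVE-2020-26146: PNs must be consecutive
                raise ValueError("non-consecutive packet numbers")
            buf.append(f)
        if f.more:
            return None  # CVE-2020-26142: never deliver a partial frame as a full one
        self.cache.pop(f.seq)
        return b"".join(x.payload for x in buf)
```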

Products Affected

  1. X Series with Wi-Fi
  2. Balance Series with Wi-Fi
  3. MAX Series with Wi-Fi
  4. UBR Series
  5. SOHO Series
  6. AP Series

Resolution

We are preparing the fixes to be included in the target firmware release listed below.

Series                      Variant               Firmware Revision
X Series with Wi-Fi         -                     8.1.3
Balance Series with Wi-Fi   -                     8.1.3
MAX Series with Wi-Fi       -                     8.1.3
UBR Series                  -                     8.1.3
SOHO Series                 -                     8.1.3
AP Series                   802.11a/b/g/n/ac      3.6.3
AP Series                   802.11ac Wave 2/ax    3.9.1

Workaround

Until the fixed firmware is available, the following measures help safeguard your network from FragAttacks:

  1. Ensure your devices and OS are receiving security updates. If you have machines running an older OS version that no longer receives updates, you should upgrade them.

  2. Install those security updates. Current devices normally install updates automatically.

  3. Use secure encryption. Use HTTPS whenever possible, or a well-known application that is securely encrypted. Most websites you visit nowadays automatically use HTTPS if it is available.

Further Updates

This advisory may be updated if any additional information regarding the above vulnerabilities becomes available.

[23 July 2021]
– Firmware 8.1.3 is now GA
– AP One Firmware 3.6.3 GA

[18 February 2022]
– AP One Firmware 3.9.1 Beta 1


The affected products include the SOHO Series but there is no mention of it/them in the Resolution section. What does the future hold for the SOHO series?


The 8.1.3b1 release notes state that “[Beta 1] [Wi-Fi] Fixed: Wi-Fi FragAttack Vulnerability” applies to the Surf Soho. Hopefully the Surf Soho omission above is just a typo.

@Michael234, thanks for highlighting, I have updated the list which missed out the SOHO Series.

@Mark9, you are right! It is a typo…


Hello @WeiMing,
Will new firmware also be released for the:

  • Pepwave Device Connector models
  • Pepwave AirProbe models

Our understanding is these use the same chipset & hardware as their APO counterparts.

Note that we currently are deploying with special versions of the firmware:

  • Pepwave Device Connector (1.2.0s002 build 4891)
  • Pepwave AirProbe (3.7.2s004 build 1037)

This is important for us on multiple fronts, including security & certification.
Happy to Help,
Marcus

Still no 3.9.1 for AP visible?

@ckirch, the team is working hard on it. We will keep you posted with the availability news.


Dear @WeiMing, any news about 3.9.1 GA Firmware incl. fix for latest AP wave2 hardware?

@WeiMing: Any estimated timeline for 3.9.2 for AP One AC Mini HW2 devices?

It would be firmware 3.9.1, to include the fixes for AP One models with 802.11ac Wave 2 & 802.11ax. The teams are working on it; we will share more when the latest updates are available. Stay tuned.


Any news on this for AP One AX firmware 3.9.1?

AP One firmware 3.9.1 Beta 1 has just been released, you may want to take a look at it here.
