Peplink Security Advisory: FragAttack

Background

There are new vulnerabilities, FragAttacks was announced recently, and our forum user (@Michael234) reported that in this post too.

The FragAttacks is a collection of security vulnerabilities. Three of them are design flaws with Wi-Fi itself and affect most devices that use Wi-Fi, while others, according to the researchers, found the programming mistakes in many Wi-Fi products.

With these vulnerabilities, an attacker could use FragAttacks to perform two types of attacks:

  1. If in the right situation, an attacker can utilize FragAttacks to steal data from a Wi-Fi network that should be encrypted and protected against such an attack. If the user is sending unencrypted data over an encrypted Wi-Fi connection, a FragAttack could be used to bypass the Wi-Fi encryption. However, those websites or applications that are securely encrypted (eg. HTTPS), will be protected from this kind of attack.

  2. The other possible attack is, FragAttacks could be used to launch attacks against vulnerable devices on a Wi-Fi network, such as smart home and IoT devices, especially those brands that do not provide long-term support for their devices—do not regularly receive updates. Once compromised, the attacker can remotely take over the control of these smart/IoT devices.

List of vulnerabilities included in FragAttack:

  • CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
  • CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
  • CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).
  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.

More details can be found in the original article.

Products Affected

  1. X Series with Wi-Fi
  2. Balance Series with Wi-Fi
  3. MAX Series with Wi-Fi
  4. UBR Series
  5. SOHO Series
  6. AP Series

Resolution

We are preparing the fixes to be included in the target firmware release listed below.

Series Variant Firmware Revision
X Series with Wi-Fi 8.1.3
Balance Series with Wi-Fi 8.1.3
MAX Series with Wi-Fi 8.1.3
UBR Series 8.1.3
SOHO Series 8.1.3
AP Series 802.11a/b/g/n/ac 3.6.3
802.11ac Wave 2/ax 3.9.1

Workaround

As a temporary measure prior to the firmware availability, there are some workarounds to safeguard your network from the FragAttacks. Here are some tips:

  1. Ensure your devices and OS are getting security updates. You should opt for an upgrade if you have machines with the older version of OS that isn’t getting updates.

  2. Second, install those security updates. New/current devices normally will automatically install updates for you.

  3. Use secure encryption. Try to use HTTPS whenever possible, or a well-known application that is securely encrypted. Anyway, most websites you visit nowadays likely automatically use HTTPS if it’s available.

Further Updates

This advisory may be updated if any additional information regarding the above vulnerabilities becomes available.

[23 July 2021]
– Firmware 8.1.3 is now on RC2
– AP One Firmware 3.6.3 RC2

4 Likes

The affected products includes the SOHO Series but there is no mention of it/them in the Resolution section. What does the future hold for the SOHO series?

1 Like

The 8.1.3b1 release notes state that “[Beta 1] [Wi-Fi] Fixed: Wi-Fi FragAttack Vulnerability” applies to the Surf Soho. Hopefully the Surf Soho omission above is just a typo.

@Michael234, thanks for highlighting, I have updated the list which missed out the SOHO Series.

@Mark9, you are right! It is a typo… :sweat_smile:

2 Likes

Hello @WeiMing,
Will new firmware also be released for the:

  • Pepwave Device Connector models
  • Pepwave AirProbe models

Our understanding is these use the same chipset & hardware as their APO counterparts.

Note that we currently are deploying with special versions of the firmware:

  • Pepwave Device Connector (1.2.0s002 build 4891)
  • Pepwave AirProbe (3.7.2s004 build 1037)

This is important for us on multiple fronts, including security & certification.
Happy to Help,
Marcus :slight_smile: