Vulnerabilities Announcement - Bypassing Wi-Fi Encryption by Manipulating Transmit Queues

Peplink has identified vulnerabilities in some of its products related to the manipulation of transmit queues in the 802.11 standards, regarding the Framing Frames research paper. Specifically:

Section 3 - Leaking Frames from the Wi-Fi Queue: Some Peplink models that have Wi-Fi AP function may be vulnerable to leaking frames from the Wi-Fi queue, while others may not. Stay tuned to this post as we will provide a list of affected models.

Section 4 - Abusing the Queue for Network Disruptions: Peplink models are vulnerable to abusing the queue for network disruptions.

Section 5 - Overriding the Victim’s Security Context: For the attack to be successful, the attacker must possess valid network credentials, impeccable timing, and even if the attacker receives frames, they are of minimal value in modern secured networks.

Impact and Severity
The attacker takes advantage of the fact that they can intercept certain data packets intended for the victim, steal their contents and obtain sensitive information by using the same MAC address as the victim. This can be done by disconnecting the victim from the WLAN through a deauthentication attack or logging in at another AP in the network using the victim’s MAC address. In a securely configured network, this attack is considered opportunistic and the information that the attacker can obtain is of minimal value.

Mitigations
To better prevent this attack, we recommend separating trusted and untrusted WLAN clients by using different SSIDs and VLAN networks; enabling the “Management Frame Protection”; and using higher-layer encryption, such as TLS and HTTPS, which can prevent sensitive information from being exposed to attackers.
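As an added illustration (not Peplink's code, nor anything from the paper), a small detection sketch for the pattern the post describes: a deauthentication followed shortly by the same MAC address associating at a different AP. The event format and the sample events are constructed here; a real controller log would need its own parser.

```python
# Added example: flag "deauth on AP X, then assoc of the same MAC on AP Y
# within a short window", the reassociation pattern described above.
# The "timestamp ap event mac" line format is an assumption, not a real
# Peplink log format.
from datetime import datetime, timedelta

# Constructed sample events: the first MAC shows the suspicious pattern,
# the second one reassociates too slowly to be flagged.
SAMPLE_EVENTS = """\
2023-04-05T10:00:01 ap1 assoc aa:bb:cc:dd:ee:01
2023-04-05T10:05:12 ap1 deauth aa:bb:cc:dd:ee:01
2023-04-05T10:05:14 ap2 assoc aa:bb:cc:dd:ee:01
2023-04-05T10:20:00 ap1 deauth aa:bb:cc:dd:ee:02
2023-04-05T10:30:00 ap2 assoc aa:bb:cc:dd:ee:02
"""

def parse_events(text):
    """Parse constructed event lines into (timestamp, ap, kind, mac) tuples."""
    events = []
    for line in text.splitlines():
        ts, ap, kind, mac = line.split()
        events.append((datetime.fromisoformat(ts), ap, kind, mac.lower()))
    return events

def suspicious_reassociations(events, window=timedelta(seconds=30)):
    """Return (mac, deauth_ap, assoc_ap, gap_seconds) for every MAC that
    associates on a *different* AP within `window` of its last deauth."""
    last_deauth = {}  # mac -> (time of deauth, AP that logged it)
    findings = []
    for ts, ap, kind, mac in sorted(events):
        if kind == "deauth":
            last_deauth[mac] = (ts, ap)
        elif kind == "assoc" and mac in last_deauth:
            d_ts, d_ap = last_deauth[mac]
            gap = ts - d_ts
            if ap != d_ap and gap <= window:
                findings.append((mac, d_ap, ap, gap.total_seconds()))
    return findings

if __name__ == "__main__":
    for finding in suspicious_reassociations(parse_events(SAMPLE_EVENTS)):
        print(finding)  # → ('aa:bb:cc:dd:ee:01', 'ap1', 'ap2', 2.0)
```

Legitimate fast roaming produces the same sequence, so treat a hit as a lead to correlate with where the client is expected to be, not as proof of an attack.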


First off, thanks for this.

Question: the paper notes that secure DNS requests can be blocked, using these design flaws, in the hope of having the victim fall back to old insecure DNS. If a router running firmware 8.something is configured to use secure DNS (Network tab → DNS over HTTPS on a B20x ) will it fall back to old/insecure DNS if the secure DNS server can not be reached?


+1. I am curious if this affects other models with this setting configured as well.

Does enabling “Management Frame Protection” fully mitigate “Leaking Frames from the Wi-Fi Queue”?

If our devices are configured to use DNS over HTTPS, they will strictly follow the setting. They will not use the insecure DNS even if the secure DNS cannot be reached.


Enabling Management Frame Protection is a way to make the attack harder, but it cannot fully mitigate the leak for the models which are vulnerable.


Excellent :slight_smile:


When will a new AP firmware with a fix be available?

Hi ckirch,

The tentative schedule for AP One 3.9.3 beta is in June 2023. Stay tuned.

Thanks,
Lewis


Section 5 - Overriding the Victim’s Security Context: For the attack to be successful, the attacker must possess valid network credentials, impeccable timing, and even if the attacker receives frames, they are of minimal value in modern secured networks.
Legacy SurfSoho rev 8.3 - using ISP wi-fi as WAN to pepwave. Last night every 30 minutes the router was asking the internet for the time. Never seen that before. The equipment has the inbuilt wifi features disabled but 2 machines connect through cable to pepwave. The connection is secure although the ISP router wifi LAN might be not so secure? Actually the pepwave was brought to protect a victim from a supposed Magalenha action.
I found some CAM loading in the network where the pepwave was before, where the OS should show FIB tables not present. So warning about really strange time calls to time servers last night!

First AP One 3.9.3 Beta 1 is out now. Thanks Peplink team. :+1:t2:
It fixes CVE-2022-47522 Wifi Framing


What’s the schedule for fixing CVE-2022-47522 on Balance 20X?

Yes, the fix will be available in the coming firmware release. Stay tuned.


I asked the following question on a different post, but I thought I’d ask here as well as I didn’t see a response, and I am not too sure how updates are being rolled out to legacy devices in the future…

Are products that are now considered to be in “Legacy” status still set to receive security updates under firmware 8.3.X releases? More specifically, will there be an update to legacy devices that addresses the vulnerability outlined in this post? Additionally, beyond that, will legacy devices continue to receive maintenance/security updates despite their legacy label?

This doesn’t come across super clear to me, and I am only looking to clarify. With the official 8.4 release seemingly around the corner, and no chatter - at least from what I’ve seen - about a 8.3.X release, I thought I’d ask again.

Much appreciated.


With Firmware 8.4 now official, when can owners of legacy models expect this vulnerability to be addressed?
