CVE-2020-24588:Wi-Fi Protected Access (WPA, WPA2, WPA3) and WEP vulnerability allowing arbitrary packet injection due to unauthenticated A-MSDU flag in QoS header field.

splash
Back

Description Preview

The 802.11 standard that forms the foundation of Wi-Fi security protocols (WPA, WPA2, WPA3, and WEP) contains a critical vulnerability related to the authentication of the A-MSDU flag in the plaintext QoS header field. This flag is not properly authenticated according to the standard, creating a security weakness. When exploiting this vulnerability against devices that support receiving non-SSP A-MSDU frames (a mandatory feature in 802.11n), attackers can inject arbitrary network packets into protected wireless networks. This vulnerability is part of the broader "FragAttacks" (fragmentation and aggregation attacks) collection of Wi-Fi security flaws discovered in 2021.

Overview

CVE-2020-24588 is a design flaw in the IEEE 802.11 standard that affects virtually all Wi-Fi devices. The vulnerability stems from the lack of authentication for the A-MSDU flag in the QoS header field. This oversight allows attackers within radio range to inject arbitrary packets into protected Wi-Fi networks by manipulating this flag. Since support for non-SSP A-MSDU frames is mandatory for 802.11n compliance, most modern Wi-Fi devices are vulnerable.

The attack works because when the A-MSDU flag is set, receivers will process the frame's data as if it contains multiple packets aggregated together. By manipulating this flag, an attacker can make a receiver interpret regular data as network packets, effectively bypassing the encryption protection. This vulnerability is particularly concerning because it affects the Wi-Fi standard itself rather than specific implementations, making it widespread across vendors and devices.

Remediation

  1. Update all Wi-Fi device firmware and drivers to the latest versions that include patches for FragAttacks vulnerabilities.
  2. Apply vendor-specific patches as they become available for routers, access points, client devices, and IoT devices.
  3. For network administrators:
    • Implement additional network segmentation to limit potential damage from injected packets.
    • Use VPNs for sensitive communications to add an extra layer of encryption.
    • Enable HTTPS on all websites and services to protect against potential packet injection.
    • Consider implementing intrusion detection systems that can identify unusual traffic patterns.
  4. For device manufacturers:
    • Implement proper authentication of the A-MSDU flag in Wi-Fi implementations.
    • Follow security best practices for frame aggregation and fragmentation handling.

References

  1. FragAttacks official website: https://www.fragattacks.com
  2. FragAttacks technical summary: https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
  3. Cisco Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
  4. Intel Security Advisory: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
  5. Arista Security Advisory: https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
  6. Siemens Security Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf
  7. Debian Security Updates:
    • https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html
    • https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html
    • https://lists.debian.org/debian-lts-announce/2023/04/msg00002.html
  8. OSS-Security Mailing List: http://www.openwall.com/lists/oss-security/2021/05/11/12

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Manufacturing
    Manufacturing
  2. Health Care & Social Assistance
    Health Care & Social Assistance
  3. Public Administration
    Public Administration
  4. Educational Services
    Educational Services
  5. Finance and Insurance
    Finance and Insurance
  6. Transportation & Warehousing
    Transportation & Warehousing
  7. Retail Trade
    Retail Trade
  8. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  9. Information
    Information
  10. Utilities
    Utilities
  11. Other Services (except Public Administration)
    Other Services (except Public Administration)
  12. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  13. Management of Companies & Enterprises
    Management of Companies & Enterprises
  14. Accommodation & Food Services
    Accommodation & Food Services
  15. Construction
    Construction
  16. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  17. Mining
    Mining
  18. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  19. Wholesale Trade
    Wholesale Trade
  20. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background