ISN 2021-02: IGEL OS and W10 Wi-Fi Vulnerabilities (Fragattacks)
First published 21 May 2021
Updated 30 September 2021 (Resolution in IGEL OS 11.06.100)
CVSS 3.1 Score: 5.0 (Medium)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Several Wi-Fi vulnerabilities, known collectively as Fragattacks, affect the following IGEL products:
- IGEL OS 11
- IGEL OS 10
- IGEL W10 IoT
Details
The researcher Mathy Vanhoef has found several security vulnerabilities both in the IEEE 802.11 standards underpinning Wi-Fi and in their implementations in Linux and Windows. He has demonstrated that weaknesses in the fragmentation and frame aggregation mechanisms can be abused to exfiltrate confidential data from, or inject frames into, a protected Wi-Fi connection between a client and the access point.
In IGEL software, these threats are mitigated because endpoint management via UMS and ICG uses TLS. In addition, IGEL OS updates are cryptographically signed and validated. This is reflected in IGEL’s CVSS 3.1 scoring of these issues.
Several CVE identifiers have been assigned to this group of vulnerabilities:
Design flaws:
- CVE-2020-24588: Aggregation attack (accepting non-SPP A-MSDU frames)
- CVE-2020-24587: Mixed key attack (reassembling fragments encrypted under different keys)
- CVE-2020-24586: Fragment cache attack (not clearing fragments from memory when (re)connecting to a network)
Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network are assigned the following CVEs:
- CVE-2020-26140: Accepting plaintext data frames in a protected network
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network
Other implementation flaws are assigned the following CVEs:
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames
Update Instructions
- IGEL OS 11: Update to IGEL OS 11.06.100 or newer. This fixes all design flaws and Linux implementation flaws listed above.
- IGEL OS 10: Upgrade to IGEL OS 11.06.100 or newer.
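The update rules above applied to a device inventory, as an added example that is not IGEL's code. The CSV columns, product strings, action labels and sample firmware values are constructed assumptions; only the fixed release 11.06.100 comes from this advisory.

```python
import csv
import io

FIXED = (11, 6, 100)  # IGEL OS 11.06.100, the fixed release named in the advisory

# Constructed sample inventory; column names and firmware values are assumptions.
SAMPLE_INVENTORY = """\
name,product,firmware
tc-001,IGEL OS 11,11.05.133
tc-002,IGEL OS 11,11.06.100
tc-003,IGEL OS 11,11.06.99
tc-004,IGEL OS 10,10.06.220
tc-005,IGEL W10 IoT,4.04.140
tc-006,IGEL OS 11,unknown
"""


def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD' into a tuple of ints so 11.06.99 < 11.06.100."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(product, firmware):
    """Map one device to the action the advisory gives for its product."""
    if product == "IGEL OS 11":
        try:
            version = parse_version(firmware)
        except ValueError:
            return "check-manually"
        return "fixed" if version >= FIXED else "update"
    if product == "IGEL OS 10":
        return "upgrade"          # no OS 10 fix listed; move to 11.06.100 or newer
    if product == "IGEL W10 IoT":
        return "mitigate"         # listed as affected, no fixed release named
    return "not-listed"


def triage_inventory(csv_text):
    """Return {device name: action} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["name"]: triage(r["product"].strip(), r["firmware"]) for r in rows}


if __name__ == "__main__":
    for name, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {action}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 11.06.99 above 11.06.100 and report an unpatched device as fixed.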
Mitigations
- If possible, replace Wi-Fi connections with wired Ethernet.
The reporter of these vulnerabilities recommends the following mitigations until fixes are available:
- Use HTTPS/TLS exclusively for websites in order to add another layer of protection for confidential information such as usernames and passwords.
- Keep your Wi-Fi access points updated with the latest firmware version.
- Reduce the impact of attacks by manually configuring your DNS server so that it cannot be poisoned.
- Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices.
References
- https://www.fragattacks.com
- Mathy Vanhoef, “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation”: https://papers.mathyvanhoef.com/usenix2021.pdf