EnGenius Wireless Products FragAttacks Security Advisory

Advisory ID: engenius-sa-20210604
First Published: 04-June-2021
Last Updated: 06-August-2021
Advisory Version: 1.1

CVE-ID:

Summary

A dozen vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) that could affect devices with Wi-Fi capabilities were publicly disclosed on 11 May 2021. Refer to Wi-Fi Alliance announcement at Wi-Fi Alliance® security update – May 11, 2021| Wi-Fi Alliance

Impact

These 12 vulnerabilities were discovered and disclosed by researcher Dr Mathy Vanhoef. Three vulnerabilities are 802.11 standard design flaws, and the other 9 are implementation vulnerabilities.

Successful exploitation of these vulnerabilities could enable the exfiltration of sensitive data from targeted device. The following table describes the high-level impact of each CVE IDs. For additional details, please refer to the following link: https://www.fragattacks.com/

ITEMCVE-IDIMPACT
1CVE-2020-24586Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
2CVE-2020-24587Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
3CVE-2020-24588Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
4CVE-2020-26139Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
5CVE-2020-26140Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network): Vulnerable Wi-Fi implementations accept plaintext A-MSDU frames as long as thefirst 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header forEAPOL. An adversary can abuse this to inject arbitrary networkpackets independent of the network configuration.
6CVE-2020-26141Accepting plaintext broadcast fragments as full frames (in an encrypted network): Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
7CVE-2020-26142Reassembling encrypted fragments with non-consecutive packet numbers: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. Thisvulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
8CVE-2020-26143Reassembling mixed encrypted/plaintext fragments: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
9CVE-2020-26144Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
10CVE-2020-26145Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
11CVE-2020-26146Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
12CVE-2020-26147Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

Resolution

Recommended action to completely fix the vulnerabilities is to patch both ends of your wireless network, i.e. both the AP and Client.

EnGenius is investigating its Indoor / Outdoor Wireless product line to determine the affected AP products and formulate resolution patches accordingly. Refer to the table below for resolution release details. As the investigation progresses, EnGenius will continuously update this advisory as more information becomes available.

ECW SERIESRELEASE VERSIONTARGET RELEASE DATE
ECW1151.3.2812-Jul-2021
ECW1201.3.2812-Jul-2021
ECW1601.3.2812-Jul-2021
ECW220v21.5.2806-Sep-2021
ECW230 / ECW230v2 / ECW230v31.5.2806-Sep-2021
ECW2601.5.2806-Sep-2021
EWS SERIESRELEASE VERSIONTARGET RELEASE DATE
EWS330AP3.7.2026-Jul-2021
EWS355AP3.7.2026-Jul-2021
EWS357AP / EWS357APv23.9.123-Aug-2021
EWS357APv33.9.123-Aug-2021
EWS360AP3.6.2026-Jul-2021
EWS377AP / EWS377APv23.9.123-Aug-2021
EWS377APv33.9.123-Aug-2021
EWS385AP3.x.20Evaluating
EWS660AP3.6.2026-Jul-2021
EWS850AP3.9.123-Aug-2021
EWS860AP3.6.2026-Jul-2021
EAP SERIESRELEASE VERSIONTARGET RELEASE DATE
EAP12503.7.2026-Jul-2021
EAP1300 / EAP1300EXT / EnHero53.7.2026-Jul-2021
EAP22003.x.20Evaluating
ENS/ENH SERIESRELEASE VERSIONTARGET RELEASE DATE
ENS610EXT3.7.2026-Jul-2021
ENS620EXT3.7.2026-Jul-2021
ENH1350EXT3.7.2026-Jul-2021
ENH1750EXT3.7.2026-Jul-2021
ENH500v33.7.2026-Jul-2021
ENS500-ACv2 / ECS500EXT-ACv23.7.2026-Jul-2021
EnStation5-ACv2 / EnStationACv23.7.2026-Jul-2021

Revision History

ADVISORY VERSIONDESCRIPTIONDATE
1.0First Release04-Jun-2021
1.1Series, release version, and release date updates06-Aug-2021