EnGenius Wireless Products FragAttacks Security Advisory
Advisory ID: engenius-sa-20210604
First Published: 04-June-2021
Last Updated: 06-August-2021
Advisory Version: 1.1
CVE-ID:
Summary
A dozen vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks) that could affect devices with Wi-Fi capabilities were publicly disclosed on 11 May 2021. Refer to Wi-Fi Alliance announcement at Wi-Fi Alliance® security update – May 11, 2021| Wi-Fi Alliance
Impact
These 12 vulnerabilities were discovered and disclosed by researcher Dr Mathy Vanhoef. Three vulnerabilities are 802.11 standard design flaws, and the other 9 are implementation vulnerabilities.
Successful exploitation of these vulnerabilities could enable the exfiltration of sensitive data from targeted device. The following table describes the high-level impact of each CVE IDs. For additional details, please refer to the following link: https://www.fragattacks.com/
| ITEM | CVE-ID | IMPACT |
|---|---|---|
| 1 | CVE-2020-24586 | Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
| 2 | CVE-2020-24587 | Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. |
| 3 | CVE-2020-24588 | Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. |
| 4 | CVE-2020-26139 | Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
| 5 | CVE-2020-26140 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network): Vulnerable Wi-Fi implementations accept plaintext A-MSDU frames as long as thefirst 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header forEAPOL. An adversary can abuse this to inject arbitrary networkpackets independent of the network configuration. |
| 6 | CVE-2020-26141 | Accepting plaintext broadcast fragments as full frames (in an encrypted network): Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. |
| 7 | CVE-2020-26142 | Reassembling encrypted fragments with non-consecutive packet numbers: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. Thisvulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. |
| 8 | CVE-2020-26143 | Reassembling mixed encrypted/plaintext fragments: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. |
| 9 | CVE-2020-26144 | Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
| 10 | CVE-2020-26145 | Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. |
| 11 | CVE-2020-26146 | Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. |
| 12 | CVE-2020-26147 | Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
Resolution
Recommended action to completely fix the vulnerabilities is to patch both ends of your wireless network, i.e. both the AP and Client.
EnGenius is investigating its Indoor / Outdoor Wireless product line to determine the affected AP products and formulate resolution patches accordingly. Refer to the table below for resolution release details. As the investigation progresses, EnGenius will continuously update this advisory as more information becomes available.
| ECW SERIES | RELEASE VERSION | TARGET RELEASE DATE | |||
|---|---|---|---|---|---|
| ECW115 | 1.3.28 | 12-Jul-2021 | |||
| ECW120 | 1.3.28 | 12-Jul-2021 | |||
| ECW160 | 1.3.28 | 12-Jul-2021 | |||
| ECW220v2 | 1.5.28 | 06-Sep-2021 | |||
| ECW230 / ECW230v2 / ECW230v3 | 1.5.28 | 06-Sep-2021 | |||
| ECW260 | 1.5.28 | 06-Sep-2021 | |||
| EWS SERIES | RELEASE VERSION | TARGET RELEASE DATE | |||
|---|---|---|---|---|---|
| EWS330AP | 3.7.20 | 26-Jul-2021 | |||
| EWS355AP | 3.7.20 | 26-Jul-2021 | |||
| EWS357AP / EWS357APv2 | 3.9.1 | 23-Aug-2021 | |||
| EWS357APv3 | 3.9.1 | 23-Aug-2021 | |||
| EWS360AP | 3.6.20 | 26-Jul-2021 | |||
| EWS377AP / EWS377APv2 | 3.9.1 | 23-Aug-2021 | |||
| EWS377APv3 | 3.9.1 | 23-Aug-2021 | |||
| EWS385AP | 3.x.20 | Evaluating | |||
| EWS660AP | 3.6.20 | 26-Jul-2021 | |||
| EWS850AP | 3.9.1 | 23-Aug-2021 | |||
| EWS860AP | 3.6.20 | 26-Jul-2021 | |||
| EAP SERIES | RELEASE VERSION | TARGET RELEASE DATE | |||
|---|---|---|---|---|---|
| EAP1250 | 3.7.20 | 26-Jul-2021 | |||
| EAP1300 / EAP1300EXT / EnHero5 | 3.7.20 | 26-Jul-2021 | |||
| EAP2200 | 3.x.20 | Evaluating | |||
| ENS/ENH SERIES | RELEASE VERSION | TARGET RELEASE DATE |
|---|---|---|
| ENS610EXT | 3.7.20 | 26-Jul-2021 |
| ENS620EXT | 3.7.20 | 26-Jul-2021 |
| ENH1350EXT | 3.7.20 | 26-Jul-2021 |
| ENH1750EXT | 3.7.20 | 26-Jul-2021 |
| ENH500v3 | 3.7.20 | 26-Jul-2021 |
| ENS500-ACv2 / ECS500EXT-ACv2 | 3.7.20 | 26-Jul-2021 |
| EnStation5-ACv2 / EnStationACv2 | 3.7.20 | 26-Jul-2021 |
Revision History
| ADVISORY VERSION | DESCRIPTION | DATE |
|---|---|---|
| 1.0 | First Release | 04-Jun-2021 |
| 1.1 | Series, release version, and release date updates | 06-Aug-2021 |
