News FragAttacks - implications in reality?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

dffvb

Occasional Visitor
Hi there,

with my limited understanding, it looks like a spectre / meltdown like security issue has hit wifi in general


It is not very soothing that it can be onyl exploited within physical reach, since this in my opinion lies wihtin the nature of wifi.

However, of course I do not unterstand and was wondering, if anybody here can explain the real life implications? At how much risk is my wifi?

Maybe the @RMerlin can explain :) (since he seems to be the godfather her ebeing able to bring light into many foggy topics)
 

bbunge

Part of the Furniture
Another Chicken Little (the sky is falling!) Web site.

But, backups are good to have!
 

RMerlin

Asuswrt-Merlin dev
Wifi is not my area of expertise, sorry. Personally I don`t really worry about any wifi exploit, because it requires the attacker to be within wifi range of your router.
 

coxhaus

Part of the Furniture
I think local attackers is a lot better than being attacked from far with bots. Throw Bluetooth in there. Way safer. I use Bluetooth for controlling my lights in my home.
 

thiggins

Mr. Easy
Staff member
This is long, but a good analysis that helps put things in perspective.

I especially like this table:
screen-shot-2021-05-05-at-3.22.11-pm.png
 

sfx2000

Part of the Furniture
OpenWRT (on master) has already patched the issue for open source ath9k, ath10k, and ath11k drivers and the rest of the mac80211 stack as of May 12th.

Intel drivers for linux have been upstreamed, so linux users check your distro for updates.

For the closed source linux drivers, patches obviously will have to come from the vendors...

Here's the openwrt commit...

commit 025bd93f36c9923127674ce127e22933592cba6c
Author: Felix Fietkau <[email protected]>
Date: Wed May 12 14:28:37 2021 +0200

mac80211: backport upstream fixes for FragAttacks

From the patch series description:

Several security issues in the 802.11 implementations were found by
Mathy Vanhoef (New York University Abu Dhabi), who has published all
the details at

https://papers.mathyvanhoef.com/usenix2021.pdf

Specifically, the following CVEs were assigned:

* CVE-2020-24586 - Fragmentation cache not cleared on reconnection
* CVE-2020-24587 - Reassembling fragments encrypted under different
keys
* CVE-2020-24588 - Accepting non-SPP A-MSDU frames, which leads to
payload being parsed as an L2 frame under an
A-MSDU bit toggling attack
* CVE-2020-26139 - Forwarding EAPOL from unauthenticated sender
* CVE-2020-26140 - Accepting plaintext data frames in protected
networks
* CVE-2020-26141 - Not verifying TKIP MIC of fragmented frames
* CVE-2020-26142 - Processing fragmented frames as full frames
* CVE-2020-26143 - Accepting fragmented plaintext frames in
protected networks
* CVE-2020-26144 - Always accepting unencrypted A-MSDU frames that
start with RFC1042 header with EAPOL ethertype
* CVE-2020-26145 - Accepting plaintext broadcast fragments as full
frames
* CVE-2020-26146 - Reassembling encrypted fragments with non-consecutive
packet numbers
* CVE-2020-26147 - Reassembling mixed encrypted/plaintext fragments

In general, the scope of these attacks is that they may allow an
attacker to
* inject L2 frames that they can more or less control (depending on the
vulnerability and attack method) into an otherwise protected network;
* exfiltrate (some) network data under certain conditions, this is
specific to the fragmentation issues.

A subset of these issues is known to apply to the Linux IEEE 802.11
implementation (mac80211). Where it is affected, the attached patches
fix the issues, even if not all of them reference the exact CVE IDs.

In addition, driver and/or firmware updates may be necessary, as well
as potentially more fixes to mac80211, depending on how drivers are
using it.

Specifically, for Intel devices, firmware needs to be updated to the
most recently released versions (which was done without any reference
to the security issues) to address some of the vulnerabilities.

To have a single set of patches, I'm also including patches for the
ath10k and ath11k drivers here.

We currently don't have information about how other drivers are, if
at all, affected.

Signed-off-by: Felix Fietkau <[email protected]>
 

Killhippie

Senior Member
Wifi is not my area of expertise, sorry. Personally I don`t really worry about any wifi exploit, because it requires the attacker to be within wifi range of your router.
Obviously you are lucky not to live in a block of flats where you have routers upstairs downstairs and sideways, in that situation exploits should be a big concern, I have to say I was a bit surprised by your post tbh, I know it s not a major issue because because this one is hard to exploit, but it should be of concern as should all Wi-Fi exploits because some of us are not as lucky as others. For instance I live in a rural area with very few routers around but most don't have that luxury.
 

thiggins

Mr. Easy
Staff member
@sfx2000 Thanks for the information. I think the much more difficult part will be STA patches. Do you have any word on that?
 

sfx2000

Part of the Furniture
@sfx2000 Thanks for the information. I think the much more difficult part will be STA patches. Do you have any word on that?

Linux QCA clients, if the distro brings in the patches, should be ok, and the authors have modified Intel client station drivers/firmware available...

The linux mediatek drivers are under heavy development, so I assume changes will roll in fairly quickly.

Concern on the AP side is the vendor platforms (Qualcomm's QSDK, Broadcom HND, etc), esp on the older ones that may not be as actively maintained. Even there, it'll be up to the OEM's to integrate and release new firmware there.

Additional concern for the IoT space, where vendor SDK's will have to patch there, and get those out to the OEM's, and roll them into the fleet of devices - which will be a fairly hard problem to solve, IMHO...

Apple and Microsoft - Apple is currently in their beta cadence for iOS/MacOS, so I expect that'll will roll in fixes - Microsoft pushed out patches on March 9, 2021, but it's not clear if everything was patched up there.
 

Killhippie

Senior Member
Netgear rolled out a patch for the RAX120/v2 yesterday but the wording is a bit vague, it seems they have patched a few Qualcomm AX units so far but not the AX1000 which is partly DumaOS
 

Killhippie

Senior Member
@sfx2000 Apple put out patches for iOS/macOS/watch OS etc last week just after 14.5 bringing things up to 14.5.1 11.3.1 and 7.4.1 so is it its possible devices may have been patched then? it was a out of sequence patch for webkit CVE's a week after 14.5 which they have been working on for a very long time, but Apple do patch other vulnerabilities without saying and at that point all was quite on the western front so to speak really regarding these vulnerabilities so its possible they are patched already but I wouldn't like to say for sure. Ive not seen anything from Sony with the Mediatec chips yet, but they can patch APK's from Pie onwards I believe without a new OS update, I'm not sure if they can patch this that way though.
 

RMerlin

Asuswrt-Merlin dev
Obviously you are lucky not to live in a block of flats where you have routers upstairs downstairs and sideways, in that situation exploits should be a big concern,
Only if you are a target that is worth the effort AND you have someone within your block that has the advanced know-how to pull it off. Remember, this exploit requires a very high degree of technical knowledge (it's not something a teenager can "download over the web and run on his laptop to instant pwn you all").

In this particular case, the exploits are very complex to exploit AND they require proximity, AND some of them also require social engineering to lead the target to visit a malicious website. To me, that indicates that it's not something the average user should lose sleep over. If it gets used, it will be done against very specific targets, by people with very advanced skills.

In the world, it's all about evaluating risks. If we start panicking every time a new security issue comes to light, then you might as well completely unplug from the Internet. Look at the number of daily entries appearing in the CVE database. WPA2 and even WPA3 for instance have been known to be exploitable for years already, with no fix in sight as the issues are inherent to their design. I don't see every major corporation shutting down their wifi network because of that.

That does not mean that people shouldn`t patch their devices once fixes are published, but it also means that people shouldn't lose any sleep over it.

I highly recommend people at least browse through the article linked by @thiggins.
 

Killhippie

Senior Member
Only if you are a target that is worth the effort AND you have someone within your block that has the advanced know-how to pull it off. Remember, this exploit requires a very high degree of technical knowledge (it's not something a teenager can "download over the web and run on his laptop to instant pwn you all").

In this particular case, the exploits are very complex to exploit AND they require proximity, AND some of them also require social engineering to lead the target to visit a malicious website. To me, that indicates that it's not something the average user should lose sleep over. If it gets used, it will be done against very specific targets, by people with very advanced skills.

In the world, it's all about evaluating risks. If we start panicking every time a new security issue comes to light, then you might as well completely unplug from the Internet. Look at the number of daily entries appearing in the CVE database. WPA2 and even WPA3 for instance have been known to be exploitable for years already, with no fix in sight as the issues are inherent to their design. I don't see every major corporation shutting down their wifi network because of that.

That does not mean that people shouldn`t patch their devices once fixes are published, but it also means that people shouldn't lose any sleep over it.

I highly recommend people at least browse through the article linked by @thiggins.
I meant no disrespect, Merlin. I wss just surprised by way your post read. The thing is I know of people that like to sit and Deauther for fun, you can get the kit on well know sites for about £20 these days and maybe to some who have seen passwords on ISP routers (BT in the UK have some on plastic cards slid in the back) it wouldn't be a stretch to see some try it on especially when maybe the more vulnerable may be easy targets.

I agree about risk evaluation and most of us have nothing to fear at all, but with so many scams circulating these days I do worry that some who do online banking etc who have had kit put up by some local who has some basic networking knowledge may see this as a few hundred pound to a few thousand pounds if they were opportunistic. I mean if phone scammers do it for less, so it does make you wonder. Anyway lets hope most dont try and patches roll out to what can be fixed asap just in case :)
 

XIII

Very Senior Member
@sfx2000 Apple put out patches for iOS/macOS/watch OS etc last week just after 14.5 bringing things up to 14.5.1 11.3.1 and 7.4.1 so is it its possible devices may have been patched then? it was a out of sequence patch for webkit CVE's a week after 14.5 which they have been working on for a very long time, but Apple do patch other vulnerabilities without saying and at that point all was quite on the western front so to speak really regarding these vulnerabilities so its possible they are patched already but I wouldn't like to say for sure.

They indeed don’t mention it:


Do they usually update these notes after a (fixed) vulnerability has been made public?
 

sfx2000

Part of the Furniture
Netgear rolled out a patch for the RAX120/v2 yesterday but the wording is a bit vague, it seems they have patched a few Qualcomm AX units so far but not the AX1000 which is partly DumaOS

IIRC - the QCA based Netgear devices use QSDK, so they could pick up the fixes there...

(QSDK is based on an older version of OpenWRT, with all their own private sources included, and it's fairly up to date)

The DumaOS is downstream from OpenWRT, so they could backport fixes as needed I would think.
 

sfx2000

Part of the Furniture
Do they usually update these notes after a (fixed) vulnerability has been made public?

Apple is usually pretty good about disclosing security fixes in their updates...

The advantage Apple has is that they're vertically integrated on both HW and SW, so they can roll these out quickly...
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top