News FragAttacks - implications in reality?


Killhippie

Senior Member
Apple is usually pretty good about disclosing security fixes in their updates...

The advantage Apple has is that they're vertically integrated on both HW and SW, so they can roll these out quickly...
What I meant was when they need to not disclose, like with Spectre etc., they kept quiet until it was in the public domain. I should have worded that better.
 

Killhippie

Senior Member
List of patched devices so far from Netgear

Model      Fixed in Firmware Version   Fix Status
R6700AX    1.0.3.92                    Production release available
RAX10      1.0.3.92                    Production release available
RAX120     1.2.1.22                    Production release available
RAX120v2   1.2.1.22                    Production release available
RAX70      1.0.3.92                    Production release available
RAX78      1.0.3.92                    Production release available

Extenders

Model      Fixed in Firmware Version   Fix Status
EAX14      1.0.2.30                    Production release available
EAX15      1.0.2.30                    Production release available
EAX18      1.0.0.58                    Production release available
EAX20      1.0.0.58                    Production release available
EAX80      1.0.1.68                    Production release available

Cable Modem Routers

Model      Fixed in Firmware Version   Fix Status
CAX30      1.4.10.4                    Firmware released to Internet service providers
 

Killhippie

Senior Member
They indeed don’t mention it:


Do they usually update these notes after a (fixed) vulnerability has been made public?
They did after the Spectre updates, I believe, as they had put some patches in a while before the public release of the vulnerability. They could also have not fixed the issue and be awaiting 11.4 and 14.6 etc. Normally Apple are on the ball, and companies have known and been given quite a while to fix this prior to disclosure.
 

RMerlin

Asuswrt-Merlin dev
Asus pushed a few patched versions this week, but there is no accurate list as to which model is currently patched, or which firmware version contains the patches.
 

sfx2000

Part of the Furniture
Synology has pushed out SRM updates...

RT2600ac and MR2200ac - 1.2.5 - picks up fragattacks along with other items - these are QC-Atheros based...


RT1900ac - SRM 1.2.5 picks up the other items, fragattack fixes pending... RT1900ac is Broadcom...

 

sfx2000

Part of the Furniture
Only if you are a target that is worth the effort AND you have someone within your block that has the advanced know-how to pull it off. Remember, this exploit requires a very high degree of technical knowledge (it's not something a teenager can "download over the web and run on his laptop to instant pwn you all").

In this particular case, the exploits are very complex to exploit AND they require proximity, AND some of them also require social engineering to lead the target to visit a malicious website. To me, that indicates that it's not something the average user should lose sleep over. If it gets used, it will be done against very specific targets, by people with very advanced skills.

Hmmm...

the author has published the tools and scripts...

Given a fairly open wifi stack such as ath9k or even better, esp8266/esp32 - it's fairly scriptable and could be automated as a chain of attack.

While in the home - it's a medium level risk...

It's more on the travel side, hotels especially... go around any tech area related to Telecoms or other high tech - it's a nice way to peel up an edge to compromise data for exfil - that's what scares me on items like this.

For example - within a 10 mile radius of Santa Clara - nVidia, AMD, Intel, Apple, Facebook, Qualcomm, SuperMicro, and many other tech Tier 1, 2, 3 providers are there - and travellers tend to stay in certain hotels...

(interesting note for Santa Clara - there's a PRC oriented office building smack dab in the middle of that mess - it's owned by the Beijing City Government)

Same would go for Redmond, where there is Microsoft, Amazon, and ATT, along with Samsung, HTC and others...

Just down the road there is Boeing and their circle of vendors/suppliers/partners...

If one is in the tech industry and travels - one is a target...

Interesting to note that WiFi 6 is especially vulnerable here due to design issues with 802.11.
 

Kirke Holmes

Occasional Visitor
Hi,
Love your firmware, have been using it for years with various ASUS routers, and have donated to you a few times.

Are you planning to update Merlin to block the FragAttacks problems I have been reading about?

How serious do you think this problem will be to fix?

Just curious at this point, I realize it may take some time to develop a fix since it's a problem with the protocol itself.

Kirke
 

netware5

Very Senior Member
Hmmm...

the author has published the tools and scripts...

I've downloaded the live USB with tools from the author's web site. Unfortunately I failed to run them; a lot of errors were reported by the tool. So it seems that it is not so trivial to exploit this vulnerability. Really, the attacker must have a very high level of technical knowledge. This is not a game for script kiddies...

The immediate measure I had taken is to change the router's "protected management frames" option in wireless configuration page from "capable" to "required". For the rest I will wait until Merlin releases a patched FW.

All wireless clients accepted this change without issues. Some older mobile phones needed manual intervention to "forget" the network and re-connect again, while laptops (even very old) and newer mobile phones and tablets switched to new config automatically without manual intervention.
 

RMerlin

Asuswrt-Merlin dev
Are you planning to update Merlin to block the FragAttacks problems I have been reading about?
Still waiting to get patches from Asus. I know they have patched it on their end of things, however they will probably need to build complete new GPLs for me to merge in, as I can't directly apply the patches (since they are within closed source objects). No ETA on that.
 


Wallace_n_Gromit

Senior Member
The immediate measure I had taken is to change the router's "protected management frames" option in wireless configuration page from "capable" to "required". For the rest I will wait until Merlin releases a patched FW.

All wireless clients accepted this change without issues. Some older mobile phones needed manual intervention to "forget" the network and re-connect again, while laptops (even very old) and newer mobile phones and tablets switched to new config automatically without manual intervention.
I personally have the 5Ghz wifi "protected management frames" as "required" on my router with no problem. I'm guessing that my wifi capable devices using the 5Ghz band could work with "protected management frames" out of the box. 2.4Ghz devices, especially the older ones (have lots of those) failed to connect when "protected management frames" was capable or required, so have it disabled for those. There has been prior discussion about troubleshooting Protected Management Frames settings for many forum visitors.
 

Killhippie

Senior Member
I have wifi protected management frames on on my RAX120 and not one device has had issues connecting, the oldest being my Canon printer from 2011 (it still works well so it stays, and it's a 4800dpi photo printer); even that connected fine on 2.4GHz. Maybe I'm just lucky. The rest of my network is fairly new, 4 years old at the latest, so no problems there using PMF.
 

juniorsweet

Occasional Visitor
The latest ASUS firmware release for the AC86U does appear to contain a fix for this vulnerability. Based on what I've heard, the current version of Merlin's firmware (386.2_4) does NOT contain this fix yet.

ASUS RT-AC86U Firmware version 3.0.0.4.386.42643
1. Fixed CVE-2021-3450, CVE-2021-3449 OpenSSL-related vulnerability.
2. Fixed authentication bypass vulnerability. Special thanks to Chris Bellows, Darren Kemp – Atredis Partners for their contribution.
3. Fixed PPTP and OpenVPN server username/password GUI bug.
4. Fixed high CPU utilization issue.
5. Fixed the fragattacks vulnerability.

 

sfx2000

Part of the Furniture
Still waiting to get patches from Asus. I know they have patched it on their end of things, however they will probably need to build complete new GPLs for me to merge in, as I can't directly apply the patches (since they are within closed source objects). No ETA on that.

With the Broadcom WL drivers, that has to come from Broadcom themselves before Asus can integrate... and then it's legacy SDKs vs. current HND.

Same would go with the Lantiq devices - and with the sale of Lantiq from Intel to MaxLinear, is a fix even pending?

At least with their QC-Atheros, QSDK patches have been issued upstream, so maybe fixes on the Asus devices based on QCA might get them earlier...
 

sfx2000

Part of the Furniture
I think the much more difficult part will be STA patches. Do you have any word on that?

I suppose that Mediatek, Intel, and QC-Atheros have some benefit of being integrated into ChromeOS (Google requires the vendors to have decent linux support for Chromebooks).

With all of the M&As happening - Quantenna to On Semiconductor, Marvell to NXP, some Broadcom to Cypress, Infineon to Lantiq to Intel to MaxLinear - who supports which chip/driver?

Another would be the weird things like XRadio (now AllWinner) XR819, which basically is a reverse engineered chip/driver from ST-Micro, which was Ericsson at some point in time...

most likely some of the drivers will never be fixed...

With IOT - Espressif (ESP32, ESP8266) is aware and working on patches, which is good news, as this is a very common chipset used in many IOT devices...

TI has issued patches for both the CC3xxx and WL18xx families of chips, which again are very commonly used -- NXP (native, not Marvell) and Microchip - still checking with friends in the business, questions asked, answers pending...

Goes without saying though that the IOT vendors apply and push the fixes out to their customers/endusers...

I have a feeling we're going to be dealing with this for a long time to come...
 

itpp20

Regular Contributor
Has anyone noticed "protected management frames" does not seem to work for guest networks?
 

Wallace_n_Gromit

Senior Member
Has anyone noticed "protected management frames" does not seem to work for guest networks?
It does for my guest network(s) on the 5GHz wifi band (I have it REQUIRED). I imagine that many 5GHz devices already supported [Protected Management Frames] in the specifications? All of my 5GHz wifi devices are recent purchases within the last 3-4 years.

It is DISABLED on my 2.4GHz wifi guest network(s). Too many of my devices using 2.4GHz are very old and do not have a good connection if they connect at all if the setting is CAPABLE or REQUIRED.
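One way to check what the "protected management frames" setting actually advertises on each SSID, guest networks included, is to parse a client-side `iw` scan: the RSN capabilities carry MFP-capable / MFP-required flags. The script below is an added example, not code from this thread or from any router firmware; the scan text is constructed, and the exact `iw` output layout is an assumption, so adjust the regexes if your build prints it differently.

```python
import re

# Constructed `iw dev wlan0 scan` output (not a real capture), mirroring the
# thread: PMF required and merely capable on 5 GHz, disabled on a 2.4 GHz guest.
SAMPLE_SCAN = """\
BSS 02:00:00:00:01:00(on wlan0)
\tfreq: 5180
\tSSID: home5
\tRSN:\t * Authentication suites: PSK PSK-SHA256
\t\t * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
BSS 02:00:00:00:01:01(on wlan0)
\tfreq: 5180
\tSSID: home5-guest
\tRSN:\t * Authentication suites: PSK
\t\t * Capabilities: 1-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)
BSS 02:00:00:00:02:01(on wlan0)
\tfreq: 2437
\tSSID: home24-guest
\tRSN:\t * Authentication suites: PSK
\t\t * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x000c)
"""

def pmf_mode(rsn_caps: str) -> str:
    """Map the RSN capability flags iw prints to the router-GUI wording."""
    if "MFP-required" in rsn_caps:
        return "required"
    if "MFP-capable" in rsn_caps:
        return "capable"
    return "disabled"

def parse_iw_scan(text: str) -> list:
    """One record per BSS: bssid, ssid, freq (MHz) and advertised PMF mode."""
    records = []
    for block in re.split(r"^(?=BSS )", text, flags=re.M):
        head = re.match(r"BSS ([0-9a-f:]{17})", block)
        if not head:
            continue  # text before the first BSS line, or empty input
        ssid = re.search(r"^[ \t]*SSID: (.*)$", block, re.M)
        freq = re.search(r"^[ \t]*freq: (\d+)", block, re.M)
        caps = re.search(r"\* Capabilities: (.*)$", block, re.M)
        records.append({
            "bssid": head.group(1),
            "ssid": ssid.group(1) if ssid else "",
            "freq": int(freq.group(1)) if freq else 0,
            "pmf": pmf_mode(caps.group(1)) if caps else "disabled",  # no RSN IE
        })
    return records

def not_enforcing_pmf(records: list) -> list:
    """SSIDs (guest ones included) whose advertised PMF mode is not 'required'."""
    return [r["ssid"] for r in records if r["pmf"] != "required"]
```

Feed it the output of `iw dev <iface> scan` run from a Linux laptop near the router to compare what the GUI says against what each SSID, including guests, really advertises.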
 

itpp20

Regular Contributor
It is DISABLED on my 2.4GHz wifi guest network(s). Too many of my devices using 2.4GHz are very old and do not have a good connection if they connect at all if the setting is CAPABLE or REQUIRED.
Ah, that confirms it is working on guest networks; I may be seeing something else.
 
