Menu
What's new
By:
Filters Better Search

News FragAttacks - implications in reality?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

sfx2000 said:
Apple is usually pretty good about disclosing security fixes in their updates...

The advantage Apple has is that they're vertically integrated on both HW and SW, so they can roll these out quickly...
Click to expand...
What I meant was when they need to not disclose like with spector etc they kept quite untill it was in the public domain, I should have worded that better.
 
List of patched devices so far from Netgear


Model
Fixed in Firmware Version
Fix Status

R6700AX
1.0.3.92
Production release available

RAX10
1.0.3.92
Production release available

RAX120
1.2.1.22
Production release available

RAX120v2
1.2.1.22
Production release available

RAX70
1.0.3.92
Production release available

RAX78
1.0.3.92
Production release available





Extenders

Model
Fixed in Firmware Version
Fix Status

EAX14
1.0.2.30
Production release available

EAX15
1.0.2.30
Production release available

EAX18
1.0.0.58
Production release available

EAX20
1.0.0.58
Production release available

EAX80
1.0.1.68
Production release available





Cable Modem Routers

Model
Fixed in Firmware Version
Fix Status

CAX30
1.4.10.4
Firmware released to Internet service providers
 
XIII said:
They indeed don’t mention it:

About the security content of iOS 14.5.1 and iPadOS 14.5.1 - Apple Support

This document describes the security content of iOS 14.5.1 and iPadOS 14.5.1.
support.apple.com support.apple.com

Do they usually update these notes after a (fixed) vulnerability has been made public?
Click to expand...
They did after the spector updates I believe as they had put some patches in a while before public release of the vulnerability, they could also have not fixed the issue and are awaiting 11.4 and 14.6 etc. Normally Apple are on the ball and companies have known and been given quite a while to fix this prior to disclosure.
 
Asus pushed a few patched versions this week, but there is no accurate list as to which model is currently patched, or which firmware version contains the patches.
 
Synology has pushed out SRM updates...

RT2600ac and MR2200ac - 1.2.5 - picks up fragattacks along with other items - these are QC-Atheros based...

www.synology.com

Release Notes for RT2600ac | Synology Inc.

Release Notes for RT2600ac | Synology Inc.
www.synology.com www.synology.com

RT1900ac - SRM 1.2.5 picks up the other items, fragattack fixes pending... RT1900ac is Broadcom...

www.synology.com

Synology_SA_21_20 | Synology Inc.

Synology Product Security Advisory
www.synology.com www.synology.com
 
RMerlin said:
Only if you are a target that is worth the effort AND you have someone within your block that has the advanced know-how to pull it off. Remember, this exploit requires a very high degree of technical knowledge (it's not something a teenager can "download over the web and run on his laptop to instant pwn you all").

In this particular case, the exploits are very complex to exploit AND they require proximity, AND some of them also require social engineering to lead the target to visit a malicious website. To me, that indicates that it's not something the average user should lose sleep over. If it gets used, it will be done against very specific targets, by people with very advanced skills.
Click to expand...

Hmmm...

the author has published the tools and scripts...

Given a fairly open wifi stack such as ath9k or even better, esp8266/esp32 - it's fairly scriptable and could be automated as a chain of attack.

While in the home - it's a medium level risk...

It's more on the travel side, hotels especially... go around any tech area related to Telecoms or other high tech - it's a nice way to peel up an edge to compromise data for exfil - that's what scares me on items like this.

For example - within a 10 mile radius of Santa Clara - nVidia, AMD, Intel, Apple, Facebook, Qualcomm, SuperMicro, and many other tech Tier 1, 2, 3 providers are there - and travellers tend to stay in certain hotels...

(interesting note for Santa Clara - there's a PRC oriented office building smack dab in the middle of that mess - it's owned by the Beijing City Government)

Same would go for Redmond, where there is Microsoft, Amazon, and ATT, along with Samsung, HTC and others...

Just down the road there is Boeing and their circle of vendors/suppliers/partners...

If one is in the tech industry, and travel - one is a target...

Interesting to note that WiFi 6 is especially vulnerable here due to design issues with 802.11.
 
Hi,
Love your firmware have been using it for years with various ASUS routers, and have donated to you a few times.

Are you planning to update Merlin to block the FragAttacks problems I have been reading about?

How serious do you think this problem will be to fix?

Just curious at this point, I realize it may take some time to develop a fix since it's a problem with the protocol itself.

Kirke
 
sfx2000 said:
Hmmm...

the author has published the tools and scripts...

............................
Click to expand...
I've downloaded the live USB with tools from the author's web site. Unfortunately failed to run them. A lot of errors reported by the tool. So seems to be that it is not so trivial to exploit this vulnerability. Really the attacker should have very high level technical knowledge. This is not a game for script kiddies ...

The immediate measure I had taken is to change the router's "protected management frames" option in wireless configuration page from "capable" to "required". For the rest I will wait until Merlin releases a patched FW.

All wireless clients accepted this change without issues. Some older mobile phones needed manual intervention to "forget" the network and re-connect again, while laptops (even very old) and newer mobile phones and tablets switched to new config automatically without manual intervention.
 
Last edited:
Kirke Holmes said:
Are you planning to update Merlin to block the FragAttacks problems I have been reading about?
Click to expand...
Still waiting to get patches from Asus. I know they have patched it on their end of things, however they will probably need to build complete new GPLs for me to merge in, as I can't directly apply the patches (since they are within closed source objects). No ETA on that.
 

Attachments

  • Hand Flipping Light Switch.jpg
    Hand Flipping Light Switch.jpg
    12.7 KB · Views: 102
netware5 said:
~

The immediate measure I had taken is to change the router's "protected management frames" option in wireless configuration page from "capable" to "required". For the rest I will wait until Merlin releases a patched FW.

All wireless clients accepted this change without issues. Some older mobile phones needed manual intervention to "forget" the network and re-connect again, while laptops (even very old) and newer mobile phones and tablets switched to new config automatically without manual intervention.
Click to expand...
I personally have the 5Ghz wifi "protected management frames" as "required" on my router with no problem. I'm guessing that my wifi capable devices using the 5Ghz band could work with "protected management frames" out of the box. 2.4Ghz devices, especially the older ones (have lots of those) failed to connect when "protected management frames" was capable or required, so have it disabled for those. There has been prior discussion about troubleshooting Protected Management Frames settings for many forum visitors.
 
I have wifi protected management frames on on my RAX120 and not one device has had issues connecting, the oldest being my Canon printer from 2011 (it still works well so it stays and its a 4800dpi photo printer) even that connected fine on 2.4Ghz. Maybe I'm just lucky. The rest of my network is fairly new 4 years old at the latest so no problems there using PMF
 
The latest ASUS firmware release for the AC86U does appear to contain a fix for this vulnerability. Based on what I've heard, the current version of Merlin's firmware (386.2_4) does NOT contain this fix yet.

ASUS RT-AC86U Firmware version 3.0.0.4.386.42643
1. Fixed CVE-2021-3450, CVE2021-3449 OpenSSL related vulnerability.
2. Fixed authentication bypass vulnerability. Special thank Chris Bellows, Darren Kemp – Atredis Partners contribution.
3. Fixed PPTP and OpenVPN server username/password GUI bug.
4. Fixed high CPU utilization issue.
5. Fixed the fragattacks vulnerability.

www.snbforums.com

Release - New AC86U firmware 3.0.0.4.386_42643

Asus had to mention the change somewhere @dave14305. Regular users have no way to find out what the problem is. If I didn’t come across this thread after looking for solutions to my issue, I would be stuck at current firmware for a long time I’m sure.
www.snbforums.com www.snbforums.com
 
Last edited:
RMerlin said:
Still waiting to get patches from Asus. I know they have patched it on their end of things, however they will probably need to build complete new GPLs for me to merge in, as I can't directly apply the patches (since they are within closed source objects). No ETA on that.
Click to expand...

With the Broadcom WL drivers, that has to come from Broadcom themselves before Asus can integrate... and then it's Legacy SDK's vs. current HND

Same would go with the Lantiq devices - and with the sale of Lantiq from Intel to MaxLinear, is a fix even pending?

At least with their QC-Atheros, QSDK patches have been issued upstream, so maybe fixes on the Asus devices based on QCA might get them earlier...
 
thiggins said:
I think the much more difficult part will be STA patches. Do you have any word on that?
Click to expand...

I suppose that Mediatek, Intel, and QC-Atheros have some benefit of being integrated into ChromeOS (Google requires the vendors to have decent linux support for Chromebooks).

With all of the M&A's happening - Quantenna to On Semiconductor, Marvell to NXP, some Broadcom to Cypress, Infineon to Lantiq to Intel to MaxLinear, who supports which chip/driver?

Another would be the weird things like XRadio (now AllWinner) XR819, which basically is a reverse engineered chip/driver from ST-Micro, which was Ericsson at some point in time...

most likely some of the drivers will never be fixed...

With IOT - Espressif (ESP32, ESP8266) is aware and working on patches, which is good news, as this is a very common chipset used in many IOT devices...

TI has issued patches for both the CC3xxx and WL18xx families of chips, which again, are very commonly used -- NXP (native, not Marvell) and MicroChip - still checking with friends in the business, questions asked, answers pending..

Goes without saying though that the IOT vendors apply and push the fixes out to their customers/endusers...

I have a feeling we're going to be dealing with this for a long time to come...
 
itpp20 said:
Has anyone noticed "protected management frames" does not seem to work for guest networks?
Click to expand...
It does for my guest network(s) on the 5GHz wifi band (I have it REQUIRED). I imagine that many 5GHz devices already supported [Protected Management Frames] in the specifications? All of my 5GHz wifi devices are recent purchases within the last 3-4 years.

It is DISABLED on my 2.4GHz wifi guest network(s). Too many of my devices using 2.4GHz are very old and do not have a good connection if they connect at all if the setting is CAPABLE or REQUIRED.
 
Wallace_n_Gromit said:
It is DISABLED on my 2.4GHz wifi guest network(s). Too many of my devices using 2.4GHz are very old and do not have a good connection if they connect at all if the setting is CAPABLE or REQUIRED.
Click to expand...
Ah that concludes it is working on guest networks, I may be seeing something else.
 
You must log in or register to reply here.

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 547 (members: 19, guests: 528)
Top