EnGenius Wireless Products FragAttacks Security Advisory

Notification ID: engenius-sa-20210604
First Published: 04-June-2021
Last Updated: 06-August-2021
Version: 1.1

CVE-ID:

Summary

On May 11, 2021, a dozen vulnerabilities collectively known as FragAttacks (fragmentation and aggregation attacks), which could affect devices with Wi-Fi capabilities, were publicly disclosed. See the Wi-Fi Alliance announcement at Wi-Fi Alliance® Security Update – May 11, 2021 | Wi-Fi Alliance

Impact

These 12 vulnerabilities were discovered and disclosed by the researcher Dr. Mathy Vanhoef. Three vulnerabilities are design flaws in the 802.11 standard and the other 9 are implementation vulnerabilities.

Successful exploitation of these vulnerabilities could allow exfiltration of confidential data from the targeted device. The following table describes the high-level impact of each CVE ID. For additional details, see the following link: https://www.fragattacks.com/

| ITEM | CVE-ID | IMPACT |
|---|---|---|
| 1 | CVE-2020-24586 | Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
| 2 | CVE-2020-24587 | Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. |
| 3 | CVE-2020-24588 | Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. |
| 4 | CVE-2020-26139 | Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
| 5 | CVE-2020-26140 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network): Vulnerable Wi-Fi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. |
| 6 | CVE-2020-26141 | Accepting plaintext broadcast fragments as full frames (in an encrypted network): Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration. |
| 7 | CVE-2020-26142 | Reassembling encrypted fragments with non-consecutive packet numbers: Vulnerable WPA, WPA2, or WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design. |
| 8 | CVE-2020-26143 | Reassembling mixed encrypted/plaintext fragments: Vulnerable WEP, WPA, WPA2, or WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. |
| 9 | CVE-2020-26144 | Accepting plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
| 10 | CVE-2020-26145 | Not verifying the TKIP MIC of fragmented frames: Vulnerable Wi-Fi implementations do not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and possibly decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol. |
| 11 | CVE-2020-26146 | Processing fragmented frames as full frames: Vulnerable WEP, WPA, WPA2, or WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. |
| 12 | CVE-2020-26147 | Accepting fragmented plaintext data frames in a protected network: Vulnerable WEP, WPA, WPA2, or WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. |
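
A receiver-side reassembly check matching items 7 and 8 of the table above, given here as an added example (not EnGenius code and not part of the original advisory): a fragment set is rejected unless every fragment was encrypted and the packet numbers are consecutive. The struct layout, names and sample values are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified view of one received 802.11 fragment. */
struct frag {
    uint16_t seq;          /* sequence number, same for every fragment */
    uint8_t  frag_no;      /* fragment number, 0 for the first one */
    bool     more_frags;   /* More Fragments bit */
    bool     is_protected; /* Protected Frame bit (payload encrypted) */
    uint64_t pn;           /* CCMP/GCMP packet number */
};

enum frag_verdict {
    FRAG_OK = 0,
    FRAG_EMPTY,
    FRAG_BAD_ORDER,   /* sequence or fragment numbers do not line up */
    FRAG_MIXED_PLAIN, /* table item 8: plaintext fragment in the set */
    FRAG_PN_GAP,      /* table item 7: packet numbers not consecutive */
    FRAG_BAD_MORE     /* More Fragments bit disagrees with set length */
};

/* Check a buffered fragment set (arrival order) before reassembly in a
 * network protected with CCMP or GCMP. */
enum frag_verdict frag_set_check(const struct frag *f, size_t n)
{
    if (f == NULL || n == 0)
        return FRAG_EMPTY;
    for (size_t i = 0; i < n; i++) {
        if (f[i].seq != f[0].seq || (size_t)f[i].frag_no != i)
            return FRAG_BAD_ORDER;
        if (!f[i].is_protected)
            return FRAG_MIXED_PLAIN;
        if (i > 0 && f[i].pn != f[i - 1].pn + 1)
            return FRAG_PN_GAP;
        if (f[i].more_frags != (i + 1 < n))
            return FRAG_BAD_MORE;
    }
    return FRAG_OK;
}

/* Constructed samples: {seq, frag_no, more_frags, is_protected, pn}. */
const struct frag sample_ok[2]    = {{100, 0, true, true, 7}, {100, 1, false, true, 8}};
const struct frag sample_mixed[2] = {{100, 0, true, true, 7}, {100, 1, false, false, 0}};
const struct frag sample_gap[2]   = {{100, 0, true, true, 7}, {100, 1, false, true, 9}};

int main(void)
{
    return frag_set_check(sample_ok, 2) == FRAG_OK ? 0 : 1;
}
```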

Solution

The recommended action to fully remediate the vulnerabilities is to patch both ends of your wireless network, that is, both the AP and the client.

EnGenius is investigating its indoor/outdoor wireless product line to determine the affected AP products and to develop fix releases accordingly. See the table below for details of the fix release versions. As the investigation progresses, EnGenius will continue to update this advisory as more information becomes available.

| ECW SERIES | RELEASE VERSION | TARGET RELEASE DATE |
|---|---|---|
| ECW115 | 1.3.28 | 12-Jul-2021 |
| ECW120 | 1.3.28 | 12-Jul-2021 |
| ECW160 | 1.3.28 | 12-Jul-2021 |
| ECW220v2 | 1.5.28 | 06-Sep-2021 |
| ECW230 / ECW230v2 / ECW230v3 | 1.5.28 | 06-Sep-2021 |
| ECW260 | 1.5.28 | 06-Sep-2021 |

| EWS SERIES | RELEASE VERSION | TARGET RELEASE DATE |
|---|---|---|
| EWS330AP | 3.7.20 | 26-Jul-2021 |
| EWS355AP | 3.7.20 | 26-Jul-2021 |
| EWS357AP / EWS357APv2 | 3.9.1 | 23-Aug-2021 |
| EWS357APv3 | 3.9.1 | 23-Aug-2021 |
| EWS360AP | 3.6.20 | 26-Jul-2021 |
| EWS377AP / EWS377APv2 | 3.9.1 | 23-Aug-2021 |
| EWS377APv3 | 3.9.1 | 23-Aug-2021 |
| EWS385AP | 3.x.20 | Evaluating |
| EWS660AP | 3.6.20 | 26-Jul-2021 |
| EWS850AP | 3.9.1 | 23-Aug-2021 |
| EWS860AP | 3.6.20 | 26-Jul-2021 |

| EAP SERIES | RELEASE VERSION | TARGET RELEASE DATE |
|---|---|---|
| EAP1250 | 3.7.20 | 26-Jul-2021 |
| EAP1300 / EAP1300EXT / EnHero5 | 3.7.20 | 26-Jul-2021 |
| EAP2200 | 3.x.20 | Evaluating |

| ENS/ENH SERIES | RELEASE VERSION | TARGET RELEASE DATE |
|---|---|---|
| ENS610EXT | 3.7.20 | 26-Jul-2021 |
| ENS620EXT | 3.7.20 | 26-Jul-2021 |
| ENH1350EXT | 3.7.20 | 26-Jul-2021 |
| ENH1750EXT | 3.7.20 | 26-Jul-2021 |
| ENH500v3 | 3.7.20 | 26-Jul-2021 |
| ENS500-ACv2 / ECS500EXT-ACv2 | 3.7.20 | 26-Jul-2021 |
| EnStation5-ACv2 / EnStationACv2 | 3.7.20 | 26-Jul-2021 |

Revision History

| ADVISORY VERSION | DESCRIPTION | DATE |
|---|---|---|
| 1.0 | First Release | 04-Jun-2021 |
| 1.1 | Series, release version, and release date updates | 06-Aug-2021 |