Mist Security Advisory – Bypassing Wi-Fi Encryption by Manipulating Transmit Queues

On March 27, 2023, the research paper titled “Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues” was published outlining a potential attack on Wi-Fi by a malicious insider. The vulnerability is also referred to as MacStealer and has been assigned CVE-2022-47522. In a nutshell, the attacker uses valid credentials, such as the attacker’s own pre-shared key or a username/password/certificate for 802.1X, to connect to the network while using the MAC address of a victim. It is then possible for the attacker to receive a few transient packets destined for the victim. The attack requires the attacker to hold valid credentials for the network and to time the attack precisely, and the frames received are likely of little value in modern secured networks.

What is Vulnerable?

Wireless clients connecting to Mist Access Points could be targeted with this attack mechanism.

Mitigations

The attack vector for this vulnerability is small and is best mitigated through layers of security, including, but not limited to:

  • Protected management frames (PMF) to reduce the likelihood of the MAC address impersonation.
  • Network access control through RADIUS or multi-PSK that does not rely upon the MAC address as the unique identifier of a client.
  • Higher-layer transport security (for example TLS) for applications whenever possible.
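The second mitigation above rests on the controller or RADIUS server knowing each client by an identity that is separate from its MAC address. That same data gives a defender a simple detection: a MAC address that authenticates under two different identities within a short window is exactly what the insider scenario described in this advisory produces. The following Python is an added example, not Mist or Juniper code, and it assumes a hypothetical authentication log format of `<epoch> <client_mac> <identity> <ap_name>`, where the identity is the 802.1X username or the multi-PSK key name the network resolved; the sample log lines are constructed.

```python
"""Flag MAC addresses that authenticate under more than one identity.

Added example (not Mist/Juniper code). Assumed hypothetical log format per line:
    <epoch> <client_mac> <identity> <ap_name>
where <identity> is the 802.1X username or the resolved multi-PSK key name.
A MAC seen under two distinct identities within a short window is a useful
alert for the insider scenario: the credentials are legitimate, but the MAC
address belongs to some other client.
"""
import re
from collections import defaultdict

# One line per successful authentication; case-insensitive MAC, whitespace separated.
LOG_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)$", re.IGNORECASE)

# Constructed sample data: MAC ...:01 authenticates as alice, then 30 s later
# the same MAC authenticates with a multi-PSK key name on another AP.
SAMPLE_LOG = """\
1679900000 aa:bb:cc:dd:ee:01 alice@example.com ap-floor1
1679900005 aa:bb:cc:dd:ee:02 bob@example.com   ap-floor1
1679900030 AA:BB:CC:DD:EE:01 psk-guest-17      ap-floor2
1679901000 aa:bb:cc:dd:ee:03 carol@example.com ap-floor3
1679905000 aa:bb:cc:dd:ee:02 bob@example.com   ap-floor2
"""


def parse_log(text):
    """Parse log text into (epoch, mac, identity, ap) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, mac, ident, ap = m.groups()
        events.append((int(ts), mac.lower(), ident, ap))
    return events


def find_identity_collisions(events, window_s=3600):
    """Return {mac: sorted identities} for MACs that used more than one identity
    within window_s seconds of each other."""
    by_mac = defaultdict(list)
    for ts, mac, ident, ap in events:
        by_mac[mac].append((ts, ident, ap))

    collisions = {}
    for mac, rows in by_mac.items():
        rows.sort()  # chronological order, so the inner loop can stop early
        for i in range(len(rows)):
            for j in range(i + 1, len(rows)):
                if rows[j][0] - rows[i][0] > window_s:
                    break  # later rows are even further apart
                if rows[j][1] != rows[i][1]:
                    collisions.setdefault(mac, set()).update({rows[i][1], rows[j][1]})
    return {mac: sorted(ids) for mac, ids in collisions.items()}


def report(text, window_s=3600):
    """Human-readable alert lines for each colliding MAC."""
    hits = find_identity_collisions(parse_log(text), window_s)
    return [f"ALERT {mac}: identities {', '.join(ids)} within {window_s}s"
            for mac, ids in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

The check deliberately keys on identity rather than MAC: a client that legitimately roams between APs keeps the same identity and is not flagged, while a second credential appearing behind an existing client's MAC is. Tune `window_s` to the association churn of the environment, and treat a hit as a prompt for investigation of both the victim's session and the credential involved.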

More Information

Juniper is not aware of any real-world exploitation of the vulnerability; however, demonstration code has been published by the researchers in the following GitHub repository: https://github.com/vanhoefm/macstealer