Mist Security Advisory – FragAttacks and FAQ

On May 11, 2021, the Industry Consortium for Advancement of Security on the Internet (ICASI) announced the coordinated disclosure of a series of vulnerabilities related to the functionality of Wi-Fi devices. The complete list of vulnerabilities appears below. Exploitation of these vulnerabilities may result in data exfiltration.

Of these issues listed below, only CVE-2020-24588 affects Juniper Networks Mist Access Points (APs). Successful exploitation of CVE-2020-24588 may allow an attacker to inject arbitrary network packets which could be used to spoof servers and conduct man-in-the-middle (MITM) attacks, in protected Wi-Fi networks, including WEP, WPA, WPA2, and WPA3.

What is this vulnerability?

The DeAgg vulnerability, also known as CVE-2020-24588, is a vulnerability discovered in the 802.11 protocol, specifically in the implementation of aggregated frames. The vulnerability could allow an attacker to flip the “is aggregated” flag in the 802.11 header, which would cause the frame payload to be parsed differently and potentially allow for packet injection.
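As an added illustration (not code from the Mist advisory), the following Python builds the CCMP Additional Authenticated Data for a QoS Data frame header as specified in IEEE 802.11-2016 and shows why the flag flip described above is not caught by the frame's integrity check: for non-SPP A-MSDUs the A-MSDU Present bit is masked out of the authenticated data, whereas with SPP A-MSDU negotiated it is covered. The MAC addresses and helper function names are constructed for this example.

```python
import struct

# Bit 7 of the 802.11 QoS Control field is "A-MSDU Present", the "is aggregated" flag.
QOS_AMSDU_PRESENT = 0x0080


def build_qos_data_header(a1: bytes, a2: bytes, a3: bytes, tid: int, seq: int,
                          amsdu_present: bool) -> bytes:
    """Constructed 26-byte QoS Data MAC header (no Address 4, no HT Control)."""
    fc = 0x0088 | 0x4000          # type=Data, subtype=QoS Data, Protected Frame=1
    duration = 0
    sc = (seq << 4) & 0xFFF0      # sequence number in bits 4-15, fragment number 0
    qc = tid & 0x000F
    if amsdu_present:
        qc |= QOS_AMSDU_PRESENT
    return struct.pack("<HH", fc, duration) + a1 + a2 + a3 + struct.pack("<HH", sc, qc)


def ccmp_aad(header: bytes, spp_amsdu: bool) -> bytes:
    """CCMP Additional Authenticated Data per IEEE 802.11-2016 12.5.3.3.3 for a
    QoS Data header without Address 4 / HT Control. spp_amsdu=True models both
    peers having advertised SPP A-MSDU Capable."""
    (fc,) = struct.unpack_from("<H", header, 0)
    a1, a2, a3 = header[4:10], header[10:16], header[16:22]
    sc, qc = struct.unpack_from("<HH", header, 22)
    # FC: mask Subtype bits 4-6, Retry, Power Mgmt, More Data and Order; force Protected=1
    fc_aad = (fc & 0x078F) | 0x4000
    # SC: keep the fragment number, mask the sequence number
    sc_aad = sc & 0x000F
    # QC: keep the TID; the A-MSDU Present bit is authenticated only for SPP A-MSDUs
    qc_aad = qc & 0x000F
    if spp_amsdu:
        qc_aad |= qc & QOS_AMSDU_PRESENT
    return struct.pack("<H", fc_aad) + a1 + a2 + a3 + struct.pack("<HH", sc_aad, qc_aad)


def amsdu_flag_protected(spp_amsdu: bool) -> bool:
    """True if toggling the A-MSDU Present bit changes the AAD, i.e. the CCMP MIC
    check would reject a frame whose flag was altered in transit."""
    a1 = bytes.fromhex("021a2b3c4d5e")  # constructed sample MAC addresses
    a2 = bytes.fromhex("02aabbccddee")
    a3 = bytes.fromhex("020102030405")
    original = build_qos_data_header(a1, a2, a3, tid=3, seq=1234, amsdu_present=False)
    flipped = build_qos_data_header(a1, a2, a3, tid=3, seq=1234, amsdu_present=True)
    return ccmp_aad(original, spp_amsdu) != ccmp_aad(flipped, spp_amsdu)


if __name__ == "__main__":
    print("non-SPP A-MSDU: flag flip detected by MIC?", amsdu_flag_protected(False))
    print("SPP A-MSDU:     flag flip detected by MIC?", amsdu_flag_protected(True))
```

This is why the disclosed weakness is described as "accepting non-SPP A-MSDU frames": only the SPP variant ties the aggregation flag to the authenticated header.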

Impact of this vulnerability?

The risk of a successful attack is low, as the vulnerability requires the attacker to hold a man-in-the-middle position and to control a web server. The client would need to connect to the man-in-the-middle AP and in some way visit the attacker’s web server; only then can a specially crafted packet with injected data be sent to carry out additional attacks.

What action is needed to address this vulnerability?

All Mist APs are vulnerable to the DeAgg vulnerability (except BT11), and it is recommended to upgrade to a fixed firmware version as soon as possible. Mist has firmware versions with remediation for this vulnerability available for all Access Points, as noted in the following table:

Platform   Recommended Fixed Version   Other Available Fixed Versions
AP12       0.8.21602                   0.8.21602, 0.9.22801
AP21       0.5.17562                   0.5.17562
AP32       0.8.21602                   0.8.21602, 0.9.22801
AP33       0.8.21602                   0.8.21602, 0.9.22801
AP41       0.8.21602                   0.5.17562, 0.7.20564, 0.8.21602, 0.9.22801
AP43       0.8.21602                   0.6.19227, 0.7.20564, 0.8.21602, 0.9.22801
AP61       0.8.21602                   0.5.17562, 0.7.20564, 0.8.21602, 0.9.22801
AP63       0.8.21602                   0.6.19227, 0.7.20564, 0.8.21602, 0.9.22801

Note: Mist Edge is not affected by the disclosed vulnerabilities.

Where can I find additional information regarding the fixed firmware versions?

Release notes for the fixed versions can be found at the following link: https://www.mist.com/documentation/firmware

Is Mist impacted by the other vulnerabilities disclosed? 

  • Mist is not vulnerable to the DeFrag vulnerability (CVE-2020-24586 and CVE-2020-24587); however, additional protection has been added in the fixed releases.
  • The remaining vulnerabilities, CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, and CVE-2020-26147, are not applicable to any Mist platform, and Mist is not vulnerable to them.

Full list of disclosed vulnerabilities

CVE              Summary
CVE-2020-24586   Not clearing fragments from memory when (re)connecting to a network
CVE-2020-24587   Reassembling fragments encrypted under different keys
CVE-2020-24588   Accepting non-SPP A-MSDU frames
CVE-2020-26139   Forwarding EAPOL frames even though the sender is not yet authenticated
CVE-2020-26140   Accepting plaintext data frames in a protected network
CVE-2020-26141   Not verifying the TKIP MIC of fragmented frames
CVE-2020-26142   Processing fragmented frames as full frames
CVE-2020-26143   Accepting fragmented plaintext data frames in a protected network
CVE-2020-26144   Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
CVE-2020-26145   Accepting plaintext broadcast fragments as full frames (in an encrypted network)
CVE-2020-26146   Reassembling encrypted fragments with non-consecutive packet numbers
CVE-2020-26147   Reassembling mixed encrypted/plaintext fragments

Who to contact for additional information?

Please contact Mist Support at support@mist.com with any questions or concerns.

Additional Q&A

Q. Will enabling WPA3 protect me from this attack?

A. CVE-2020-24588 is specific to the 802.11 header itself, which is not encrypted by MFA. Enabling WPA3 will not protect you from this specific vulnerability; however, it may help reduce the risk of MITM thanks to Protected Management Frames (PMF).

Q. Do I also need to update my client devices?

A. Most likely yes. All major client vendors (Apple, Google, Samsung, Microsoft, etc.) have been notified of the disclosed vulnerabilities and, if impacted, should communicate the appropriate information and necessary actions to their customers.

Q. Is Mist Edge impacted by these vulnerabilities?

A. No. As Mist Edge is not a Wireless LAN Controller and does not process or forward any 802.11 frames, it is not impacted by any of the disclosed vulnerabilities.

Q. Is there a software workaround for this issue?

A. No, there is no software workaround for this issue.

Q. How urgently should I upgrade the firmware on my Access Points?

A. Mist’s opinion is that the risk of a successful attack is low, since it requires a skilled attacker. Over time, tools may emerge that bring the attack within reach of more attackers. Mist considers upgrading to a fixed version important, but not urgent.

Q. How many other vendors have been affected?

A. Most infrastructure and client vendors appear to have been impacted by at least one of these disclosed vulnerabilities.