| Title | ARUBA-PSA-2021-011 :: 802.11 Frame Aggregation and Fragmentation Vulnerabilities (Rev-1) |
|---|
| Description | Aruba Product Security Advisory
===============================
Advisory ID: ARUBA-PSA-2021-011
CVE: CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147
Publication Date: 2021-May-11
Status: Confirmed
Severity: Medium
Revision: 1
Title
=====
802.11 Frame Aggregation and Fragmentation Vulnerabilities
Overview
========
Twelve new vulnerabilities related to different components in the implementation of the 802.11 standard have been published.
Successful exploitation of each one of these vulnerabilities can result in sensitive data disclosure and possibly traffic manipulation.
Unaffected Products
===================
No Aruba products are affected by the following vulnerabilities:
CVE-2020-24586
CVE-2020-24587
CVE-2020-26139
CVE-2020-26140
CVE-2020-26141
CVE-2020-26142
CVE-2020-26143
CVE-2020-26144
CVE-2020-26145
CVE-2020-26147
Affected Products
=================
The following products are affected by CVE-2020-24588 and CVE-2020-26146:
All Aruba Instant Access Points:
- Aruba Instant 6.4.x: prior to x.x.x.x-x.x.x.x
- Aruba Instant 6.5.x: prior to x.x.x.x
prior to x.x.x.x if using IAP-1xx series
- Aruba Instant 8.3.x: prior to x.x.x.x
prior to x.x.x.x if using RAP-155 series
- Aruba Instant 8.5.x: prior to x.x.x.x
prior to x.x.x.x if using RAP-155 series
- Aruba Instant 8.6.x: prior to x.x.x.x
prior to x.x.x.x if using RAP-155 series
- Aruba Instant 8.7.x: prior to x.x.x.x
All ArubaOS Access Points when managed by hardware or virtual implementations of Aruba Mobility Controllers (standard or FIPS):
- ArubaOS 6.4.x: prior to x.x.x.x
- ArubaOS 6.5.x: prior to x.x.x.x
prior to x.x.x.x if using AP-1xx series
- ArubaOS 8.3.x: prior to x.x.x.x
prior to x.x.x.x if using AP-1xx series
- ArubaOS 8.5.x: prior to x.x.x.x
prior to x.x.x.x if using AP-1xx series
- ArubaOS 8.6.x: prior to x.x.x.x
prior to x.x.x.x if using AP-1xx series
- ArubaOS 8.7.x: prior to x.x.x.x
Aruba Instant On:
- prior to 2.3.0
Aruba views these vulnerabilities as Medium severity.
Other Aruba products not listed above, including Aruba Mobility Conductor (formerly Mobility Master) and SD-WAN Gateways, are not affected by these vulnerabilities.
Details
=======
Vulnerabilities in the implementation of the IEEE 802.11 standard have been uncovered. These vulnerabilities allow an attacker to inject malicious frames in a legitimate Wi-Fi connection, regardless of the type of wireless encryption used.
Successful exploitation of these vulnerabilities results in exfiltration of sensitive data or, in conjunction with other known attacks, allows for traffic manipulation.
Note that these vulnerabilities might also affect wireless client devices. Non-Aruba devices may also have fixes for these vulnerabilities.
Please check with your non-Aruba device vendor for additional details.
See the accompanying FAQ document published by Aruba for more detailed information:
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011-FAQ.pdf
Accepting non-SPP A-MSDU frames (CVE-2020-24588)
---------------------------------------------------------------------
The 802.11 standard allows for encryption of the data payload, but the MAC header remains unencrypted. To cryptographically protect the header fields, it requires a WLAN device to compute additional authentication data (AAD) using some of these header fields.
The AAD is used for MIC computation as part of CCMP encryption.
The AAD does not include the A-MSDU Present bit from the QoS Control subfield of the 802.11 MAC header by default. The bit is included in the AAD only if the capabilities advertised by the Access Point and the client devices include support and mandate for signal and payload protected (SPP) A-MSDU aggregation, as opposed to the default payload protected (PP) A-MSDU aggregation.
By using a MitM (Machine-in-the-Middle) technique and altering the A-MSDU bit from the QoS Control subfield of the 802.11 MAC header, an attacker can gain access to sensitive data and/or inject data toward the victim.
Internal Reference: ATLWL-219
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
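The AAD masking described above, as an added Python example that is not part of the Aruba advisory: it builds the CCMP AAD for a three-address QoS Data frame and compares it before and after the A-MSDU Present bit is toggled. The function names, MAC addresses and header values are constructed for illustration; the masking follows the CCMP AAD construction in IEEE 802.11.

```python
import struct

# Frame Control bits that CCMP zeroes before building the AAD (Data frames).
FC_SUBTYPE_B4_B6 = 0x0070
FC_RETRY, FC_PWR_MGT, FC_MORE_DATA, FC_ORDER = 0x0800, 0x1000, 0x2000, 0x8000
FC_PROTECTED = 0x4000          # always forced to 1 in the AAD
QC_TID = 0x000F                # QoS Control bits 0-3
QC_AMSDU_PRESENT = 0x0080      # QoS Control bit 7


def ccmp_aad(fc, a1, a2, a3, seq_ctrl, qos_ctrl, spp_amsdu):
    """AAD for a three-address QoS Data frame.

    spp_amsdu is True only when both peers advertised SPP A-MSDU support;
    otherwise the A-MSDU Present bit is masked out like the other QoS bits.
    """
    fc_m = (fc & ~(FC_SUBTYPE_B4_B6 | FC_RETRY | FC_PWR_MGT
                   | FC_MORE_DATA | FC_ORDER)) | FC_PROTECTED
    sc_m = seq_ctrl & 0x000F   # Fragment Number kept, Sequence Number zeroed
    qc_m = qos_ctrl & (QC_TID | (QC_AMSDU_PRESENT if spp_amsdu else 0))
    return (struct.pack("<H", fc_m) + a1 + a2 + a3
            + struct.pack("<H", sc_m) + struct.pack("<H", qc_m))


def amsdu_flip_changes_aad(spp_amsdu):
    """True if toggling A-MSDU Present alters the AAD, so the MIC check fails."""
    # Constructed header values: QoS Data, To DS, Protected; TID 5; SN 18, FN 0.
    fc, sc, qc = 0x4188, 0x0120, 0x0005
    a1 = bytes.fromhex("020000000001")
    a2 = bytes.fromhex("020000000002")
    a3 = bytes.fromhex("020000000003")
    sent = ccmp_aad(fc, a1, a2, a3, sc, qc, spp_amsdu)
    altered = ccmp_aad(fc, a1, a2, a3, sc, qc ^ QC_AMSDU_PRESENT, spp_amsdu)
    return sent != altered


if __name__ == "__main__":
    print("PP A-MSDU (default): flip detected =", amsdu_flip_changes_aad(False))
    print("SPP A-MSDU negotiated: flip detected =", amsdu_flip_changes_aad(True))
```

With PP A-MSDU the two AADs are byte-identical, so the MIC still verifies after the bit is changed; with SPP A-MSDU the AADs differ and the receiver rejects the frame.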
Reassembling encrypted fragments with non-consecutive packet numbers (CVE-2020-26146)
---------------------------------------------------------------------
The 802.11 standard allows for fragmentation of data frames that are larger than a particular value (known as the fragmentation threshold) into more than one MPDU for transmission over the air. On the receiving device, these fragments are then reassembled into the original data frame and passed to the higher layers of the stack.
The MAC header includes a Sequence Number (SN) subfield for ordering of the MPDUs irrespective of whether they contain fragmented or unfragmented data. To facilitate fragmentation, the MAC header also includes a Fragment Number (FN) subfield in addition to the SN: fragments of one data frame have the same SN but different FN. Once encrypted, the MPDUs also have a Packet Number (PN), which is again a consecutively increasing number used for checking against replays.
Together, the PN is expected to increase linearly with FN and SN.
The Aruba Access Point does not check whether all fragments of a frame have consecutive PN, that is, whether the fragments indeed belong to the same frame or not.
Consequently, the attacker using a MitM (Machine-in-the-Middle) technique can abuse this vulnerability by mixing fragments of different packets in order to extract user data.
Internal Reference: ATLWL-220
Severity: Medium
CVSSv3 Overall Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
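The reassembly check described above, as an added Python example that is not Aruba's code: a receiver-side reassembly routine over already-decrypted fragments, run with and without the consecutive-PN check. The `Fragment` type, the `check_pn` switch and the sample fragments are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    sn: int          # Sequence Number, identical for all fragments of a frame
    fn: int          # Fragment Number: 0, 1, 2, ...
    pn: int          # CCMP Packet Number recovered at decryption
    more: bool       # More Fragments bit
    payload: bytes


def reassemble(fragments, check_pn=True):
    """Return the reassembled frame body, or None if the fragments are dropped."""
    parts, prev = [], None
    for frag in fragments:
        if prev is None:
            if frag.fn != 0:
                return None              # must start with fragment 0
        else:
            if frag.sn != prev.sn or frag.fn != prev.fn + 1:
                return None              # SN/FN ordering violated
            if check_pn and frag.pn != prev.pn + 1:
                return None              # PN gap: fragment from another frame
        parts.append(frag.payload)
        prev = frag
        if not frag.more:
            return b"".join(parts)
    return None                          # final fragment never arrived


# Constructed samples: GENUINE is one frame sent as two fragments.
GENUINE = [Fragment(7, 0, 100, True, b"user=alice;"),
           Fragment(7, 1, 101, False, b"dst=10.0.0.5")]
# MIXED pairs the first fragment with one whose PN shows that it was
# encrypted as part of a different frame.
MIXED = [GENUINE[0], Fragment(7, 1, 205, False, b"dst=192.0.2.9")]

if __name__ == "__main__":
    print("genuine:", reassemble(GENUINE))
    print("mixed, PN check on:", reassemble(MIXED))
    print("mixed, PN check off:", reassemble(MIXED, check_pn=False))
```

With the check disabled, which models the behaviour the advisory describes, the mixed fragments are accepted as a single frame; with it enabled they are discarded.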
Resolution
==========
Aruba Instant Access Points:
- Aruba Instant 6.4.x: x.x.x.x-x.x.x.x and above
- Aruba Instant 6.5.x: x.x.x.x and above
x.x.x.x and above if using AP-1xx series
- Aruba Instant 8.3.x: x.x.x.x and above
x.x.x.x and above if using RAP-155 series
- Aruba Instant 8.5.x: x.x.x.x and above
x.x.x.x and above if using RAP-155 series
- Aruba Instant 8.6.x: x.x.x.x and above
x.x.x.x and above if using RAP-155 series
- Aruba Instant 8.7.x: x.x.x.x and above
- Aruba Instant 8.8.x: x.x.x.x and above
Access Points when managed by hardware or virtual implementations of Aruba Mobility Controllers (standard or FIPS):
- ArubaOS 6.4.x: x.x.x.x and above
- ArubaOS 6.5.x: x.x.x.x and above
x.x.x.x and above if using AP-1xx series
- ArubaOS 8.3.x: x.x.x.x and above
x.x.x.x and above if using AP-1xx series
- ArubaOS 8.5.x: x.x.x.x and above
x.x.x.x and above if using AP-1xx series
- ArubaOS 8.6.x: x.x.x.x and above
x.x.x.x and above if using AP-1xx series
- ArubaOS 8.7.x: x.x.x.x and above
- ArubaOS 8.8.x: x.x.x.x and above
Aruba Instant On:
- 2.3.0 and above
Workarounds
===========
None.
Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public.
A research paper is available describing the vulnerabilities and attack technique at the following URL:
https://papers.mathyvanhoef.com/usenix2021.pdf
Discovery
=========
These vulnerabilities were discovered by Dr. Mathy Vanhoef.
Aruba expresses its appreciation and gratitude to Dr. Vanhoef for responsibly disclosing these vulnerabilities to the vendor and open-source communities.
Aruba also wants to thank the Wi-Fi Alliance and the Industry Consortium for Advancement of Security on the Internet (ICASI) for coordinating the disclosure of these vulnerabilities.
ICASI's advisory has been posted at:
https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/
Revision History
================
Revision 1 / 2021-May-11 / Initial release
Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba Networks products and obtaining assistance with security incidents is available at:
http://www.arubanetworks.com/support-services/security-bulletins/
For reporting *NEW* Aruba Networks security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/
|
|---|
| Source | https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011-FAQ.pdf |
|---|
| User | csatechnical (UID 15632) |
|---|
| Submission | 2021-05-12 02:59 (5 years ago) |
|---|
| Moderation | 2021-05-12 07:39 (5 hours later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 163653 [Aruba AirWave up to 1.3.1 privilege escalation] |
|---|
| Points | 0 |
|---|