FragAttacks Technical Bulletin

FragAttacks vulnerability FAQs

This technical bulletin is to inform our customers regarding a Wi-Fi vulnerability published on 11 May 2021 in coordination with the Wi-Fi Alliance, which is being called the “FragAttacks” vulnerability. The WFA announcement can be found here.

This is a collection of 12 Common Vulnerabilities and Exposures (CVEs) that comprise several attack methods as described in the paper by Mathy Vanhoef (New York University Abu Dhabi). Some attacks exploit both design flaws in the 802.11 (Wi-Fi) protocol (i.e.- in the design of the original protocol in the standard) and the implementation flaws (i.e.- in how vendors chose to implement the protocol), while the remaining attacks exploit only the implementation flaws.

Throughout our response documentation, the “FragAttacks” name is used to refer to the entire set of vulnerabilities.  Most of the attacks consist of a multi-step process:

1. The attacker attempts to inject manipulated 802.11 frames over the air to the intended target. This target can be either an AP or client device, depending on the vulnerability.
2. A Man-in-the-Middle (MITM) attack can then be used if the infrastructure doesn’t block or alert an MITM attack. The attacker can include intentional data in subframes/fragments which may allow the exfiltration of data from the network or get the device to use a malicious DNS server for further exploit.
3. Additionally, some vulnerabilities require a Social Engineering aspect, i.e. getting a user to click on a link or navigate to an attacker-controlled URL.
4. Some of the vulnerabilities are directed at just a single receiver (device) on the network and can be carried out no matter the network configuration.

The FragAttacks vulnerability requires the adversary to be in range of the victim’s WLAN and be in the Man-in-the-Middle position to be able to manipulate and inject frames, in addition to the occasions where a social engineering aspect is also involved.

Impact

All devices that use the Wi-Fi protocol (802.11) are susceptible to this FragAttacks vulnerability.

Hence, all Wi-Fi APs and clients across the industry are susceptible to some of the FragAttacks vulnerability, including RUCKUS Wi-Fi Indoor and Outdoor Access Points.  This vulnerability does not impact RUCKUS network controllers or RUCKUS ethernet switches.  

CommScope is actively engaged with all Wi-Fi chipset vendors to identify affected products and assess methods of remediation.

Patches to fix FragAttacks

The details of the RUCKUS software releases with fixes are available here.

Risk Mitigation

The recommended approach is to patch both the network and the client side to fix the FragAttacks vulnerability. In the meantime, network administrators can take the following steps on both the network side and on the client side to reduce the risk of being exploited by the FragAttacks vulnerability.

Risk Mitigation - Network

1. 1. Enable Wireless Intrusion Prevention Systems (WIPS) & Wireless Intrusion Detection Systems (WIDS)

      WIPS  and WIDS are designed to detect and prevent certain MITM attacks by scanning Wi-Fi radio channels and identifying rogue access points that are impersonating legitimate corporate Access Points.

      Please review these important technical considerations   before you choose to enable WIDS/WIPS in your network, including which RUCKUS APs support WIPS and WIDS.

   2. USE EAP-TLS wherever possible.

      This ensures that the client authenticates the network before joining, which increases the difficulty for an attacker to deceive the client about the identity of the network that it is joining.  Please review these important technical considerations   before configuring EAP-TLS in your network, verify that the clients using that network  support EAP-TLS.

   3. Use WPA3 enterprise in your network.

      Enabling WPA3-Enterprise automatically enables 802.11w protected management frames, which prevents rogue deauthorization/disassociation frames from impacting the AP-client connection. This lowers the chances of being subject to a successful MITM attack by increasing the difficulty to break the connection between the AP and the client. WPA3-Enterprise using EAP-TLS is the best possible solution today, if all devices will support it.

      802.11w is an optional setting with WPA2 but before enabling, ensure that all client devices support 802.11w so they will continue to operate.

      Please review these important technical considerations  before you choose to enable WPA3 or 802.11w in your network, including which RUCKUS APs support WPA3.

Risk Mitigation - Client

1. 1. Update personal computing devices (laptops, mobile phone, tablets etc.) and IOT devices (smart homes, smart security devices, cameras etc.) to the latest available software versions to ensure that the most-recent fixes for bugs and security vulnerabilities are installed.
   2. Update anti-virus and anti-malware software and associated definition files on personal computing devices (laptops, mobile phone, tablets etc.).
   3. Use HTTPS protocol to connect to web sites, which adds another layer of encryption to data transmitted.
      Be aware of Social Engineering methods that ask users to click on links or navigate to unknown websites.

Frequenty Asked Questions

Q1: Are these attacks easy to execute successfully?
A1: No. None of these attacks are easily carried out. Most require a combination of being able to inject 802.11 frames, successfully complete an MITM attack, and successfully socially engineer the victim into bypassing browser warnings about a link or to visit a site hosted by a malicious server.  For all of the above to succeed, the attacker would need to be sophisticated, onsite, and armed with specialized hardware and software, none of which is currently known to be publicly available. To date, there is no report of FragAttacks being carried out successfully anywhere except in a research environment.

Q2: Are all Wi-Fi vendors affected?
A2: Yes. The vulnerability exists in the 802.11 protocol, and thus affects all Wi-Fi devices.  One of the attacks targets all Wi-Fi client types, IoT devices, and access points: CVE-2020-24588 (Accepting non-SPP A-MSDU frames).  Another attack targets all IoT devices and access points and most Wi-Fi client types: CVE-2020-26146 (Reassembling encrypted fragments with non-consecutive packet numbers).  The remaining attacks target some Wi-Fi clients and IoT devices and may affect consumer grade access points (home routers) but not Enterprise grade access points.

Q3: What RUCKUS products are affected by the vulnerability?
A3: Since this vulnerability spans current and legacy Wi-Fi standards, all Wi-Fi devices including RUCKUS Wi-Fi Indoor and Outdoor Access Points are affected by this issue. This vulnerability does not impact RUCKUS network controllers or RUCKUS ethernet switches.  Please note that not all APs are affected by all vulnerabilities. 

Q4: Are Wi-Fi clients affected by this vulnerability?
A4: Yes. Wi-Fi clients such as laptops, phones, and tablets, as well as IoT devices using 802.11 can be affected by the FragAttacks vulnerability. To completely fix the vulnerability requires patching both ends of the network connection: the AP and the client. The mitigation strategies outlined above can greatly reduce the risk of being impacted by this vulnerability until both endpoints are patched.

Q5: What version of software contains the fix and when can I get it?
A5: Please refer to our support site for details on the patches.

Q6: What if I don’t have an active Support contract with RUCKUS – will I be able to upgrade my software?
A6: Yes. You will be able to obtain the patches that are available for your platform even if you don’t have a current support contract.

• For ZoneDirector products:
  Login to https://support.ruckuswireless.com/entitlement_file, type the serial number and download the temporary entitlement file, which will be valid for 7 days, from the date of downloading the file.
• For SmartZone and virtual SmartZone: Please reach out to support.

If you have difficulty installing your patch, please open a case with RUCKUS Customer Services & Support at https://support.ruckuswireless.com/cases/new

Q7: What if I am not on any of the versions listed in the support site?
A7: You will need to upgrade to one of the software versions listed above to fix the vulnerability. The list of software versions with fixes can be found here .

Q8: What is the plan for EOS/EOL access points impacted by this vulnerability?
A8: We will be releasing a fix for all the software versions mentioned here .

Q9: What is my risk if I do not upgrade?
A9: The risk is that an attacker can exfiltrate sensitive client data in unencrypted data or manipulate client devices to navigate to unknown sites by using malicious DNS Servers. You could be vulnerable; it would depend on your specific network architecture and configuration. HTTPS data may still remain encrypted and protected, despite being routed to an attacker’s destination. In summary, an attacker could use this vulnerability as a springboard to launch additional attacks that may be more likely to succeed when leveraging the compromised network.

Q10: Why are some software fixes targeted for a later release date than others?
A10: RUCKUS is working closely with our chipset vendors to incorporate and qualify the fixes as quickly as possible for our customers and partners. Given the complexity of the attacks and their fixes, and the large number of releases we support, certain releases have been prioritized earlier than others. We recommend the mitigation strategies above to reduce the risk of exposure to FragAttacks while the fix becomes available.

Q11: Will upgrading my AP and controller software fix the problem?
A11: The vulnerability is both on the AP and the client side. Therefore, until clients also receive patches, this vulnerability may not be completely fixed. Network controllers are not vulnerable and do not require patching.

Q12: Does this affect IoT devices (e.g., security cameras, etc.) ?
A12: This affects all clients and APs that use the Wi-Fi protocol (802.11). It does not affect devices that run on other protocols (e.g., Bluetooth^® Low Energy, Zigbee, etc.)

Q13: Are end-to-end secure transactions also broken (HTTPS, etc.)?
A13: No. If the web server is running the latest versions of underlying protocols, then end-to-end transactions are secure.

Q14: Does this mean WPA3 or other security standards are broken?
A14: No. Three of the CVEs describe previously-undiscovered design flaws in the Wi-Fi protocol (802.11) that has been in production usage since 1997. The remaining CVEs describe various implementation flaws found in some, but not all, Wi-Fi clients, IoT devices, and Wi-Fi network equipment. All of these flaws can be addressed with software updates coupled with proper network security configuration and the security researcher identifying these vulnerabilities has provided recommendations to address each issue. The processes used by security researchers to identify and responsibly report each new security vulnerability work and help to prevent actual attacks from successful exploitation of these vulnerabilities outside of research lab environments.

Q15: Why is CommScope RUCKUS disclosing this now?
A15: An issue of this magnitude requires collaboration among multiple parties to ensure that responses and patches can be prepared in advance. The Wi-Fi Alliance, in cooperation with the security research author, and the vendor community chose to share this flaw on 11 May 2021.

Q16: Who is involved in producing a solution?
A16: The Wi-Fi Alliance and all associated vendors are collaborating with silicon chipset manufacturers to produce a solution.

Q17: Are all the silicon chipset manufacturers affected the same way?
A17: All silicon chipset vendors are affected since this affects the 802.11 protocol. However, there are variations to what extent each vulnerability affects every product. One of the attacks (CVE-2020-24588: Accepting non-SPP A-MSDU frames) targets all Wi-Fi client types, IoT devices, and access points.

Another attack (CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers) targets all IoT devices and access points and most Wi-Fi client types. The remaining attacks target some Wi-Fi clients and IoT devices and may target consumer grade access points (home routers) but not Enterprise grade access points.

Q18: Will the fix lead to interoperability problems or performance degradation?
A18: No. We do not expect interoperability issues or performance degradations due to the fixes for the vulnerabilities.

Q19: I picked up the releases you mention, but the release notes do not mention anything about the vulnerabilities. Are they really fixed?
A19: The software versions with fixes and their release notes were made available prior to the public announcements of the FragAttacks vulnerability. In accordance with standard practice, there was an embargo on the public release of information about the vulnerabilities until 11 May 2021. After 11 May 2021, the release notes will be updated to explicitly mention the FragAttacks vulnerability. If you downloaded and installed the software versions mentioned above, please be assured that the fixes are present in the code.

Q20: Have you verified that the fix works?
A20: Yes, all software versions in the download link have been verified to contain the fixes and have gone through our QA testing cycle that is applied to any customer release of software.

Q21: Are the FragAttacks SZ software AP patches compatible with other SZ releases? Can we use these AP patches for our AP zones running older firmware?
A21: Yes, the fixed FragAttacks software AP patches are compatible with and tested by QA to validate compatibility with other SZ software releases, including different compatible controller versions. Since the fix is in AP software, you would need to update all your zones firmware (including the ones running previous versions with the corresponding patch).  More details about AP firmware compatibility with different SZ software versions can be found in section ‘Multiple AP Firmware Support in the SZ100/vSZ-E/SZ300/vSZ-H’ of Release Notes and/or Upgrade Guides.

Q22: If I do not upgrade, are there logs that tell me that I have been attacked?
A22: While currently there are no logs that would give you such details, implementing some of the mitigation strategies outlined above may potentially help alert you to certain aspects of this attack.

Q23: After upgrading, do you still recommend enabling WPA3 and/or other suggested features?
A23: The mitigation strategies outlined above are general best practices for running and maintaining a secure network, regardless of the FragAttacks vulnerability. If you do choose to implement one or more of them after applying the security patches, please read the important technical considerations mentioned in the mitigation section before you decide to implement each strategy.