Advisory ID: ComtrendAgregation&FragmentationAdvisory-01
Title: Aggregation and Fragmentation Attacks against Wi-Fi
Public Release Date: 5/13/2021
Revision 1.0
Overview:
A new set of vulnerabilities, collectively referred to as Aggregation and Fragmentation Attacks (FragAttacks), has been disclosed in the wireless IEEE 802.11 (Wi-Fi) protocol and in many of its implementations.
We would like to inform you that we recently became aware of two classes of vulnerability, affecting the handling of A-MSDU aggregation and of MSDU fragmentation respectively. We have been working with the Wi-Fi Alliance to identify the vulnerability details. To date there is no evidence that these vulnerabilities have been exploited maliciously. Further technical details will be provided by the Wi-Fi Alliance on an ongoing basis.
Vulnerabilities Explained:
The IEEE 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2 and WPA3) and Wired Equivalent Privacy (WEP) defines two variants of A-MSDU protection, and the commonly deployed variant does not authenticate the A-MSDU Present subfield of the plaintext QoS Control header field. An attacker can flip this bit in a captured frame without invalidating the integrity check, so that the receiver re-parses the encrypted payload as A-MSDU subframes, and can thereby inject arbitrary network packets against devices on which A-MSDU reception is enabled.
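The following is an added illustration of the A-MSDU issue above; it is not Comtrend's code or part of the original advisory. It builds the Additional Authenticated Data (AAD) exactly as 802.11 specifies it for CCMP, shows that the AAD (and hence the CBC-MAC) is unchanged when the A-MSDU Present bit is flipped on a non-SPP receiver but does change when SPP A-MSDU masking is used, and then shows how a receiver that trusts the flipped bit re-parses an ordinary ICMP echo request into A-MSDU subframes, the second of which is attacker-chosen. The MAC addresses, IP addresses, the IP identification value 22 and the injected payload are constructed sample values.

```python
import struct

# 802.11 Frame Control bits (16-bit little-endian field).
FC_SUBTYPE_456 = 0x0070            # subtype bits 4..6 are masked in the AAD; bit 7 (QoS) is kept
FC_TO_DS, FC_FROM_DS = 0x0100, 0x0200
FC_RETRY, FC_PWRMGT, FC_MOREDATA = 0x0800, 0x1000, 0x2000
FC_PROTECTED, FC_ORDER = 0x4000, 0x8000
# QoS Control bits.
QC_TID = 0x000F
QC_AMSDU_PRESENT = 0x0080

RFC1042_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header that precedes IPv4


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def qos_data_header(a1, a2, a3, seq, tid, amsdu, from_ds=True):
    """26-byte MPDU header of a protected QoS Data frame without Address 4."""
    fc = 0x0088 | FC_PROTECTED | (FC_FROM_DS if from_ds else FC_TO_DS)   # type Data, subtype QoS Data
    qc = (tid & QC_TID) | (QC_AMSDU_PRESENT if amsdu else 0)
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<HH", seq << 4, qc)


def ccmp_aad(header, spp_amsdu=False):
    """AAD as 802.11 constructs it for CCMP, i.e. the header fields the MIC covers.
    Non-SPP receivers (the common case) mask the A-MSDU Present bit to zero;
    SPP A-MSDU capable peers keep it, which is what makes the bit authenticated."""
    fc, = struct.unpack_from("<H", header, 0)
    a1, a2, a3 = header[4:10], header[10:16], header[16:22]
    sc, = struct.unpack_from("<H", header, 22)
    off, a4 = 24, b""
    if fc & FC_TO_DS and fc & FC_FROM_DS:        # Address 4 present only in WDS frames
        a4, off = header[24:30], 30
    qc, = struct.unpack_from("<H", header, off)
    fc_masked = (fc & ~(FC_SUBTYPE_456 | FC_RETRY | FC_PWRMGT | FC_MOREDATA | FC_ORDER)) | FC_PROTECTED
    sc_masked = sc & 0x000F                      # sequence number masked, fragment number kept
    qc_masked = qc & (QC_TID | (QC_AMSDU_PRESENT if spp_amsdu else 0))
    return (struct.pack("<H", fc_masked) + a1 + a2 + a3 +
            struct.pack("<H", sc_masked) + a4 + struct.pack("<H", qc_masked))


def parse_amsdu(body):
    """Split a frame body into A-MSDU subframes: DA(6) SA(6) Length(2, big-endian) MSDU,
    every subframe but the last padded to a 4-octet boundary."""
    subframes, off = [], 0
    while off + 14 <= len(body):
        da, sa = body[off:off + 6], body[off + 6:off + 12]
        length, = struct.unpack_from(">H", body, off + 12)
        msdu = body[off + 14:off + 14 + length]
        if len(msdu) < length:
            break                                # truncated subframe, stop parsing
        subframes.append((da, sa, msdu))
        off += 14 + length
        off += (-off) % 4
    return subframes


def amsdu_subframe(da, sa, msdu):
    return da + sa + struct.pack(">H", len(msdu)) + msdu


def ipv4_icmp_echo_body(ip_id, icmp_payload, src=bytes([203, 0, 113, 5]), dst=bytes([192, 168, 1, 10])):
    """Constructed body of an ordinary (non-A-MSDU) frame carrying an ICMP echo request.
    Checksums are left zero; only the byte layout matters for the re-parsing demonstration."""
    icmp = struct.pack(">BBHHH", 8, 0, 0, 0x1234, 1) + icmp_payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ip_id, 0, 64, 1, 0, src, dst)
    return RFC1042_SNAP_IPV4 + ip + icmp


def demo():
    client, bssid, gateway = mac("02:00:00:00:00:01"), mac("02:00:00:00:00:02"), mac("02:00:00:00:00:03")
    hdr = qos_data_header(client, bssid, gateway, seq=7, tid=0, amsdu=False)
    hdr_flipped = qos_data_header(client, bssid, gateway, seq=7, tid=0, amsdu=True)
    # Flipping the A-MSDU Present bit leaves the non-SPP AAD, and therefore the MIC, unchanged.
    same_aad_nonspp = ccmp_aad(hdr) == ccmp_aad(hdr_flipped)
    same_aad_spp = ccmp_aad(hdr, spp_amsdu=True) == ccmp_aad(hdr_flipped, spp_amsdu=True)
    # Hypothetical attacker-chosen packet, placed in the ICMP payload of a ping to the victim.
    attacker_da, attacker_sa = client, mac("02:00:00:00:00:99")
    injected_msdu = RFC1042_SNAP_IPV4 + b"ATTACKER-CHOSEN-PACKET"
    injected = amsdu_subframe(attacker_da, attacker_sa, injected_msdu)
    # With the bit set, the receiver reads LLC/SNAP as DA, the next 6 bytes as SA and the IP
    # identification field as the subframe length. ID 22 makes the bogus first subframe end
    # at offset 36, exactly where the ICMP payload (the injected subframe) begins.
    body = ipv4_icmp_echo_body(ip_id=22, icmp_payload=injected)
    subframes = parse_amsdu(body)
    return {
        "same_aad_nonspp": same_aad_nonspp,
        "same_aad_spp": same_aad_spp,
        "first_da_is_llc": subframes[0][0] == RFC1042_SNAP_IPV4[:6],
        "injected_recovered": subframes[1] == (attacker_da, attacker_sa, injected_msdu),
        "n_subframes": len(subframes),
    }


if __name__ == "__main__":
    print(demo())
```

The first bogus subframe always has a destination address of aa:aa:03:00:00:00, which is why receivers that cannot authenticate the bit are advised to drop A-MSDUs whose first subframe carries that destination; the durable fix is SPP A-MSDU negotiation so that the bit is part of the AAD.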
Vulnerable WEP/WPA/WPA2 or WPA3 implementations in a protected Wi-Fi network can accept plaintext frames, which an attacker can exploit to inject arbitrary data frames irrespective of the network configuration.
Some implementations do not require that all fragments of a frame are encrypted under the same key. An attacker can exploit this to decrypt selected fragments when another device sends fragmented frames and the encryption key is renewed (rekeyed) in the meantime.
Implementations may also fail to clear received fragments from memory when (re)connecting to a network. An attacker can exploit this to inject arbitrary network packets and/or exfiltrate user data.
Vulnerable WEP/WPA/WPA2 or WPA3 implementations may process fragmented frames as full frames. An attacker can exploit this to inject arbitrary network packets, irrespective of the network configuration.
Vulnerable WEP/WPA/WPA2 or WPA3 implementations may reassemble fragments with non-consecutive packet numbers. An attacker can exploit this to exfiltrate selected fragments.
Vulnerable WEP/WPA/WPA2 or WPA3 implementations may accept second (or subsequent) broadcast fragments even when they are sent in plaintext, and process them as full unfragmented frames. An attacker can exploit this to inject arbitrary network packets irrespective of the network configuration.
Vulnerable access points (APs) may accept and process plaintext unicast Wi-Fi frames while authentication to an encrypted network is in progress, allowing an attacker to inject arbitrary network packets irrespective of the network configuration.
APs may also accept and process broadcast frames before, during and after authentication to an encrypted network, allowing an attacker to inject arbitrary network packets irrespective of the network configuration.
Implementations that do not verify the Message Integrity Check (MIC) of fragmented TKIP frames allow an attacker to decrypt packets in WPA/WPA2 networks that support the TKIP data-confidentiality protocol.
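The following receiver-side defragmenter is an added example, not Comtrend's or any driver's code, written to show the checks whose absence the fragmentation items above describe: rejecting plaintext fragments in a protected network, refusing fragments that were not decrypted under the same key as the first fragment (the mixed-key case), requiring consecutive packet numbers, and flushing the fragment cache on (re)connection. The Fragment record, the key_gen counter and the scenario values are constructed assumptions; a real driver compares the actual key or a rekey counter, since the CCMP Key ID of a pairwise key stays 0 across rekeys.

```python
from collections import namedtuple

# Constructed model of what a receiver knows about a fragment after CCMP/GCMP processing.
# pn: 48-bit packet number from the CCMP header; key_gen: which key generation decrypted it
# (a rekey counter, stands in for comparing the key itself); protected: Protected Frame bit set.
Fragment = namedtuple("Fragment", "seq frag more_frag pn key_gen protected payload")


class Defragmenter:
    def __init__(self):
        self._cache = {}   # seq -> state of a partially reassembled frame
        self.drops = []    # (seq, frag, reason): what a hardened driver would log

    def on_connect(self):
        """Flush the fragment cache on (re)association so fragments cached before a
        handshake cannot be joined with fragments received after it."""
        self._cache.clear()

    def _drop(self, f, reason):
        self.drops.append((f.seq, f.frag, reason))
        self._cache.pop(f.seq, None)
        return None

    def receive(self, f, network_protected=True):
        """Return the reassembled frame body, or None while more fragments are needed
        or when the fragment was dropped (see self.drops for the reason)."""
        if network_protected and not f.protected:
            return self._drop(f, "plaintext frame in protected network")
        if f.frag == 0 and not f.more_frag:
            return f.payload                      # ordinary unfragmented frame
        if f.frag == 0:
            self._cache[f.seq] = {"next": 1, "pn": f.pn, "key_gen": f.key_gen, "parts": [f.payload]}
            return None
        entry = self._cache.get(f.seq)
        if entry is None:
            return self._drop(f, "non-initial fragment without a first fragment")
        if f.frag != entry["next"]:
            return self._drop(f, "fragment number out of order")
        if f.key_gen != entry["key_gen"]:
            return self._drop(f, "mixed keys: fragment decrypted under a different key")
        if f.pn != entry["pn"] + 1:
            return self._drop(f, "non-consecutive packet number")
        entry["parts"].append(f.payload)
        entry["pn"], entry["next"] = f.pn, f.frag + 1
        if f.more_frag:
            return None
        del self._cache[f.seq]
        return b"".join(entry["parts"])


def run_scenarios():
    """Constructed fragment sequences: one legitimate frame and four attack patterns."""
    d, out = Defragmenter(), {}
    # 1. Legitimate two-fragment frame: same key generation, consecutive PNs.
    d.receive(Fragment(1, 0, True, 100, 1, True, b"hello "))
    out["legit"] = d.receive(Fragment(1, 1, False, 101, 1, True, b"world"))
    # 2. Mixed-key attack: second fragment arrives after a rekey.
    d.receive(Fragment(2, 0, True, 102, 1, True, b"secret-"))
    out["mixed_key"] = d.receive(Fragment(2, 1, False, 103, 2, True, b"half"))
    # 3. Attacker splices a fragment with a distant packet number.
    d.receive(Fragment(3, 0, True, 104, 2, True, b"a"))
    out["pn_gap"] = d.receive(Fragment(3, 1, False, 110, 2, True, b"b"))
    # 4. Plaintext non-initial fragment in a protected network.
    out["plaintext"] = d.receive(Fragment(4, 1, False, 111, 2, False, b"inject"))
    # 5. Fragment cached before reconnection must not be completed afterwards.
    d.receive(Fragment(5, 0, True, 112, 2, True, b"stale"))
    d.on_connect()
    out["stale"] = d.receive(Fragment(5, 1, False, 113, 2, True, b"-frag"))
    out["drop_reasons"] = [reason for _, _, reason in d.drops]
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, v)
```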
Comtrend is updating its firmware to remove these vulnerabilities and will release the necessary changes as soon as possible.
Firmware upgrade availability depends heavily on the chipset vendors' patch schedules. Should you require any further information on the vulnerabilities and patch availability, do not hesitate to contact us.
References:
Statement from the Industry Consortium for Advancement of Security on the Internet (ICASI) on Aggregation and Fragmentation Attacks against Wi-Fi
https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/
Advisory ID: ComtrendShellshockSecurityAdvisory-01
Title: Shellshock (Bash) Vulnerability
Public Release Date: 11/05/2014
Revision 1.0
Overview:
A new vulnerability nicknamed Shellshock (aka "Bash Bug" or "Bashdoor") was recently found in the widely used Unix Bash shell, from version 1.13 to 4.3. The Bash shell vulnerability affects many Linux and Unix systems. It has been publicly disclosed as CVE-2014-6271. Shellshock is considered a very serious vulnerability because it allows remote code execution and gives the attacker full access to the system: Bash executes commands appended to a function definition that it imports from an environment variable, so any service that passes attacker-controlled input to Bash through the environment (a CGI web application, for example) lets the attacker reach a shell and execute any program on the target.
Comtrend has investigated our DSL CPEs and switch routers for this vulnerability and found that they are not susceptible: the embedded, password-protected firmware uses the BusyBox shell rather than Bash, so the vulnerable Bash function-import code is not present.
We also strongly recommend that providers apply publicly available software patches to servers in their network environment to protect against this vulnerability. For example, while the Comtrend ACS (TR-069 Auto Configuration Server) software itself is not vulnerable to Shellshock, the Linux or Unix operating system on which the ACS software runs may be. To locate resources and applicable patches for your systems, check the National Vulnerability Database summary for CVE-2014-6271. Additional variations of the original vulnerability have since been disclosed under separate identifiers (see list below).
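The following probe is an added example for checking an ACS host or any other server, not Comtrend's tooling. It exports an environment variable holding a Bash function definition followed by a trailing command and starts a child Bash: a Bash affected by CVE-2014-6271 runs the trailing command while importing the function, a patched Bash does not. The trailing command only prints a marker. The second function is a heuristic that reports whether the system shell is a BusyBox applet, as on the CPEs described above; the variable name PROBE_FUNC, the marker string and the default path /bin/sh are assumptions.

```python
import os
import shutil
import subprocess

MARKER = "SHELLSHOCK_PROBE_MARKER"


def probe_shellshock(bash_path=None):
    """Return 'vulnerable', 'patched', 'no-bash' or 'error'.

    Only the original CVE-2014-6271 parser bug is tested: the value of PROBE_FUNC is a
    function definition "() { :; }" followed by "; echo MARKER". Vulnerable Bash keeps
    parsing past the function body and executes the echo at startup; patched Bash
    imports nothing from a plain variable (it now requires a BASH_FUNC_ prefix) and
    never runs trailing commands."""
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "no-bash"
    env = dict(os.environ)
    env["PROBE_FUNC"] = "() { :; }; echo " + MARKER
    try:
        proc = subprocess.run([bash, "-c", "true"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return "error"
    return "vulnerable" if MARKER in proc.stdout else "patched"


def shell_is_busybox(shell_path="/bin/sh"):
    """Heuristic: True when the system shell resolves to a BusyBox binary (the usual
    /bin/sh -> busybox symlink on embedded firmware), False otherwise or if absent."""
    if not os.path.exists(shell_path):
        return False
    return os.path.basename(os.path.realpath(shell_path)) == "busybox"


if __name__ == "__main__":
    print("bash:", probe_shellshock())
    print("/bin/sh is BusyBox:", shell_is_busybox())
```

A result of "patched" from this probe does not cover the follow-up parser bugs disclosed after the first fix; those need the vendor's cumulative Bash update, which is what the patch recommendation above is about.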
Related vulnerabilities: