Juniper Networks has released an out-of-cycle emergency patch that fixes a “FragAttack” WiFi vulnerability in Juniper Networks Mist Access Points (APs).
On May 11, 2021, the Industry Consortium for Advancement of Security on the Internet (ICASI) announced the coordinated disclosure of a series of vulnerabilities known as FragAttack that impact WiFi devices. Exploitation of these vulnerabilities could result in data exfiltration.
Although 12 different vulnerabilities were disclosed as part of FragAttack, just one of them, CVE-2020-24588, affects Juniper Networks Mist Access Points (APs).
“Successful exploitation of CVE-2020-24588 may allow an attacker to inject arbitrary network packets which could be used to spoof servers and conduct man-in-the-middle (MITM) attacks, in protected Wi-Fi networks, including WEP, WPA, WPA2, and WPA3,” Juniper stated in the out-of-cycle advisory.
This flaw is rated Medium severity (CVSS base score 5.7) and affects Mist Access Point firmware versions 0.5, 0.6, 0.7, 0.8 and 0.9.
Affected platforms include the AP12, AP21, AP32, AP33, AP41, AP43, AP61 and AP63, as well as the Wi-Fi Mini-Physical Interface Module (Mini-PIM) for branch SRX Series Services Gateways.
FragAttack vulnerabilities
According to the ICASI advisory, the full list of FragAttack vulnerabilities is as follows:
- CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network
- CVE-2020-24587: Reassembling fragments encrypted under different keys
- CVE-2020-24588: Accepting non-SPP A-MSDU frames*
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated
- CVE-2020-26140: Accepting plaintext data frames in a protected network
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames
- CVE-2020-26142: Processing fragmented frames as full frames
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network)
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments
* CVE-2020-24588 affects Juniper Networks Mist Access Points (APs).
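Most of the entries above describe what a receiver's fragment-reassembly and A-MSDU handling path must refuse. The following simplified Python model is an added illustration, not code from the ICASI advisory, Juniper, or any Wi-Fi driver; the Frame fields and Receiver state are assumptions chosen to make each check explicit. It covers the fragmentation and aggregation flaws (CVE-2020-24586, -24587, -24588, -26140, -26142, -26143, -26145, -26146, -26147); the EAPOL-forwarding issues (CVE-2020-26139, -26144) concern AP-side forwarding and are out of scope here.

```python
"""Simplified receive-side model of the FragAttack frame-handling checks.
Constructed example: the Frame layout and Receiver state are assumptions,
not the structures of any real 802.11 stack."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    sender: str
    frag_num: int           # Sequence Control fragment number
    more_frags: bool        # Frame Control "More Fragments" bit
    encrypted: bool         # Protected Frame bit set and decryption succeeded
    key_id: Optional[int]   # key the fragment was decrypted with (None if plaintext)
    pn: Optional[int]       # CCMP/GCMP packet number (None if plaintext)
    amsdu: bool             # QoS Control "A-MSDU Present" bit
    payload: bytes


@dataclass
class Receiver:
    protected: bool = True    # WPA/WPA2/WPA3 link
    spp_amsdu: bool = False   # SPP A-MSDU capability negotiated for this link
    pending: Dict[str, List[Frame]] = field(default_factory=dict)

    def on_reconnect(self) -> None:
        # CVE-2020-24586: partial fragments never survive (re)association
        self.pending.clear()

    def receive(self, f: Frame) -> Tuple[str, Optional[bytes]]:
        """Return ('accept', data), ('buffered', None) or ('drop:<reason>', None)."""
        if self.protected and not f.encrypted:
            # CVE-2020-26140 / -26143 / -26145 / -26147: on a protected network no
            # plaintext data frame, fragment or broadcast fragment is ever accepted,
            # so mixed plaintext/encrypted reassembly cannot arise either
            return "drop:CVE-2020-26140", None
        if f.amsdu and not self.spp_amsdu:
            # CVE-2020-24588: without SPP A-MSDU the A-MSDU flag is not
            # authenticated, so a forged non-SPP A-MSDU frame must be refused
            return "drop:CVE-2020-24588", None

        if f.frag_num == 0:
            buf = [f]  # first fragment (or an unfragmented frame) restarts reassembly
        else:
            buf = self.pending.get(f.sender)
            if buf is None or buf[-1].frag_num != f.frag_num - 1:
                self.pending.pop(f.sender, None)
                return "drop:out-of-order", None
            prev = buf[-1]
            if f.encrypted:
                if prev.key_id != f.key_id:
                    # CVE-2020-24587: every fragment must be decrypted with the same key
                    self.pending.pop(f.sender, None)
                    return "drop:CVE-2020-24587", None
                if prev.pn is None or f.pn != prev.pn + 1:
                    # CVE-2020-26146: packet numbers of fragments must be consecutive
                    self.pending.pop(f.sender, None)
                    return "drop:CVE-2020-26146", None
            buf.append(f)

        if f.more_frags:
            # CVE-2020-26142: a fragment is only buffered, never delivered as a frame
            self.pending[f.sender] = buf
            return "buffered", None
        self.pending.pop(f.sender, None)
        return "accept", b"".join(x.payload for x in buf)
```

Each rejection is keyed to the entry in the list above that it defends against, so the model can be used as a checklist when reviewing a driver's reassembly path; a real implementation also has to apply these rules per (sender, TID) and time out stale partial fragments.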
The Wi-Fi Alliance also published a security update on fragmentation on May 11, 2021.