On May 12, 2021, a new vulnerability affecting most wireless-enabled devices was discovered and an advisory was issued by CIS (Center for Internet Security). The CVEs are listed below:
A vulnerability exists in the 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) that could allow an attacker to:
- Inject arbitrary network packets. (CVE-2020-24588)
- Decrypt selected fragments when another device sends fragmented frames. (CVE-2020-24587)
- Inject arbitrary network packets and/or exfiltrate user data. (CVE-2020-24586)
While this vulnerability was only discovered recently, it affects all wireless security protocols, meaning that any wireless device dating back to 1997 (the introduction of wireless devices and wireless security) is susceptible to attack.
Security updates were prepared during a 9-month-long coordinated disclosure, supervised by the Wi-Fi Alliance and ICASI, to ensure devices were able to receive updates to be protected from attacks targeting these vulnerabilities. If you have Wi-Fi-enabled devices, ensure none are vulnerable to this attack by reviewing all wireless-capable devices and verifying that they are updated. If updates for your devices are not yet available, some of these attacks may be mitigated by:
- Ensuring HTTPS is used when visiting websites. This will mitigate sensitive data exfiltration techniques that an attacker can use.
- Manually configuring your DNS server so that it cannot be poisoned.
- Specific to Wi-Fi configurations: disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 devices.
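As an added example (not part of the original advisory), the following script checks a hostapd access-point configuration for the two Wi-Fi-side interim mitigations above. It assumes hostapd's option semantics: fragm_threshold=2346 turns 802.11 fragmentation off, and wpa_ptk_rekey=0 (or absent) disables periodic pairwise rekeys; Wi-Fi 6 dynamic fragmentation is hardware-specific and is not covered by this check. The sample configurations are constructed, not taken from a real deployment.

```python
"""Check a hostapd.conf for the FragAttacks interim mitigations."""

# Assumed hostapd semantics: fragm_threshold=2346 disables fragmentation,
# wpa_ptk_rekey=0 (the default when absent) disables periodic PTK rekeys.
FRAG_DISABLED = 2346


def parse_hostapd_conf(text):
    """Return a dict of key -> value from hostapd.conf text; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_mitigations(conf):
    """Return a list of findings; an empty list means both interim mitigations are in place."""
    findings = []
    frag = conf.get("fragm_threshold")
    # Absent or below 2346 means the AP may still fragment frames.
    if frag is None or not frag.isdigit() or int(frag) < FRAG_DISABLED:
        findings.append("fragmentation not explicitly disabled: set fragm_threshold=2346")
    rekey = conf.get("wpa_ptk_rekey", "0")
    # Any non-zero lifetime enables periodic pairwise rekeying.
    if not rekey.isdigit() or int(rekey) != 0:
        findings.append("pairwise rekeys enabled: set wpa_ptk_rekey=0")
    return findings


# Constructed sample configurations (not from a real deployment).
WEAK_CONF = """\
interface=wlan0
ssid=example
wpa=2
# fragments frames larger than 1500 bytes
fragm_threshold=1500
wpa_ptk_rekey=600
"""

HARDENED_CONF = """\
interface=wlan0
ssid=example
wpa=2
fragm_threshold=2346
wpa_ptk_rekey=0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_mitigations(parse_hostapd_conf(text)) or ["ok"])
```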
One attack method allows an attacker to intercept and modify part of the header of the encrypted transmitted data. An attacker can abuse this by targeting the network a device is on and sending the user a specially crafted email. This email, when opened, would load an image that is hosted on the attacker's server, which, instead of an image, sends a TCP packet to take over the connection as a rogue access point, even handling the DNS requests.
Another attack method, a fragmentation attack, uses partial packets (fragments) to craft malicious packets and then intercept and decrypt traffic. This technique, while only possible in rare conditions, can also be used to exfiltrate selected client data.
OCD Tech can assist your organization by scanning your environment to determine if you have vulnerable devices, and can help you obtain the necessary updates or advise on alternative remediations. Please contact us for a consultation.
Listed below are other CVEs that were released as part of the same vulnerability findings:
A vulnerability exists in Samsung Galaxy S3 i9305 4.4.4 (discontinued Samsung phone) devices that could allow an attacker to:
- Inject arbitrary network packets independent of the network configuration. (CVE-2020-26145)
- Inject arbitrary network packets independent of the network configuration. (CVE-2020-26144)
- Exfiltrate selected fragments. (CVE-2020-26146)
A vulnerability exists in the ALFA Windows 10 driver, version:
- 6.1316.1209 for AWUS036H that could allow an attacker to inject arbitrary data frames independent of the network configuration. (CVE-2020-26140)
- 6.1316.1209 for AWUS036H that could allow an attacker to inject and possibly decrypt packets. (CVE-2020-26141)
- 1030.36.604 for AWUS036ACH that could allow an attacker to inject arbitrary data frames independent of the network configuration. (CVE-2020-26143)
A vulnerability exists in the kernel in NetBSD 7.1 that could allow an attacker to:
- Launch denial-of-service attacks against connected clients and make it easier to exploit other vulnerabilities in connected clients. (CVE-2020-26139)
A vulnerability exists in the Linux kernel 5.8.9 that could:
- Allow an attacker to inject packets and/or exfiltrate selected fragments (CVE-2020-26147)
A vulnerability exists in the kernel in OpenBSD 6.6 that could:
- Allow an attacker to inject arbitrary network packets, independent of the network configuration. (CVE-2020-26142)
Wi-Fi Alliance:
https://www.wi-fi.org/security-update-fragmentation
FragAttack:
https://www.fragattacks.com/#beingexploit
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24588
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26143
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26142
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26141