On May 11, 2021, the Industry Consortium for Advancement of Security on the Internet (ICASI) announced the coordinated disclosure of a series of vulnerabilities related to the functionality of Wi-Fi devices. The complete list of vulnerabilities appears below. Exploitation of these vulnerabilities may result in data exfiltration.
Of the issues listed below, only CVE-2020-24588 affects Juniper Networks Mist Access Points (APs). Successful exploitation of CVE-2020-24588 may allow an attacker to inject arbitrary network packets, which could be used to spoof servers and conduct man-in-the-middle (MITM) attacks in protected Wi-Fi networks, including WEP, WPA, WPA2, and WPA3.
What is this vulnerability?
The DeAgg vulnerability, also known as CVE-2020-24588, is a flaw in the 802.11 protocol, specifically in the implementation of aggregated (A-MSDU) frames. The vulnerability could allow an attacker to flip the “is aggregated” flag in the 802.11 header, which would cause the frame payload to be parsed differently and potentially allow for packet injection.
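To make concrete why the flag can be flipped without a receiver noticing, and why a receiver that enforces SPP A-MSDU rejects such a frame, here is an added example (not Juniper or Mist code) that builds the CCMP Additional Authenticated Data from a QoS Data header the way 802.11 specifies it. An HMAC stands in for the AES-CCM MIC (an assumption made for brevity, since only MIC coverage matters here); the key, addresses and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

A_MSDU_PRESENT = 0x0080  # bit 7 of the 802.11 QoS Control field ("is aggregated")

def build_ccmp_aad(fc, a1, a2, a3, sc, qc, spp):
    """Additional Authenticated Data as CCMP derives it from a QoS Data header.
    Frame Control: subtype bits 4-6, Retry (11), PwrMgt (12) and MoreData (13) are
    masked and Protected (14) is forced on; Sequence Control keeps only the fragment
    number; QoS Control keeps the TID and, only when SPP A-MSDU is negotiated,
    the A-MSDU Present bit. A non-SPP receiver therefore never authenticates bit 7."""
    fc_masked = (fc & 0xC78F) | 0x4000
    sc_masked = sc & 0x000F
    qc_mask = 0x000F | (A_MSDU_PRESENT if spp else 0)
    return (struct.pack("<H", fc_masked) + a1 + a2 + a3
            + struct.pack("<H", sc_masked) + struct.pack("<H", qc & qc_mask))

def frame_mic(key, aad, payload):
    # Stand-in for the AES-CCM MIC: any keyed MAC over AAD || payload shows the point.
    return hmac.new(key, aad + payload, hashlib.sha256).digest()[:8]

def receiver_accepts(key, fc, a1, a2, a3, sc, qc, payload, mic_on_air, spp):
    """Receiver recomputes the MIC from the header it actually received."""
    aad = build_ccmp_aad(fc, a1, a2, a3, sc, qc, spp)
    return hmac.compare_digest(frame_mic(key, aad, payload), mic_on_air)

def flag_flip_detected(spp):
    """Sender protects a plain (non-aggregated) QoS Data frame; an on-path party
    then sets bit 7 in the unencrypted header. True if the receiver rejects it."""
    key = b"constructed-demo-ptk"                # constructed sample key
    fc = 0x4088                                  # Type=Data, Subtype=QoS Data, Protected
    a1 = bytes.fromhex("020000000001")           # constructed receiver address
    a2 = bytes.fromhex("020000000002")           # constructed transmitter address
    a3 = a1
    sc, qc = 0x0010, 0x0005                      # seq 1 / frag 0; TID 5, not aggregated
    payload = bytes.fromhex("aaaa03000000") + b"\x08\x00" + b"constructed IP payload"
    mic_on_air = frame_mic(key, build_ccmp_aad(fc, a1, a2, a3, sc, qc, spp), payload)
    tampered_qc = qc | A_MSDU_PRESENT            # the only change made on the wire
    return not receiver_accepts(key, fc, a1, a2, a3, sc, tampered_qc, payload, mic_on_air, spp)

if __name__ == "__main__":
    print("non-SPP receiver detects flip:", flag_flip_detected(spp=False))  # False
    print("SPP receiver detects flip:    ", flag_flip_detected(spp=True))   # True
```

The non-SPP path is the behaviour CVE-2020-24588 describes: the MIC still verifies after the flip, so the receiver parses the payload as an A-MSDU.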
Impact of this vulnerability?
The risk of a successful attack is low, as the vulnerability requires an attacker to take a man-in-the-middle position and also to control a web server. The client would need to connect to the man-in-the-middle AP and, in some way, visit the attacker’s web server. Subsequently, a specially crafted packet with injected data is sent to carry out additional attacks.
What action is needed to address this vulnerability?
All Mist APs are vulnerable to the DeAgg vulnerability (except BT11), and it is recommended to upgrade to a fixed firmware version as soon as possible. Mist has firmware versions with remediation for this vulnerability available for all Access Points, as noted in the following table:

| Platform | Recommended Fixed Version | Other Available Fixed Versions |
|---|---|---|
| AP41 | 0.8.21602 | 0.5.17562, 0.7.20564, 0.8.21602, 0.9.22801 |
| AP43 | 0.8.21602 | 0.6.19227, 0.7.20564, 0.8.21602, 0.9.22801 |
| AP61 | 0.8.21602 | 0.5.17562, 0.7.20564, 0.8.21602, 0.9.22801 |
| AP63 | 0.8.21602 | 0.6.19227, 0.7.20564, 0.8.21602, 0.9.22801 |
Note: Mist Edge is not affected by the disclosed vulnerabilities.
Where can I find additional information regarding the fixed firmware versions?
Release notes for the fixed versions can be found at the following link: https://www.mist.com/documentation/firmware
Is Mist impacted by the other vulnerabilities disclosed?
- Mist is not vulnerable to the DeFrag vulnerability (CVE-2020-24586 and CVE-2020-24587); however, additional protection has been added in the fixed releases.
- The following vulnerabilities are not applicable to any Mist platform, and Mist is not vulnerable to them: CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, and CVE-2020-26147.
Full list of disclosed vulnerabilities

| CVE | Description |
|---|---|
| CVE-2020-24586 | Not clearing fragments from memory when (re)connecting to a network |
| CVE-2020-24587 | Reassembling fragments encrypted under different keys |
| CVE-2020-24588 | Accepting non-SPP A-MSDU frames |
| CVE-2020-26139 | Forwarding EAPOL frames even though the sender is not yet authenticated |
| CVE-2020-26140 | Accepting plaintext data frames in a protected network |
| CVE-2020-26141 | Not verifying the TKIP MIC of fragmented frames |
| CVE-2020-26142 | Processing fragmented frames as full frames |
| CVE-2020-26143 | Accepting fragmented plaintext data frames in a protected network |
| CVE-2020-26144 | Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network) |
| CVE-2020-26145 | Accepting plaintext broadcast fragments as full frames (in an encrypted network) |
| CVE-2020-26146 | Reassembling encrypted fragments with non-consecutive packet numbers |
| CVE-2020-26147 | Reassembling mixed encrypted/plaintext fragments |
Who to contact for additional information?
Please contact Mist Support at firstname.lastname@example.org with any questions or concerns.
Q. Will enabling WPA3 protect me from this attack?
A. CVE-2020-24588 is specific to the 802.11 header itself, which is not encrypted by Management Frame Protection (MFP). Enabling WPA3 will not protect you from this specific vulnerability; however, it may help reduce the risk of MITM thanks to Protected Management Frames (PMF).
Q. Do I also need to update my client devices?
A. Most likely yes. All major client vendors (Apple, Google, Samsung, Microsoft, etc.) have been notified of the disclosed vulnerabilities and, if impacted, should communicate the appropriate information and necessary actions to their customers.
Q. Is Mist Edge impacted by these vulnerabilities?
A. No. As Mist Edge is not a Wireless LAN Controller and does not process or forward any 802.11 frames, it is not impacted by any of the disclosed vulnerabilities.
Q. Is there a software workaround for this issue?
A. No, there is no software workaround for this issue.
Q. How urgently should I upgrade the firmware on my Access Points?
A. Mist’s opinion is that the risk of a successful attack is low, since it requires a skilled attacker. Over time, tools may emerge that bring the attack within reach of more attackers. Mist considers upgrading to a fixed version important, but not urgent.
Q. How many other vendors have been affected?
A. Most infrastructure and client vendors appear to have been impacted by at least one of these disclosed vulnerabilities.