# Full Report
Twelve vulnerabilities in the implementation of frame aggregation and fragmentation in the 802.11 standard, published under the name FragAttacks, have been disclosed. Successful exploitation of these vulnerabilities could allow an attacker within Wi-Fi range to forge encrypted frames, which could result in sensitive data disclosure and possibly traffic manipulation. The Siemens products listed in this advisory are only affected by some of the published vulnerabilities. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not available, or not yet available.
# Analysis Summary
# Vulnerability: FragAttacks (802.11 Frame Aggregation and Fragmentation)
## CVE Details
The Siemens advisory specifically addresses a subset of the twelve "FragAttacks" vulnerabilities. Key identifiers include:
- **CVE-2020-24588**: CVSS 3.1 Score **3.5** (Low) - Accepting non-SPP A-MSDU frames.
- **CVE-2020-26139**: CVSS 3.1 Score **5.3** (Medium) - Forwarding EAPOL frames even if the sender is not authenticated.
- **CVE-2020-26144**: CVSS 3.1 Score **5.3** (Medium) - Accepting plaintext A-MSDU frames that look like RFC1042 LLC/SNAP headers.
- **CVE-2020-26145**: CVSS 3.1 Score **5.3** (Medium) - Accepting plaintext broadcast fragments as full frames.
- **CVE-2020-26146**: CVSS 3.1 Score **5.3** (Medium) - Reassembling fragments with non-consecutive packet numbers.
- **CVE-2020-26147**: CVSS 3.1 Score **5.4** (Medium) - Reassembling mixed plaintext/encrypted fragments.
- **CWE**: CWE-20 (Improper Input Validation)
## Affected Systems
- **Products**: SCALANCE W industrial wireless modules.
- **Versions**:
  - **SCALANCE W1750D family**: All versions < V8.7.1.3.
  - **SCALANCE W700 IEEE 802.11ax family (WAM763-1, WAM766-1)**: All versions < V1.2.0.
  - **SCALANCE W700 IEEE 802.11n family**: All versions (no fix planned).
  - **SCALANCE W1700 IEEE 802.11ac family**: Specific older versions.
- **Configurations**: Devices must have Wi-Fi enabled; impact occurs when using WEP, WPA, WPA2, or WPA3 protocols.
## Vulnerability Description
FragAttacks are design flaws in the IEEE 802.11 (Wi-Fi) standard and programming errors in Wi-Fi implementations. The flaws relate to how the protocol handles **aggregation** (combining multiple packets into one frame) and **fragmentation** (breaking packets into smaller pieces). Vulnerable implementations fail to properly validate whether all fragments belong to the same frame and whether every fragment was received encrypted, allowing attackers to inject malicious packets or exfiltrate data by spoofing or forging frames.
## Exploitation
- **Status**: Proof-of-Concept (PoC) available; research originally published by Mathy Vanhoef.
- **Complexity**: High (Requires specific timing and conditions to intercept/inject frames).
- **Attack Vector**: Adjacent (The attacker must be within Wi-Fi range of the target).
## Impact
- **Confidentiality**: Low to Medium (Selected fragments can be exfiltrated).
- **Integrity**: High (Forged frames can result in traffic manipulation and unauthorized packet injection).
- **Availability**: None reported as a primary impact in this advisory.
## Remediation
### Patches
- **SCALANCE W1750D**: Update to **V8.7.1.3** or later.
- **SCALANCE W700 (802.11ax)**: Update to **V1.2.0** or later.
- **SCALANCE W1700 (802.11ac)**: Updates available (refer to the Siemens portal for specific firmware links).
### Workarounds
For products where no fix is planned (e.g., 802.11n family) or before patching:
1. **Restrict Access**: Ensure only trusted devices can connect to the Wi-Fi network.
2. **Layered Security**: Use higher-layer encryption (HTTPS, SSH, VPN) to protect data even if the Wi-Fi layer is compromised.
3. **Disable Vulnerable Standards**: Avoid using WEP or older WPA versions where possible.
## Detection
- **Indicators of Compromise**: Difficult to detect via standard logs; requires deep packet inspection (DPI) of wireless traffic to identify fragment sequences with non-consecutive packet numbers, mixed plaintext/encrypted fragments, or anomalous EAPOL forwarding.
- **Detection Methods**: Wireless Intrusion Detection Systems (WIDS) updated with FragAttack-specific signatures.
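The fragment-consistency checks that the Vulnerability Description and the Detection section refer to, as an added example that is not part of the Siemens advisory or the FragAttacks research code: each check corresponds to one of the fragmentation CVEs listed above (CVE-2020-26145, -26146, -26147), and the `Fragment` record and the sample fragment sets are constructed for illustration, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Fragment:
    """One received 802.11 fragment (constructed record, not a real capture)."""
    seq: int            # sequence number, shared by every fragment of one frame
    frag: int           # fragment number, counted from 0
    more: bool          # More Fragments flag
    pn: Optional[int]   # CCMP/GCMP packet number; None if the fragment arrived in plaintext
    broadcast: bool = False

def check_reassembly(frags: List[Fragment]) -> List[str]:
    """Return the FragAttacks findings a hardened receiver raises before reassembling.

    An empty list means the fragment set is consistent and may be reassembled;
    a vulnerable receiver would reassemble in every one of the flagged cases.
    """
    if not frags:
        return ["no fragments received"]
    findings = []
    frags = sorted(frags, key=lambda f: f.frag)
    if len({f.seq for f in frags}) != 1:
        findings.append("fragments carry different sequence numbers")
    if [f.frag for f in frags] != list(range(len(frags))) or frags[-1].more:
        findings.append("fragment set incomplete or last fragment still has More Fragments set")
    plaintext = [f for f in frags if f.pn is None]
    if plaintext and len(plaintext) != len(frags):
        findings.append("CVE-2020-26147: plaintext and encrypted fragments mixed in one frame")
    if any(f.broadcast and f.pn is None for f in frags):
        findings.append("CVE-2020-26145: plaintext broadcast fragment must not be accepted as a frame")
    pns = [f.pn for f in frags if f.pn is not None]
    if any(b != a + 1 for a, b in zip(pns, pns[1:])):
        findings.append("CVE-2020-26146: packet numbers of the fragments are not consecutive")
    return findings

# Constructed fragment sets (not captured traffic): one clean case and the three defects.
BENIGN = [Fragment(7, 0, True, 100), Fragment(7, 1, False, 101)]
NON_CONSECUTIVE_PN = [Fragment(8, 0, True, 200), Fragment(8, 1, False, 205)]
MIXED_PLAINTEXT = [Fragment(9, 0, True, 300), Fragment(9, 1, False, None)]
PLAINTEXT_BROADCAST = [Fragment(10, 0, False, None, broadcast=True)]

if __name__ == "__main__":
    for name, frags in [("benign", BENIGN), ("non-consecutive PN", NON_CONSECUTIVE_PN),
                        ("mixed plaintext", MIXED_PLAINTEXT), ("plaintext broadcast", PLAINTEXT_BROADCAST)]:
        print(name, "->", check_reassembly(frags) or ["accept"])
```

In a WIDS or DPI pipeline the same function is applied to each fragment set grouped by transmitter address and sequence number; any non-empty result is an alert candidate.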
## References
- **Siemens Advisory**: hxxps://cert-portal.siemens[.]com/productcert/html/ssa-913875.html
- **Official FragAttacks Research**: hxxps://www.fragattacks[.]com/
- **Technical Paper**: hxxps://papers.mathyvanhoef[.]com/usenix2021.pdf
- **Siemens ProductCERT**: hxxps://www.siemens[.]com/cert/advisories