Aruba Product Security Advisory
===============================

Advisory ID: ARUBA-PSA-2021-011
CVE: CVE-2020-24586, CVE-2020-24587, CVE-2020-24588, CVE-2020-26139,
     CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143,
     CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147
Publication Date: 2021-May-11
Last Updated: 2021-June-08
Status: Confirmed
Severity: Medium
Revision: 2

Title
=====
802.11 Frame Aggregation and Fragmentation Vulnerabilities

Overview
========
Twelve new vulnerabilities related to different components in the
implementation of the 802.11 standard have been published. Successful
exploitation of each one of these vulnerabilities can result in
sensitive data disclosure and possibly traffic manipulation.

Unaffected Products
===================
No Aruba products are affected by the following vulnerabilities:

CVE-2020-24586
CVE-2020-24587
CVE-2020-26139
CVE-2020-26141
CVE-2020-26142
CVE-2020-26144
CVE-2020-26145

Affected Products
=================
The following products are affected by CVE-2020-24588 and
CVE-2020-26146:

All Aruba Instant Access Points:
- Aruba Instant 6.4.x: prior to 6.4.4.8-4.2.4.19
- Aruba Instant 6.5.x: prior to 6.5.4.19
                       prior to 6.5.4.20 if using IAP-1xx series
- Aruba Instant 8.3.x: prior to 8.3.0.15
                       prior to 8.3.0.16 if using RAP-155 series
- Aruba Instant 8.5.x: prior to 8.5.0.12
                       prior to 8.5.0.13 if using RAP-155 series
- Aruba Instant 8.6.x: prior to 8.6.0.8
                       prior to 8.6.0.9 if using RAP-155 series
- Aruba Instant 8.7.x: prior to 8.7.1.2

All ArubaOS Access Points when managed by hardware or virtual
implementations of Aruba Mobility Controllers (standard or FIPS):
- ArubaOS 6.4.x: prior to 6.4.4.25
- ArubaOS 6.5.x: prior to 6.5.4.19
                 prior to 6.5.4.20 if using AP-1xx series
- ArubaOS 8.3.x: prior to 8.3.0.15
                 prior to 8.3.0.16 if using AP-1xx series
- ArubaOS 8.5.x: prior to 8.5.0.12
                 prior to 8.5.0.13 if using AP-1xx series
- ArubaOS 8.6.x: prior to 8.6.0.8
                 prior to 8.6.0.9 if using AP-1xx series
- ArubaOS 8.7.x: prior to 8.7.1.2

Aruba Instant On:
- prior to 2.3.0

Aruba views the vulnerabilities listed for the above products as Medium
severity.

The following products are affected by CVE-2020-26140, CVE-2020-26143,
CVE-2020-26147 and CVE-2020-26146:

Aruba User Experience Insight (UXI) Sensors UX-F5C, UX-G5E, and UX-G5C:
- all current versions

Aruba views these vulnerabilities for the UXI Sensors as Low severity.

Other Aruba products not listed above, including Aruba Mobility
Conductor (formerly Mobility Master) and SD-WAN Gateways, are not
affected by these vulnerabilities.

Details
=======
Vulnerabilities in the implementation of the IEEE 802.11 standard have
been uncovered. These vulnerabilities allow an attacker to inject
malicious frames into a legitimate Wi-Fi connection, regardless of the
type of wireless encryption used. Successful exploitation of these
vulnerabilities results in exfiltration of sensitive data or, in
conjunction with other known attacks, allows for traffic manipulation.

Note that these vulnerabilities might also affect wireless client
devices. Non-Aruba devices may also have fixes for these
vulnerabilities. Please check with your non-Aruba device vendor for
additional details.

Specific to the Aruba UXI Sensors, the CVEs in question (CVE-2020-26140,
CVE-2020-26143, CVE-2020-26146, and CVE-2020-26147) also have CVSS
scores of Medium severity. Aruba has further analyzed the impact on the
functionality of the sensors: for any of these vulnerabilities to be
exploited, multiple levels of security not directly related to Wi-Fi,
including the product dashboard itself, would have to fail. Therefore
these are considered to be Low in severity.
See the accompanying FAQ document published by Aruba for more detailed
information:
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011-FAQ.pdf

Accepting non-SPP A-MSDU frames (CVE-2020-24588)
---------------------------------------------------------------------
The 802.11 standard allows for encryption of the data payload, but the
MAC header remains unencrypted. To cryptographically protect the header
fields, it requires a WLAN device to compute additional authentication
data (AAD) using some of these header fields. The AAD is used for MIC
computation as part of CCMP encryption. By default, the AAD does not
include the A-MSDU Present bit from the QoS Control subfield of the
802.11 MAC header. The bit is included in the AAD only if the
capabilities advertised by the Access Point and the client devices
include support for, and mandate, signal and payload protected (SPP)
A-MSDU aggregation, as opposed to the default payload protected (PP)
A-MSDU aggregation.

By using a MitM (Machine-in-the-Middle) technique and altering the
A-MSDU bit in the QoS Control subfield of the 802.11 MAC header, an
attacker can gain access to sensitive data and/or inject data to the
victim.

Internal Reference: ATLWL-219
Severity: Medium
CVSSv3 Overall Score: 6.1
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Accepting plaintext data frames in a protected network (CVE-2020-26140)
---------------------------------------------------------------------
The implementation of the 802.11 standard allows devices to accept
plaintext data frames even in a protected network. By using a MitM
(Machine-in-the-Middle) technique in addition to misconfigured tests on
the product dashboard, altering what looks like the handshake message
in an aggregated frame, an attacker can inject data to the victim.

Internal Reference: ASIRT-494
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Accepting fragmented plaintext data frames in a protected network
(CVE-2020-26143)
---------------------------------------------------------------------
The implementation of the 802.11 standard allows devices to accept
fragmented plaintext data frames even in a protected network. By using
a MitM (Machine-in-the-Middle) technique and altering data, an attacker
can inject fragmented frames to the victim.

Internal Reference: ASIRT-494
Severity: Medium
CVSSv3 Overall Score: 6.5
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reassembling encrypted fragments with non-consecutive packet numbers
(CVE-2020-26146)
---------------------------------------------------------------------
The 802.11 standard allows for fragmentation of data frames that are
larger than a particular value (known as the fragmentation threshold)
into more than one MPDU for transmission over the air. On the receiving
device, these fragments are then reassembled into the original data
frame and passed to the higher layers of the stack. The MAC header
includes a Sequence Number (SN) subfield for ordering of the MPDUs,
irrespective of whether they contain fragmented or unfragmented data.
To facilitate fragmentation, the MAC header also includes a Fragment
Number (FN) subfield in addition to the SN: fragments of one data frame
have the same SN but different FNs. Once encrypted, the MPDUs also
carry a Packet Number (PN), which is again a consecutively increasing
number used for checking against replays. Together, the PN is expected
to increase in step with the FN and SN. The Aruba Access Point does not
check whether all fragments of a frame have consecutive PNs, that is,
whether the fragments indeed belong to the same frame or not.
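The receive-side checks this entry and the plaintext/mixed-fragment entries above (CVE-2020-26140, CVE-2020-26143, CVE-2020-26147) describe as missing, written out as an added example that is not Aruba code: a simplified per-peer reassembler over a constructed MPDU model that drops plaintext on a protected network, refuses to mix protected and plaintext fragments, and requires consecutive PNs across the fragments of one frame. The names Mpdu and HardenedReassembler and the field model are assumptions; a real driver keeps this state per TID as well.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Mpdu:
    """Received 802.11 data MPDU fields that matter for reassembly (constructed model)."""
    sn: int            # Sequence Number, shared by all fragments of one frame
    fn: int            # Fragment Number within that frame (0, 1, 2, ...)
    more_frag: bool    # More Fragments flag from Frame Control
    protected: bool    # Protected Frame flag (payload was CCMP-encrypted)
    pn: Optional[int]  # CCMP Packet Number, None for a plaintext frame
    payload: bytes     # fragment payload after decryption

class HardenedReassembler:
    """Per-peer reassembly with the checks the advisory reports as missing:
    no plaintext on a protected network, no mixing of protected and
    plaintext fragments, and consecutive PNs across one frame's fragments."""
    def __init__(self, protected_network: bool) -> None:
        self.protected_network = protected_network
        self.pending = None  # [sn, expected_fn, last_pn, protected, chunks]

    def receive(self, m: Mpdu) -> Tuple[str, Optional[bytes]]:
        if self.protected_network and not m.protected:
            self.pending = None
            return ("drop:plaintext-on-protected-network", None)
        if m.fn == 0:
            if not m.more_frag:
                return ("deliver", m.payload)  # unfragmented frame
            self.pending = [m.sn, 1, m.pn, m.protected, [m.payload]]
            return ("buffered", None)
        if self.pending is None:
            return ("drop:no-first-fragment", None)
        sn, expected_fn, last_pn, protected, chunks = self.pending
        if m.sn != sn or m.fn != expected_fn:
            self.pending = None
            return ("drop:sn-or-fn-mismatch", None)
        if m.protected != protected:
            self.pending = None
            return ("drop:mixed-protected-and-plaintext", None)
        # fragments of one frame carry consecutive PNs; a gap means a foreign fragment
        if protected and m.pn != last_pn + 1:
            self.pending = None
            return ("drop:non-consecutive-pn", None)
        chunks.append(m.payload)
        if m.more_frag:
            self.pending = [sn, expected_fn + 1, m.pn, protected, chunks]
            return ("buffered", None)
        self.pending = None
        return ("deliver", b"".join(chunks))
```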
Consequently, an attacker using a MitM (Machine-in-the-Middle) technique
can abuse this vulnerability by mixing fragments of different packets in
order to extract user data.

Internal Reference: ATLWL-220
Severity: Medium
CVSSv3 Overall Score: 4.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Reassembling mixed encrypted/plaintext fragments (CVE-2020-26147)
---------------------------------------------------------------------
The implementation of the 802.11 standard allows devices to reassemble
mixed encrypted and plaintext fragments instead of accepting only
encrypted ones. By using a MitM (Machine-in-the-Middle) technique, an
attacker can replace certain encrypted fragments with plaintext ones,
resulting in data injection to the victim.

Internal Reference: ASIRT-494
Severity: Medium
CVSSv3 Overall Score: 4.8
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Resolution
==========
Aruba Instant Access Points:
- Aruba Instant 6.4.x: 6.4.4.8-4.2.4.19 and above
- Aruba Instant 6.5.x: 6.5.4.19 and above
                       6.5.4.20 and above if using AP-1xx series
- Aruba Instant 8.3.x: 8.3.0.15 and above
                       8.3.0.16 and above if using RAP-155 series
- Aruba Instant 8.5.x: 8.5.0.12 and above
                       8.5.0.13 and above if using RAP-155 series
- Aruba Instant 8.6.x: 8.6.0.8 and above
                       8.6.0.9 and above if using RAP-155 series
- Aruba Instant 8.7.x: 8.7.1.2 and above
- Aruba Instant 8.8.x: 8.8.0.0 and above

Access Points when managed by hardware or virtual implementations of
Aruba Mobility Controllers (standard or FIPS):
- ArubaOS 6.4.x: 6.4.4.25 and above
- ArubaOS 6.5.x: 6.5.4.19 and above
                 6.5.4.20 and above if using AP-1xx series
- ArubaOS 8.3.x: 8.3.0.15 and above
                 8.3.0.16 and above if using AP-1xx series
- ArubaOS 8.5.x: 8.5.0.12 and above
                 8.5.0.13 and above if using AP-1xx series
- ArubaOS 8.6.x: 8.6.0.8 and above
                 8.6.0.9 and above if using AP-1xx series
- ArubaOS 8.7.x: 8.7.1.2 and above
- ArubaOS 8.8.x: 8.8.0.0 and above

Aruba Instant On:
- 2.3.0 and above

Aruba UXI Sensors will be automatically updated once patches are
available. The target date is TBD, following which this advisory will
be updated.

Workarounds
===========
None.

Exploitation and Public Discussion
==================================
These vulnerabilities are being widely discussed in public. A research
paper is available describing the vulnerabilities and attack technique
at the following URL:
https://papers.mathyvanhoef.com/usenix2021.pdf

Discovery
=========
These vulnerabilities were discovered by Dr. Mathy Vanhoef. Aruba
expresses its appreciation and gratitude to Dr. Vanhoef for responsibly
disclosing these vulnerabilities to the vendor and open-source
communities. Aruba also wants to thank the Wi-Fi Alliance and the
Industry Consortium for Advancement of Security on the Internet (ICASI)
for coordinating the disclosure of these vulnerabilities. ICASI's
advisory has been posted at:
https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/

Revision History
================
Revision 1 / 2021-May-11 / Initial release
Revision 2 / 2021-June-08 / Included CVEs affecting Aruba UXI Sensors
                            and their associated impact

Aruba SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in Aruba
Networks products and obtaining assistance with security incidents is
available at:
http://www.arubanetworks.com/support-services/security-bulletins/

For reporting *NEW* Aruba Networks security issues, email can be sent
to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
http://www.arubanetworks.com/support-services/security-bulletins/

(c) Copyright 2021 by Aruba, a Hewlett Packard Enterprise company.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.