Vulnerability - Juniper Networks

DeAgg vulnerability - Advisory CVE-2020-24588
AA Technical Bulletin 210519-02


Download AATB-210519-02-DeAgg vulnerability Version 1 (pdf) >>

 

** This Technical Bulletin shall not replace any information or handling instructions provided from the manufacturer. Please see this paper as additional resource to help you to solve the issue. Also consider the newest Release Notes published by manufacturer to be sure that your environment is eligible for the update.
**Please note that upgrading the infrastructure is only one part of the solution. All 802.11 client
devices should be upgraded. Only the complete upgrade of all device will ensure security regarding
802.11 Security Advisory.

A. Introduction
A.01 About DeAgg vulnerability
A.02 Reason
A.03 General Approach
A.04 Prerequisites
A.05 Aeroaccess Risk Assessment
A.06 Detailed description
B. Juniper /Mist Deployment
B.01 Juniper /Mist Affected Devices
B.02 Juniper /Mist Solution
B.03 Juniper /Mist Workaround
B.04 Juniper /Mist Implementation
B.05 Upgrade Juniper/Mist Firmware
C. Aeroaccess Recommendation
C.01 Background Information
C.02 Pre-Test
C.03 Contract Status
C.04 Recommendation for Service Units
C.05 Deployment Phase 1
C.06 Deployment Phase 2

 

A. Introduction
A.01 About DeAgg Vulnerability
On May 11, 2021, the Industry Consortium for Advancement of Security on the Internet (ICASI) announced the coordinated disclosure of a series of vulnerabilities related to the functionality of Wi-Fi devices. Exploitation of these vulnerabilities may result in data exfiltration.


https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/

 

Regarding these issues listed above, only CVE-2020-24588 affects Mist Networks Access Points (APs). However, be aware that all devices using 802.11 chipsets, also client devices, are affected and shall be upgraded. Successful exploitation of CVE-2020-24588 may allow an attacker to inject arbitrary network packets which could be used to spoof servers and conduct man-in-the-middle (MITM) attacks, in protected Wi-Fi networks, including WEP, WPA, WPA2, and WPA3.


A.02 Reason
The DeAgg vulnerability, is a vulnerability discovered in the 802.11 protocol, specifically in the implementation of aggregated frames. The vulnerability could allow an attacker to flip the "is aggregated" flag in the 802.11 header, which would cause the frame payload to be parsed differently and potentially allow for packet injection.


A.03 General Approach
In general, the scope of these attacks is that they may allow an attacker to inject L2 frames that they can more or less control (depending on the vulnerability and attack method) into an otherwise protected network.


Exfiltrate (some) network data under certain conditions; this is specific to the fragmentation issues. A subset of these issues is known to apply to the Linux IEEE 802.11 implementation (mac80211). Where it is affected, the attached patches fix the issues, even if not all of them reference the exact CVE IDs.

 

In addition, driver and/or firmware updates may be necessary, as well as potentially more fixes to mac80211, depending on how drivers are using it.


A.04 Prerequisites
• All devices which are using 802.11 protocol with Firmware not using the related Security Patches.
• Attacker is located close to the attacked devices (man-in-the-middle).

 

A.05 Aeroaccess Risk Assessment
The risk of a successful attack is MEDIUM, as the vulnerability requires an attacker to take a man-in-themiddle position, and also a webserver under the control of the attacker. The client would need to connect to the man-in-the-middle AP, and in some way visit the attacker's webserver. Subsequently a specially crafted packet with injected data is sent to carry out additional attacks.


A.06 Detailed Description
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities. 

Vulnerabilities in the implementation of the IEEE 802.11 standard have been uncovered. These vulnerabilities allow an attacker to inject malicious frames in a legitimate Wi-Fi connection, regardless of the type of wireless encryption used. 

Successful exploitation of these vulnerabilities results in exfiltration of sensitive data or, in conjunction
with other known attacks, allows for traffic manipulation.
Note that these vulnerabilities might also affect wireless client devices. Non-Juniper/Mist devices may
also have fixes for these vulnerabilities.
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired
Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is
authenticated.
The 802.11 standard allows for fragmentation of data frames that are larger than a particular value (known as the fragmentation threshold) into more than one MPDU for transmission over the air. On the receiving device, these fragments are then reassembled into the original data frame and passed to the higher layers of the stack. The MAC header includes a Sequence Number (SN) subfield for ordering of the MPDUs irrespective of whether they contain fragmented or unfragmented data. To facilitate fragmentation, the MAC header also includes a Fragment Number (FN) subfield in addition SN – fragments of one data frame have the same SN but different FN. Once encrypted, the MPDUs also have a Packet Number (PN) which is again a consecutively increasing number used for checking against replays. Together, PN are expected to increase linearly with FN and SN. The Juniper/Mist Access Point does not check whether all fragments of a frame have consecutive PN, that is, whether the fragments indeed belong to the same frame or not. Consequently, the attacker using a MitM (Machine-in-the-Middle) technique can abuse this vulnerability by mixing fragments of different packets in order to extract user data.


Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets, by accepting non-SPP A-MSDU frames. Attackers can exploit this and get devices to aggregate frames that appear to come from the same source, but don't, allowing for manipulation of the payload. A complete description for the DEAGG
VULNERABILITY you can find here: https://papers.mathyvanhoef.com/usenix2021.pdf

See the accompanying document published by Juniper/Mist for more detailed information:
https://www.mist.com/documentation/mist-security-advisory-fragattacks-and-faq

 

 

B. Juniper /Mist Deployment
B.01 Juniper/Mist Affected Devices
This issue affects Mist Access Point Firmware versions 0.5, 0.6, 0.7, 0.8, 0.9.
Affected Mist devices: AP12, AP21, AP32, AP33, AP41, AP43, AP61, AP63. This issue affects Wi-Fi Mini-Physical Interface Module (Mini-PIM).
Affected Juniper devices: SRX Series.


B.02 Juniper/Mist Solution:
The following firmware versions for the Juniper Networks Mist Access Points have been updated to resolve this specific issue (CVE-2020-24588): 0.5.17562, 0.6.19227, 0.7.20564, 0.8.21602, 0.9.22792 and all subsequent releases.


B.03 Juniper/Mist Workaround
There are no known workarounds for this issue. Only upgrades to released versions will fix the issues.


B.04 Juniper/Mist Implementation
Software releases or updates are available for download directly in Mist platform for all Mist Access
Points (see picture bellow) or at https://www.juniper.net/support/downloads/ for all Juniper devices.

 

B.05 Upgrade Juniper/Mist Firmware
On the following link you can find related Information which Firmware Version you should deploy to solve the issue:
https://www.mist.com/documentation/mist-security-advisory-fragattacks-and-faq

 


C. Aeroaccess Recommendation
C.01 Background Information
These Security Vulnerabilities cause special activities on the manufacturer side outside their planned Software releases. Also, when in this case, the manufacturers have been informed some months before, it also causes urgent activities, which may not always fit with the quality control of standard releases. In order to reduce the risk level for our customers, especially in production or business critical environments, Aeroaccess has made additional efforts deploying and testing the new Firmware releases.


C.02 Pre-Test
Right after announcement of the coordinated disclosure of a series of vulnerabilities Aeroaccess has made different Pre-Tests in our Lab environment to find interoperability issues or other problems.


Tested devices and deployed Firmware release:
Mist AP21 – Firmware upgrade from 0.5.17445 to 0.5.17562
Mist AP41 – Firmware downgrade from 0.9.22801 to 0.8.21602
Mist AP43 – Firmware upgrade from 0.6.19032 to 0.8.21602
Mist AP61 – Firmware upgrade from 0.5.17445 to 0.8.21602


Conclusion:
• we did not find any problems during the update procedure.
• downgrade to recommended version was possible
• downgrade to previous release was also possible
• we did not find any problems connecting the APs after rebooting (max two reboots)
• we did not find any problems with throughput and capacity of the APs
• we did not find any problems connecting the clients to the APs (limited number of lab clients)
• we did not find any problems with resolving DHCP and DNS (also ARP)
• we did not find any problems connecting to the cloud
• we did not find any problems with the client roaming
• we did not find any problems with client association, uplink and downlink
• we did not find any problems with the Bluetooth function (LBS)

 

C.03 Contract status
For the customers without a valid service contract (without a valid subscription SUB-MAN) for the affected products, Juniper/Mist states: "Please contact Mist Support at support@mist.com with any questions or concerns."


For the customers with a valid service contract (with a valid subscription SUB-MAN) for the affected products, Aeroaccess is allowed to deliver the recommended Firmware version per your request.


For the customers with valid Premium Service Contract (APS) for the affected products, Aeroaccess will offer proactive update procedures and support on the individual customer status.


C.04 Recommendation for Service units
In the case that the upgrade may fail and cause Hardware failure, you should have spare units available to cover your business-critical services. If your existing Contract with Aeroaccess does not cover Advanced Hardware Replacement (AHR) please contact our sales (sales@aeroaccess.de) to receive the quote for AHR service.


C.05 Deployment Phase 1
You should plan to deploy the new firmware update first in the Lab or in non-production critical environment. However, these vulnerabilities might also affect wireless client devices, and those nonJuniper/Mist devices should also have fixes for these vulnerabilities. Make sure that you test all your wireless client devices in this lab environment, to guarantee the internal operability.

For the customers with valid Premium Service Contract (APS) for the affected products, Aeroaccess will
offer individual testing with their configuration in Aeroaccess Lab.


C.06 Deployment Phase 2
Before you start final global deployment, you should prepare you environment for the update and be ready for a short network outage (global reboot of all APs).
If you need our direct phone support, please make sure before you start upgrade, that your contract covers this option. In other cases, please request a quote for Technical Service Engineer (TSE) support per hour (sales@aeroaccess.de).


For the customers with valid Premium Service Contract (APS) for the affected products, Aeroaccess will offer individual support windows to schedule deployment and to make sure that one of our TSE support you on this procedure. We will get in contact with you within next few days to discuss the complete approach and to define the time frame for the update.

 

For detailed descriptions and instructions of the different available upgrade procedures please contact our Support Team via
support@aeroaccess.de


Aeroaccess would be happy to provide support and give according guidance.
*In case you get an offer for direct manufacturer support, it's your responsibility and decision how to proceed.


top