Fragmentation and aggregation attacks (FragAttacks) are WLAN vulnerabilities discovered by Mathy Vanhoef, who maintains a dedicated webpage with more information about them. Three of these vulnerabilities are design flaws in the 802.11 specification, and they are probably as old as the 802.11 specification itself. Aggregation was added in 802.11n, which means that vulnerability has been in the design for over 10 years. The other nine vulnerabilities are implementation flaws. As the name implies, these flaws are triggered by fragmentation and aggregation anomalies. One of the implementation flaws is similar to a flaw found with the Defensics® FuzzBox 802.11 test suites.
The worst of the design flaws allows an aggregation attack in which an attacker can inject extra packets into WLAN frames. It requires either that the victim is tricked into accessing a machine the attacker controls on the internet side, or that the victim's access point contains a vulnerability that allows it to forward EAPOL frames. The attack then modifies the victim's DNS configuration by sending an ICMPv6 router advertisement.
The fragmentation design flaws allow frame fragments to be reassembled incorrectly. These two vulnerabilities currently have no practical exploitation because they require the client to use fragmentation, which is not that common. Fragmentation is, however, used with Wi-Fi 6.
Four of the nine implementation flaws involve sending plaintext frames into an encrypted network. One of the implementation flaws is similar to a CVE that Synopsys discovered using Defensics test suites. The USB dongle in which that vulnerability was found contains the same chipset as the access points Synopsys used in its tests, which highlights the complexity of WLAN and how many devices are out there. When Synopsys found these plaintext vulnerabilities, the main focus was on the access point side, and because most access points run Linux, Windows Wi-Fi drivers and the client side were not studied.
One of the plaintext attacks broadcast fragments that were parsed as full frames in an encrypted network. Another was almost identical: plaintext frame fragments were parsed as full frames in an encrypted network. The third plaintext attack added an EtherType to an EAPOL frame, which was then handled as an encrypted frame. These plaintext frames are trivial to inject and can be used in exploits.
The remaining five FragAttacks involve mixed fragments, some encrypted and some plaintext; processing fragmented frames as full frames; and forwarding EAPOL frames without checking the MIC under the TKIP cipher suite (WPA1). All are severe vulnerabilities, and any one of them should be enough to necessitate an update to the firmware and drivers of wireless LAN equipment.
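As an added illustration of the plaintext-frame and mixed-fragment anomalies described above, the Python below is example code written for this page; it is not Synopsys or Vanhoef code and is not part of the Defensics test suites. It parses the 802.11 MAC header of captured data frames and, for a BSS that is assumed to be known to use encryption, flags plaintext data frames, plaintext EAPOL fragments, broadcast fragments, and fragment series whose Protected bit changes between fragments. The capture, the AP and client addresses, and the bytes standing in for ciphertext are all constructed; decrypting frames and verifying MICs or replay counters is out of scope.

```python
import struct
from dataclasses import dataclass

TYPE_DATA = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header with EtherType 0x888E (EAPOL)
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")   # LLC/SNAP header with EtherType 0x0800 (IPv4)

def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

@dataclass
class Dot11Header:
    ftype: int
    to_ds: bool
    from_ds: bool
    more_frag: bool
    protected: bool
    addr1: str
    addr2: str
    addr3: str
    seq: int
    frag: int
    body: bytes  # bytes after the MAC header: CCMP/TKIP header + ciphertext, or plaintext LLC/SNAP

def parse_frame(frame: bytes) -> Dot11Header:
    """Decode Frame Control, the three address fields and Sequence Control (HT Control is not handled)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    seqctl = struct.unpack_from("<H", frame, 22)[0]
    offset = 24 + (6 if to_ds and from_ds else 0)  # Address 4 is present only in 4-address (WDS) frames
    if ftype == TYPE_DATA and subtype & 0x8:         # QoS data subtypes carry a 2-byte QoS Control field
        offset += 2
    return Dot11Header(ftype, to_ds, from_ds, bool(fc1 & 0x04), bool(fc1 & 0x40),
                       _mac_str(frame[4:10]), _mac_str(frame[10:16]), _mac_str(frame[16:22]),
                       seqctl >> 4, seqctl & 0xF, frame[offset:])

def bssid_of(h: Dot11Header):
    """The BSSID's address slot depends on To DS / From DS; 4-address frames carry none."""
    if h.to_ds != h.from_ds:
        return h.addr1 if h.to_ds else h.addr2
    return None if h.to_ds else h.addr3

def audit_frames(frames, protected_bssids):
    """Return [(frame_index, finding)] for data frames on BSSs known to use encryption."""
    findings = []
    series_protected = {}  # (sender, sequence number) -> Protected bit of the first fragment seen
    for i, raw in enumerate(frames):
        h = parse_frame(raw)
        if h.ftype != TYPE_DATA or bssid_of(h) not in protected_bssids or not h.body:
            continue  # management frames, other networks and null-data frames are out of scope
        fragmented = h.more_frag or h.frag > 0
        if not h.protected:
            if h.body.startswith(LLC_SNAP_EAPOL):
                if fragmented:  # unfragmented plaintext EAPOL is the normal 4-way handshake
                    findings.append((i, "PLAINTEXT_EAPOL_FRAGMENT"))
            else:
                findings.append((i, "PLAINTEXT_DATA"))
        if fragmented and h.addr1 == BROADCAST:
            findings.append((i, "BROADCAST_FRAGMENT"))  # only individually addressed MSDUs are fragmented
        if fragmented:
            key = (h.addr2, h.seq)
            if series_protected.setdefault(key, h.protected) != h.protected:
                findings.append((i, "MIXED_FRAGMENT_PROTECTION"))
            if not h.more_frag:
                series_protected.pop(key, None)  # last fragment: the series is complete
    return findings

def build_data_frame(addr1, addr2, addr3, seq, frag, body, to_ds=False, from_ds=False,
                     more_frag=False, protected=False) -> bytes:
    """Assemble a non-QoS 3-address data frame; used here only to construct sample input."""
    fc1 = (to_ds << 0) | (from_ds << 1) | (more_frag << 2) | (protected << 6)
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return (bytes([TYPE_DATA << 2, fc1]) + struct.pack("<H", 0) + mac(addr1) + mac(addr2)
            + mac(addr3) + struct.pack("<H", (seq << 4) | frag) + body)

AP, STA = "02:00:00:00:01:00", "02:00:00:00:02:00"  # constructed addresses
SAMPLE_FRAMES = [  # constructed capture; frame 1's body stands in for a CCMP header plus ciphertext
    build_data_frame(STA, AP, AP, 1, 0, LLC_SNAP_EAPOL + b"\x02\x03\x00\x5f" + bytes(8), from_ds=True),
    build_data_frame(AP, STA, AP, 10, 0, bytes(range(16)), to_ds=True, more_frag=True, protected=True),
    build_data_frame(AP, STA, AP, 10, 1, LLC_SNAP_IPV4 + b"second fragment", to_ds=True),
    build_data_frame(BROADCAST, AP, AP, 20, 0, LLC_SNAP_IPV4 + b"bcast", from_ds=True, more_frag=True),
    build_data_frame(AP, STA, AP, 30, 0, LLC_SNAP_EAPOL + b"\x02\x03\x00\x10", to_ds=True, more_frag=True),
]

def run_sample():
    """Audit the constructed capture with the AP as the only BSS known to use encryption."""
    return audit_frames(SAMPLE_FRAMES, {AP})

if __name__ == "__main__":
    for index, finding in run_sample():
        print(f"frame {index}: {finding}")
```

The check is deliberately header-only so it can run over a monitor-mode capture without the network's keys; that is the kind of instrumentation a test setup needs when a device under test keeps running normally after accepting a bad frame. Unfragmented plaintext EAPOL is exempted because the 4-way handshake is legitimately sent unprotected, whereas a fragmented plaintext EAPOL frame on an encrypted network is exactly the anomaly worth raising.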
The Synopsys FuzzBox 802.11 test suites were able to detect the FragAttack that sends plaintext into an encrypted network. Vulnerabilities like FragAttacks are often challenging to detect via fuzzing because they do not make the system under test reboot or stop functioning; instead, the system behaves as if nothing has happened. To detect FragAttacks, QA teams need to apply good instrumentation. Defensics test suites have a feature called SafeGuard that can be used to detect vulnerabilities like these, and the Defensics FuzzBox 802.11 test suites have already found parts of FragAttacks using it. Synopsys is continually improving its state-of-the-art WLAN test suites to find more unknown high-impact vulnerabilities.