CPSEC-486: Cradlepoint Wi-Fi Enabled Hardware Vulnerable to FragAttack (Wi-Fi Packet Fragmentation Vulnerabilities)

2021-05-21 20:28:13

SUMMARY:

Recently publicly disclosed vulnerabilities in how the Wi-Fi protocol handles packet fragmentation affect all Wi-Fi chipsets. Vendors have been releasing patches, and Cradlepoint R&D is engaging our Wi-Fi chipset vendors to integrate patches into NCOS. Exploitation of these vulnerabilities requires a threat actor to be within range of a device’s Wi-Fi network, which limits the attack surface and lowers the overall risk. Cradlepoint will update this alert as progress is made toward resolution.

Public Disclosure: https://www.fragattacks.com/

Affected Components: Cradlepoint hardware with Wi-Fi running any version of NCOS

Recommendations: Excerpt from fragattacks.com for unpatched devices

"First, it's always good to remember general security best practices: update your devices, don't reuse your passwords, make sure you have backups of important data, don't visit shady websites, and so on.

In regards to the discovered Wi-Fi vulnerabilities, you can mitigate attacks that exfiltrate sensitive data by double-checking that websites you are visiting use HTTPS. Even better, you can install the HTTPS Everywhere plugin. This plugin forces the usage of HTTPS on websites that are known to support it.

To mitigate attacks where your router's NAT/firewall is bypassed and devices are directly attacked, you must assure that all your devices are updated. Unfortunately, not all products regularly receive updates, in particular smart or internet-of-things devices, in which case it is difficult (if not impossible) to properly secure them.

More technically, the impact of attacks can also be reduced by manually configuring your DNS server so that it cannot be poisoned. Specific to your Wi-Fi configuration, you can mitigate attacks (but not fully prevent them) by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices."

NCOS does not currently support disabling fragmentation or pairwise rekeys. As a best practice, Cradlepoint recommends reducing the transmit power of Wi-Fi radios to prevent wireless signals from emanating outside of an organization.