CVE-2020-24587Use of a Broken or Risky Cryptographic Algorithm in Kernel

CWE-327Use of a Broken or Risky Cryptographic AlgorithmCWE-345Insufficient Verification of Data AuthenticityCWE-772Missing Release of Resource after Effective LifetimeCWE-99Resource InjectionCWE-326Inadequate Encryption Strength33 documents15 sources
Severity
2.6LOWNVD
OSV3.5
EPSS
0.5%
top 34.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
21
Linux KernelDebian Firmware-nonfreeDebian Linux+18 more
Timeline
PublishedMay 11
Latest updateMar 14

Description

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages22 packages

debiandebian/linux< firmware-nonfree 20210818-1 (bookworm)
NVDlinux/linux_kernel4.44.4.271+6
debiandebian/firmware-nonfree< firmware-nonfree 20210818-1 (bookworm)
Debianlinux/linux_kernel< 5.10.46-1+3
Ubuntulinux/linux_kernel< 4.15.0-151.157+1

Also affects: Debian Linux 9.0

🔴Vulnerability Details

10
GHSA
GHSA-gx7f-9hjx-j92p: The 8022022-05-24
OSV
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities2021-07-20
OSV
linux-kvm vulnerabilities2021-06-25
OSV
linux-oem-5.10 vulnerabilities2021-06-23
OSV
linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi vulnerabilities2021-06-23

📋Vendor Advisories

16
CISA ICS
Siemens SIMATIC2024-03-14
CISA ICS
Mitsubishi Electric GT25-WLAN (Update A)2022-04-12
Android
CVE-2020-24587: WLAN2021-10-01
CISA ICS
Hitachi ABB Power Grids TropOS2021-08-24
Ubuntu
Linux kernel vulnerabilities2021-07-20

🕵️Threat Intelligence

5
Krebs
Microsoft Patch Tuesday, May 2021 Edition2021-05-11
Qualys
Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical2021-05-11
Krebs
Microsoft Patch Tuesday, May 2021 Edition2021-05-11
Crowdstrike
May 2021 Patch Tuesday: Updates and Analysis
Crowdstrike
May 2021 Patch Tuesday: Updates and Analysis

💬Community

1
HackerOne
Fragmentation and Aggregation Flaws in Wi-Fi2021-07-23