CVE-2020-24587
Published: 2021-05-11
Priority: P4 · low · CVSS 3.1 base score 2.6 · vector AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS: 2.59% (83.4th percentile)
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
Affected
33 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | firmware-nonfree | < firmware-nonfree 20210818-1 (bookworm) | firmware-nonfree 20210818-1 (bookworm) |
| debian | linux | < firmware-nonfree 20210818-1 (bookworm) | firmware-nonfree 20210818-1 (bookworm) |
| android | — | — | — |
| linux | linux_kernel | >= 0 < 5.10.46-1 | 5.10.46-1 |
| linux | linux_kernel | >= 0 < 4.15.0-151.157 | 4.15.0-151.157 |
| linux | linux_kernel | >= 0 < 5.4.0-77.86 | 5.4.0-77.86 |
| linux | linux_kernel | >= 4.14 < 4.14.235 | 4.14.235 |
| linux | linux_kernel | >= 4.19 < 4.19.193 | 4.19.193 |
| linux | linux_kernel | >= 4.4 < 4.4.271 | 4.4.271 |
| linux | linux_kernel | >= 4.9 < 4.9.271 | 4.9.271 |
| linux | linux_kernel | >= 5.10 < 5.10.42 | 5.10.42 |
| linux | linux_kernel | >= 5.12 < 5.12.9 | 5.12.9 |
| linux | linux_kernel | >= 5.4 < 5.4.124 | 5.4.124 |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1803 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_10_version_2004 | — | — |
| msrc | windows_10_version_20h2 | — | — |
| msrc | windows_7 | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 2.6 | LOW | CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 1.8 | LOW | AV:A/AC:H/Au:N/C:P/I:N/A:N |
| osv | — | 3.5 | LOW | — |
| vendor_cisco | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 3.5 | LOW | — |
| vendor_debian | — | 2.6 | LOW | — |
| vendor_redhat | — | 2.6 | LOW | — |
GHSA · ghsa_unreviewed · 2022-05-24 · CVE-2020-24587 [MEDIUM] CWE-326
GHSA-gx7f-9hjx-j92p
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
OSV · 2021-07-20 · CVSS 3.5 · CVE-2021-33909 [LOW]
linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon vulnerabilities
It was discovered that the virtual file system implementation in the Linux
kernel contained an unsigned to signed integer conversion error. A local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2021-33909)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fra
OSV · 2021-06-25 · CVSS 3.5 · CVE-2021-3609 [LOW]
linux-kvm vulnerabilities
USN-5000-1 fixed vulnerabilities in the Linux kernel for Ubuntu
20.04 LTS and the Linux HWE kernel for Ubuntu 18.04 LTS. This update
provides the corresponding updates for the Linux KVM kernel for Ubuntu
20.04 LTS.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implement
OSV · 2021-06-23 · CVSS 3.5 · CVE-2021-3609 [LOW]
linux-oem-5.10 vulnerabilities
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issue to inject
packets or expose sensitive information. (CVE-2020-24586)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
incorrectly handled encrypted fragments. A physically proximate attacker
could possibly use this issue to decrypt fragments. (CVE-2020-24587)
Mathy Vanhoef discovered that the Linux kernel’s
OSV · 2021-06-23 · CVSS 3.5 · CVE-2021-3609 [LOW]
linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi vulnerabilities
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some
OSV · 2021-06-23 · CVSS 3.5 · CVE-2021-3609 [LOW]
linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4 vulnerabilities
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
Kernel · kernel_security · 2021-05-11 · CVSS 2.6 · CVE-2020-24587 [LOW]
ath11k: Clear the fragment cache during key install
Currently the fragment cache setup during peer assoc is
cleared only during peer delete. In case a key reinstallation
happens with the same peer, the same fragment cache with old
fragments added before key installation could be clubbed
with fragments received after. This might be exploited
to mix fragments of different data resulting in a proper
unintended reassembled packet to be passed up the stack.
Hence flush the fragment cache on every key installation to prevent
potential attacks (CVE-2020-24587).
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2
Cc: [email protected]
Signed-off-by: Sriram R
Signed-off-by: Jouni Malinen
Link: https://lore.kernel.org/r/20210511200110.218dc777836f.I9af6fc76215a35936c4
Kernel · kernel_security · 2021-05-11 · CVSS 3.5 · CVE-2020-24586 [LOW]
mac80211: prevent mixed key and fragment cache attacks
Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment
cache attacks (CVE-2020-24586). This is accomplished by assigning a
unique color to every key (per interface) and using this to track which
key was used to decrypt a fragment. When reassembling frames, it is
now checked whether all fragments were decrypted using the same key.
To assure that fragment cache attacks are also prevented, the ID that is
assigned to keys is unique even over (re)associations and (re)connects.
This means fragments separated by a (re)association or (re)connect will
not be reassembled. Because mac80211 now also prevents the reassembly of
mixed encrypted and plaintext fragments, all cache attacks are prevented.
Cc: [email protected]
Sig
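As an added illustration (not the kernel's code), the following Python model follows the two defences described in the ath11k and mac80211 commit messages above: every installed key gets a color that stays unique across (re)associations, the fragment cache is flushed on key install, and reassembly is refused when fragments were decrypted under different keys or mix plaintext with encrypted fragments. The Reassembler class, the drop-reason counters and the constructed fragment scenarios are assumptions of this model.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

# Process-wide color counter: never reset, so a color is unique even across
# (re)associations and (re)connects, as the mac80211 commit requires.
_KEY_COLORS = count(1)


@dataclass
class _Entry:
    key_color: Optional[int]   # color of the key that decrypted fragment 0 (None = plaintext)
    next_frag: int             # fragment number expected next
    parts: list = field(default_factory=list)


@dataclass
class Reassembler:
    """Per-station defragmentation cache (simplified model, not mac80211 code)."""
    cur_color: Optional[int] = None            # color of the currently installed key
    cache: dict = field(default_factory=dict)  # seq -> _Entry
    drops: dict = field(default_factory=dict)  # drop reason -> count (for logging/detection)

    def install_key(self, flush_cache: bool = True) -> int:
        """Install or reinstall a key. Flushing the cache is the ath11k fix;
        the fresh color is the mac80211 fix. Either alone blocks the
        mixed-key reassembly; flush_cache=False exercises the color check."""
        self.cur_color = next(_KEY_COLORS)
        if flush_cache:
            self.cache.clear()
        return self.cur_color

    def reassociate(self) -> None:
        """(Re)association tears down key state; cached fragments are discarded."""
        self.cur_color = None
        self.cache.clear()

    def _drop(self, reason: str) -> None:
        self.drops[reason] = self.drops.get(reason, 0) + 1
        return None

    def receive(self, seq: int, frag_no: int, more_frags: bool,
                payload: bytes, protected: bool = True) -> Optional[bytes]:
        """Feed one already-decrypted fragment. Returns the reassembled frame
        when the last fragment completes it, otherwise None."""
        if protected and self.cur_color is None:
            return self._drop("protected_frame_without_key")
        color = self.cur_color if protected else None   # plaintext gets no color

        if frag_no == 0:
            if not more_frags:
                return payload                           # unfragmented frame
            self.cache[seq] = _Entry(key_color=color, next_frag=1, parts=[payload])
            return None

        entry = self.cache.get(seq)
        if entry is None or entry.next_frag != frag_no:
            return self._drop("out_of_order_or_missing_first_fragment")
        if entry.key_color != color:
            # Fragments decrypted under different keys (CVE-2020-24587) or a
            # plaintext fragment mixed into an encrypted frame: discard it all.
            del self.cache[seq]
            return self._drop("key_color_mismatch")
        entry.parts.append(payload)
        if more_frags:
            entry.next_frag += 1
            return None
        del self.cache[seq]
        return b"".join(entry.parts)


# Constructed scenarios (sample inputs, not captured traffic).
def demo_same_key() -> Optional[bytes]:
    """All fragments under one key: reassembles normally."""
    rx = Reassembler()
    rx.install_key()
    rx.receive(seq=3, frag_no=0, more_frags=True, payload=b"frag0|")
    rx.receive(seq=3, frag_no=1, more_frags=True, payload=b"frag1|")
    return rx.receive(seq=3, frag_no=2, more_frags=False, payload=b"frag2")


def demo_rekey_mid_frame(flush_cache: bool):
    """Fragment 0 under the old key, key renewed, fragment 1 under the new key."""
    rx = Reassembler()
    rx.install_key()
    rx.receive(seq=7, frag_no=0, more_frags=True, payload=b"part-a|")
    rx.install_key(flush_cache=flush_cache)              # periodic key renewal
    return rx.receive(seq=7, frag_no=1, more_frags=False, payload=b"part-b"), dict(rx.drops)


def demo_mixed_plaintext():
    """Encrypted fragment 0 followed by an unprotected fragment 1."""
    rx = Reassembler()
    rx.install_key()
    rx.receive(seq=9, frag_no=0, more_frags=True, payload=b"enc|")
    return rx.receive(seq=9, frag_no=1, more_frags=False, payload=b"clear", protected=False), dict(rx.drops)


def demo_across_reassociation():
    """A fragment cached before (re)association never pairs with one after it."""
    rx = Reassembler()
    rx.install_key()
    rx.receive(seq=1, frag_no=0, more_frags=True, payload=b"old|")
    rx.reassociate()
    rx.install_key()
    return rx.receive(seq=1, frag_no=1, more_frags=False, payload=b"new"), dict(rx.drops)
```

The drop counters are the point for a defender: a rise in key_color_mismatch drops on a station is the observable signature of this condition, whereas the unpatched path would silently hand the mixed frame up the stack.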
OSV · 2021-05-11 · CVSS 2.6 · CVE-2020-24587 [LOW]
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
Kernel · kernel_security · 2021-05-11 · CVSS 3.5 · CVE-2020-24586 [LOW]
mac80211: extend protection against mixed key and fragment cache attacks
For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is
done by the hardware, and the Protected bit in the Frame Control field
is cleared in the lower level driver before the frame is passed to
mac80211. In such cases, the condition for ieee80211_has_protected() is
not met in ieee80211_rx_h_defragment() of mac80211 and the new security
validation steps are not executed.
Extend mac80211 to cover the case where the Protected bit has been
cleared, but the frame is indicated as having been decrypted by the
hardware. This extends protection against mixed key and fragment cache
attack for additional drivers/chips. This fixes CVE-2020-24586 and
CVE-2020-24587 for such cases.
Tested-on: QCA6174 hw3.2 PCI WLAN.
CISA ICS · cisa_ics · 2024-03-14
Siemens SIMATIC (ICS Advisory)
Release Date: March 14, 2024
Alert Code: ICSA-24-074-07
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SIMATIC
- Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Missing Encryption of Sensitive Data, Incorrect Permission Assignment for Critical Resource, Expected Beha
CISA ICS · cisa_ics · 2022-04-12 · CVSS 3.5 · [LOW]
Mitsubishi Electric GT25-WLAN (Update A) (ICS Advisory)
Archived content: in an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Last Revised: May 12, 2022
Alert Code: ICSA-22-102-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely
- Vendor: Mitsubishi Electric
- Equipment: Wireless LAN communication unit GT25-WLAN in GOT2000 Series GT25 or GT27
- Vulnerabilities: Improper Removal of Sensitive Information Before Storage or Transfer, Inadequate Encryption Strength, Missing Authentication for Critical Function, Injection, Improper Input Validation
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled IC
Android · vendor_android · 2021-10-01 · CVSS 2.6 · CVE-2020-24587 [LOW]
CVE-2020-24587: WLAN
Android Security Bulletin 2021-10-01
CVE: CVE-2020-24587
Severity: HIGH
Component: WLAN
References: A-175626671, QC-CR#2860131, QC-CR#2868012 *, QC-CR#2875946 [2], QC-CR#2875950, QC-CR#2874366
CISA ICS · cisa_ics · 2021-08-24 · CVSS 3.5 · [LOW]
Hitachi ABB Power Grids TropOS (ICS Advisory)
Archived content: in an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
Last Revised: August 24, 2021
Alert Code: ICSA-21-236-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Low attack complexity
- Vendor: Hitachi ABB Power Grids
- Equipment: TropOS
- Vulnerabilities: Injection, Inadequate Encryption Strength, Missing Authentication for Critical Function, Improper Authentication, Improper Validation of Integrity Check Value, Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to direct a client that is connected to a TropOS Wi-Fi access point
Ubuntu · vendor_ubuntu · 2021-07-20 · CVSS 3.5 · CVE-2021-0129 [LOW]
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
It was discovered that the virtual file system implementation in the Linux
kernel contained an unsigned to signed integer conversion error. A local
attacker could use this to cause a denial of service (system crash) or
execute arbitrary code. (CVE-2021-33909)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker c
Ubuntu · vendor_ubuntu · 2021-06-25 · CVSS 3.5 · CVE-2020-26145 [LOW]
Title: Linux kernel (KVM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-5000-1 fixed vulnerabilities in the Linux kernel for Ubuntu
20.04 LTS and the Linux HWE kernel for Ubuntu 18.04 LTS. This update
provides the corresponding updates for the Linux KVM kernel for Ubuntu
20.04 LTS.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code.
Ubuntu · vendor_ubuntu · 2021-06-25 · CVSS 3.5 · CVE-2020-26145 [LOW]
Title: Linux kernel (KVM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
USN-4997-1 fixed vulnerabilities in the Linux kernel for Ubuntu 21.04.
This update provides the corresponding updates for the Linux KVM
kernel for Ubuntu 21.04.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the L
Ubuntu · vendor_ubuntu · 2021-06-23 · CVSS 3.5 · CVE-2021-31440 [LOW]
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issu
Ubuntu · vendor_ubuntu · 2021-06-23 · CVSS 3.5 · CVE-2021-31440 [LOW]
Title: Linux kernel (OEM) vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issue to inject
packets or expose sensitive information. (CVE-2020-24586)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation
incorrectly handled encrypted fragments. A physically proximate attacker
could possibly use this issue to decrypt
Ubuntu · vendor_ubuntu · 2021-06-23 · CVSS 3.5 · CVE-2020-26139 [LOW]
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issu
Ubuntu · vendor_ubuntu · 2021-06-23 · CVSS 3.5 · CVE-2021-23134 [LOW]
Title: Linux kernel vulnerabilities
Summary: Several security issues were fixed in the Linux kernel.
Norbert Slusarek discovered a race condition in the CAN BCM networking
protocol of the Linux kernel leading to multiple use-after-free
vulnerabilities. A local attacker could use this issue to execute arbitrary
code. (CVE-2021-3609)
Piotr Krysiuk discovered that the eBPF implementation in the Linux kernel
did not properly enforce limits for pointer operations. A local attacker
could use this to cause a denial of service (system crash) or possibly
execute arbitrary code. (CVE-2021-33200)
Mathy Vanhoef discovered that the Linux kernel’s WiFi implementation did
not properly clear received fragments from memory in some situations. A
physically proximate attacker could possibly use this issu
Microsoft · vendor_msrc · 2021-05-11 · CVSS 6.5 · CVE-2020-24587 [LOW]
Windows Wireless Networking Information Disclosure Vulnerability
FAQ: What type of information could be disclosed by this vulnerability?
An attacker who successfully exploited this vulnerability could disclose the contents of encrypted wireless packets on an affected system.
Component: Windows Wireless Networking
Assigning CNA: MITRE Corporation
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely; DOS: N/A
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5003174
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5003171
Reference: https://support.microsoft.com/help/5003171
Reference: https://c
Cisco · vendor_cisco · 2021-05-11 · CVSS 6.5 · CVE-2020-24586 [MEDIUM] CWE-345
Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation was made public. This paper discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame fragmentation functionality, and the other nine are implementation vulnerabilities. These vulnerabilities could allow an attacker to forge encrypted frames, which could in turn enable the exfiltration of sensitive data from a targeted device.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link
Red Hat · vendor_redhat · 2021-05-11 · CVSS 2.6 · CVE-2020-24587 [LOW] CWE-345
kernel: Reassembling fragments encrypted under different keys
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
A flaw was found in the Linux kernel's WiFi implementation. An attacker within the wireless range can abuse a logic flaw in the WiFi implementation by reassembling packets from multiple fragments under different keys, treating them as valid. This flaw allows an attacker to send a fragment under an incorrect key, treating them as a valid fragment under the new key. The h
Debian · vendor_debian · 2020 · CVSS 2.6 · CVE-2020-24587 [LOW]
firmware-nonfree
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that all fragments of a frame are encrypted under the same key. An adversary can abuse this to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed.
Scope: local
bookworm: resolved (fixed in 20210818-1)
bullseye: open
forky: resolved (fixed in 20210818-1)
sid: resolved (fixed in 20210818-1)
trixie: resolved (fixed in 20210818-1)
Cisco · vendor_cisco · CVSS 3.1 · CVE-2020-24587
Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021
On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation was made public. This paper discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is in the frame aggregation functionality, two vulnerabilities are in the frame fragmentation functionality, and the other nine are implementation vulnerabilities. These vulnerabilities could allow an attacker to forge encrypted frames, which could in turn enable the exfiltration of sensitive data from a targeted device. This advisory will be updated as additional information becomes available. This advisory is available at the
No detection rules found.
No public exploits indexed.
HackerOne · hackerone · 2021-07-23 · CVSS 5.3 · CVE-2020-26140 [MEDIUM]
Fragmentation and Aggregation Flaws in Wi-Fi
I discovered three design flaws in the Wi-Fi standard and widespread related implementation flaws ([see GitHub overview and test tool](https://github.com/vanhoefm/fragattacks#fragattacks-fragmentation--aggregation-attacks)). **Here I'll specifically cover open source software**. These findings have not received bug bounties from other sources.
# Implementation flaws allowing trivial packet injection
- [CVE-2020-26140](https://nvd.nist.gov/vuln/detail/CVE-2020-26140): Accepting plaintext data frames in a protected network. This allows trivial packet injection. On a Linux client, the AWUS036H network card is vulnerable and two out of four Linux-based **home routers** were vulnerable. On **NetBSD access points**, three out of four tested networ
Krebs · blogs_krebs · 2021-05-11 · CVSS 7.5 · [HIGH]
Microsoft Patch Tuesday, May 2021 Edition
Microsoft today released fixes to plug at least 55 security holes in its Windows operating systems and other software. Four of these weaknesses can be exploited by malware and malcontents to seize complete, remote control over vulnerable systems without any help from users. On deck this month are patches to quash a wormable flaw, a creepy wireless bug, and yet another reason to call for the death of Microsoft’s Internet Explorer (IE) web browser.
While May brings about half the normal volume of updates from Microsoft, there are some notable weaknesses that deserve prompt attention, particularly from enterprises. By all accounts, the most pressing priority this month is CVE-2021-31166, a Windows 10 and Windows Server flaw which allows an unauthenticated attacker to remotely execute malici
Qualys · blogs_qualys · 2021-05-11 · CVSS 9.9 · CVE-2021-31181 [CRITICAL]
Microsoft & Adobe Patch Tuesday (May 2021) – Qualys covers 85 Vulnerabilities, 26 Critical
## Microsoft Patch Tuesday – May 2021
Microsoft patched 55 CVEs in their May 2021 Patch Tuesday release, of which 4 are rated as critical severity. Three 0-day vulnerability patches were included in the release. As of this publication date, none have been exploited.
Qualys released 12 QIDs on the same day, providing vulnerability detection and patch management coverage (where applicable) for all 55 CVEs and the related KBs.
## Critical Microsoft vulnerabilities patched:
CVE-2021-31181 – SharePoint Remote Code Execution Vulnerability
Microsoft released patches addressing a critical RCE vulnerability in SharePoint (CVE-2021-31181). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.
CVE-2021-31166 – HTTP Protocol Stack Remote Code
Crowdstrike · blogs_crowdstrike · CVSS 7.5 · CVE-2026-20929 [HIGH]
May 2021 Patch Tuesday: Updates and Analysis
References
- http://www.openwall.com/lists/oss-security/2021/05/11/12
- https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
- https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00002.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
- https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
- https://www.fragattacks.com
- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html