
2021-05 Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities related to aggregation and fragmentation attacks against Wi-Fi (FragAttacks)


Article ID: JSA11170 SECURITY_ADVISORIES Last Updated: 14 May 2021 Version: 7.0
Product Affected:
This issue affects Mist Access Point Firmware versions 0.5, 0.6, 0.7, 0.8, 0.9. Affected platforms: AP12, AP21, AP32, AP33, AP41, AP43, AP61, AP63. This issue affects Wi-Fi Mini-Physical Interface Module (Mini-PIM). Affected platforms: SRX Series.
Problem:

On May 11, 2021, the Industry Consortium for Advancement of Security on the Internet (ICASI) announced the coordinated disclosure of a series of vulnerabilities related to the functionality of Wi-Fi devices. The complete list of vulnerabilities appears below. Exploitation of these vulnerabilities may result in data exfiltration.

Of the issues listed below, only CVE-2020-24588 affects Juniper Networks Mist Access Points (APs). Successful exploitation of CVE-2020-24588 may allow an attacker to inject arbitrary network packets, which could be used to spoof servers and conduct man-in-the-middle (MITM) attacks in protected Wi-Fi networks, including WEP, WPA, WPA2, and WPA3.

This issue affects Juniper Networks Mist Access Point Firmware:

  • 0.5 versions prior to 0.5.17562 on AP21, AP41, AP61 Series;
  • 0.6 versions prior to 0.6.19227 on AP43, AP63 Series;
  • 0.7 versions prior to 0.7.20564 on AP41, AP43, AP61, AP63 Series;
  • 0.8 versions prior to 0.8.21602 on AP12, AP32, AP33, AP41, AP43, AP61, AP63 Series;
  • 0.9 versions prior to 0.9.22801 on AP12, AP32, AP33, AP41, AP43, AP61, AP63 Series.

Mist Access Points are not affected by any of the other vulnerabilities listed below. However, additional protective measures have been implemented to defend against the vulnerabilities identified as CVE-2020-24586 and CVE-2020-24587.

All of these vulnerabilities also affect the Wi-Fi Mini-Physical Interface Module (Mini-PIM) for branch SRX Series Services Gateways.

This issue was discovered during external security research.

The associated CVE IDs are as follows:

CVE Summary
CVE-2020-24586 Not clearing fragments from memory when (re)connecting to a network
CVE-2020-24587 Reassembling fragments encrypted under different keys
CVE-2020-24588 Accepting non-SPP A-MSDU frames
CVE-2020-26139 Forwarding EAPOL frames even though the sender is not yet authenticated
CVE-2020-26140 Accepting plaintext data frames in a protected network
CVE-2020-26141 Not verifying the TKIP MIC of fragmented frames
CVE-2020-26142 Processing fragmented frames as full frames
CVE-2020-26143 Accepting fragmented plaintext data frames in a protected network
CVE-2020-26144 Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
CVE-2020-26145 Accepting plaintext broadcast fragments as full frames (in an encrypted network)
CVE-2020-26146 Reassembling encrypted fragments with non-consecutive packet numbers
CVE-2020-26147 Reassembling mixed encrypted/plaintext fragments
Solution:
The following firmware versions for the Juniper Networks Mist Access Points have been updated to resolve this specific issue (CVE-2020-24588): 0.5.17562, 0.6.19227, 0.7.20564, 0.8.21602, 0.9.22801, and all subsequent releases.
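To check an AP inventory against the affected and fixed releases listed in this advisory, the following added example (not Juniper or Mist code) classifies each device for CVE-2020-24588. The `<train>.<build>` firmware string format, exact model-name matching, and the inventory rows are assumptions made for illustration.

```python
import re

# Fixed build and affected models per firmware train, transcribed from this advisory.
ADVISORY = {
    "0.5": (17562, {"AP21", "AP41", "AP61"}),
    "0.6": (19227, {"AP43", "AP63"}),
    "0.7": (20564, {"AP41", "AP43", "AP61", "AP63"}),
    "0.8": (21602, {"AP12", "AP32", "AP33", "AP41", "AP43", "AP61", "AP63"}),
    "0.9": (22801, {"AP12", "AP32", "AP33", "AP41", "AP43", "AP61", "AP63"}),
}
# Assumed firmware string format: <train>.<build>, e.g. 0.8.21602.
VERSION_RE = re.compile(r"^(\d+\.\d+)\.(\d+)$")


def assess(model, firmware):
    """Classify one AP against CVE-2020-24588 as listed in the advisory."""
    match = VERSION_RE.match(firmware.strip())
    if not match:
        return "unparseable"
    train, build = match.group(1), int(match.group(2))
    fixed_build, models = ADVISORY.get(train, (None, set()))
    if model.strip().upper() not in models:
        # Train or model/train pair the advisory does not name: review by hand.
        return "not-listed"
    # Compare builds as integers; as strings "9876" would sort after "17562".
    return "vulnerable" if build < fixed_build else "fixed"


def audit(inventory):
    """Map each AP name to its status and return the names needing an upgrade."""
    status = {name: assess(model, fw) for name, model, fw in inventory}
    return status, sorted(n for n, s in status.items() if s == "vulnerable")


# Constructed inventory rows (name, model, firmware); not real devices.
INVENTORY = [
    ("lobby", "AP41", "0.5.17562"),
    ("warehouse", "AP61", "0.5.9876"),
    ("lab", "AP43", "0.5.17000"),
    ("office-2f", "ap12", "0.9.22800"),
    ("roof", "AP63", "0.6.19300"),
    ("spare", "AP33", "unknown"),
]

if __name__ == "__main__":
    status, to_upgrade = audit(INVENTORY)
    for name, state in status.items():
        print(f"{name:10} {state}")
    print("upgrade:", ", ".join(to_upgrade))
```

A `not-listed` result means the advisory names no such train and model pair, so that device needs a manual check rather than being treated as safe.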
Workaround:

There are no known workarounds for this issue.
 

Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
For Mist platform firmware updates, please refer to https://www.mist.com/documentation/mist-security-advisory-fragattacks-and-faq
 
Modification History:
2021-05-11: Initial Publication.
2021-05-14: Updated fixed releases of firmware to include 0.9.22801.

CVSS Score:
5.7 (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
Severity Level:
Medium
Severity Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
  • The Juniper SIRT would like to thank Mathy Vanhoef of New York University Abu Dhabi for identifying these issues, reporting them to industry, and participating in the coordinated disclosure.
