Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1627.3
Multiple Vulnerabilities in Frame Aggregation and Fragmentation
Implementations of 802.11 Specification Affecting Cisco Products: May 2021
31 August 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Access Points
IP Phones
Webex series products
Operating System: Cisco
Impact/Access: Reduced Security -- Remote/Unauthenticated
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-26147 CVE-2020-26146 CVE-2020-26145
CVE-2020-26144 CVE-2020-26143 CVE-2020-26142
CVE-2020-26141 CVE-2020-26140 CVE-2020-26139
CVE-2020-24588 CVE-2020-24587 CVE-2020-24586
Reference: ASB-2021.0102
ESB-2021.1587
Original Bulletin:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
Revision History: August 31 2021: Vendor updated fixed release details for multiple products.
May 17 2021: Vendor updated affected product details
May 12 2021: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations
of 802.11 Specification Affecting Cisco Products: May 2021
Priority: Medium
Advisory ID: cisco-sa-wifi-faf-22epcEWu
First Published: 2021 May 11 18:00 GMT
Last Updated: 2021 August 30 19:06 GMT
Version 1.7: Interim
Workarounds: No workarounds available
Cisco Bug IDs: CSCvx24420 CSCvx24423 CSCvx24425 CSCvx24428 CSCvx24439
CSCvx24440 CSCvx24441 CSCvx24449 CSCvx24452 CSCvx24456
CSCvx60997 CSCvx61001 CSCvx61012 CSCvx61020 CSCvx62876
CSCvx62884 CSCvx62886 CSCvx89821 CSCvy32680 CSCvy32690
CSCvy32694
CVE Names: CVE-2020-24586 CVE-2020-24587 CVE-2020-24588 CVE-2020-26139
CVE-2020-26140 CVE-2020-26141 CVE-2020-26142 CVE-2020-26143
CVE-2020-26144 CVE-2020-26145 CVE-2020-26146 CVE-2020-26147
CWEs: CWE-345 CWE-772 CWE-99
Summary
o On May 11, 2021, the research paper Fragment and Forge: Breaking Wi-Fi
Through Frame Aggregation and Fragmentation was made public. This paper
discusses 12 vulnerabilities in the 802.11 standard. One vulnerability is
in the frame aggregation functionality, two vulnerabilities are in the
frame fragmentation functionality, and the other nine are implementation
vulnerabilities. These vulnerabilities could allow an attacker to forge
encrypted frames, which could in turn enable the exfiltration of sensitive
data from a targeted device.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
Affected Products
o Cisco is investigating its product line to determine which products may be
affected by these vulnerabilities. As the investigation progresses, Cisco
will update this advisory with information about affected products.
Vulnerable Products
The following table lists Cisco products that are affected by the
vulnerabilities that are described in this advisory. If a future release
date is indicated for software, the date provided represents an estimate
based on all information known to Cisco as of the Last Updated date at the
top of the advisory. Availability dates are subject to change based on a
number of factors, including satisfactory testing results and delivery of
other priority features and fixes. If no version or date is listed for an
affected component (indicated by a blank field and/or an advisory
designation of Interim), Cisco is continuing to evaluate the fix and will
update the advisory as additional information becomes available. After the
advisory is marked Final, customers should refer to the associated Cisco
bug(s) for further details.
CVE ID Cisco Bug ID Fixed Release Availability
Aironet 1532 APs, AP803 Integrated AP on IR829 Industrial Integrated
Services Routers
CVE-2020-24586 Under evaluation N/A
CVE-2020-24587 Under evaluation N/A
CVE-2020-24588 Under evaluation N/A
CVE-2020-26139 Under evaluation N/A
CVE-2020-26140 Under evaluation N/A
CVE-2020-26141 Under evaluation N/A
CVE-2020-26142 Under evaluation N/A
CVE-2020-26143 Under evaluation N/A
CVE-2020-26144 Under evaluation N/A
CVE-2020-26145 Under evaluation N/A
CVE-2020-26146 Under evaluation N/A
CVE-2020-26147 Under evaluation N/A
Aironet 1542 APs, Aironet 1810 APs, Aironet 1815 APs, Aironet 1832 APs,
Aironet 1842 APs, Aironet 1852 APs, Aironet 1800i APs
CVE-2020-24586 Not affected N/A
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-24587 CSCvx24420 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-24588 CSCvx24420 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-26139 CSCvx24420 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-26140 Not affected N/A
CVE-2020-26141 Not affected N/A
CVE-2020-26142 Not affected N/A
CVE-2020-26143 Not affected N/A
CVE-2020-26144 Not affected N/A
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-26145 CSCvx24420 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-26146 CSCvx24420 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-26147 Not affected N/A
Aironet 1552 APs, Aironet 1552H APs, Aironet 1572 APs, Aironet 1702 APs,
Aironet 2702 APs, Aironet 3702 APs, IW 3702 APs
8.5MR8 (Aug 2021)
CVE-2020-24586 CSCvy32680 8.10MR6 (Jul 2021)
16.12.6 (Aug 2021)
17.3.4
8.5MR8 (Aug 2021)
CVE-2020-24587 CSCvy32680 8.10MR6 (Jul 2021)
16.12.6 (Aug 2021)
17.3.4
CVE-2020-24588 Not affected N/A
CVE-2020-26139 Not affected N/A
CVE-2020-26140 Not affected N/A
CVE-2020-26141 Not affected N/A
CVE-2020-26142 Not affected N/A
CVE-2020-26143 Not affected N/A
CVE-2020-26144 Not affected N/A
CVE-2020-26145 Not affected N/A
CVE-2020-26146 Not affected N/A
CVE-2020-26147 Not affected N/A
Aironet 1560 Series APs, Aironet 2800 Series APs, Aironet Series 3800 APs,
Aironet Series 4800 APs, Catalyst IW 6300 APs, 6300 Series Embedded
Services APs (ESW6300)
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-24586 CSCvx24449 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-24587 CSCvx24449 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-24588 Not affected N/A
CVE-2020-26139 Not affected N/A
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-26140 CSCvy36698 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-26141 Not affected N/A
CVE-2020-26142 Not affected N/A
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-26143 CSCvy36698 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-26144 Not affected N/A
CVE-2020-26145 Not affected N/A
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-26146 CSCvy36698 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.5MR8 (Aug 2021)
8.10MR6 (Jul 2021)
CVE-2020-26147 CSCvy36698 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
Catalyst 9105 APs, Catalyst 9115 APs, Catalyst 9120 APs, Integrated AP on
1100 Integrated Services Routers
8.10MR6 (Jul 2021)
CVE-2020-24586 CSCvx24425 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.10MR6 (Jul 2021)
CVE-2020-24587 CSCvx24425 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.10MR6 (Jul 2021)
CVE-2020-24588 CSCvx24425 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-26139 Not affected N/A
CVE-2020-26140 Not affected N/A
CVE-2020-26141 Not affected N/A
CVE-2020-26142 Not affected N/A
CVE-2020-26143 Not affected N/A
CVE-2020-26144 Not affected N/A
CVE-2020-26145 Not affected N/A
CVE-2020-26146 Not affected N/A
CVE-2020-26147 Not affected N/A
Catalyst 9117 APs
8.10MR6 (Jul 2021)
CVE-2020-24586 CSCvx24439 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.10MR6 (Jul 2021)
CVE-2020-24587 CSCvx24439 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.10MR6 (Jul 2021)
CVE-2020-24588 CSCvx24439 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.10MR6 (Jul 2021)
CVE-2020-26139 CSCvx24439 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-26140 Not affected N/A
CVE-2020-26141 Not affected N/A
CVE-2020-26142 Not affected N/A
CVE-2020-26143 Not affected N/A
8.10MR6 (Jul 2021)
CVE-2020-26144 CSCvx24439 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.10MR6 (Jul 2021)
CVE-2020-26145 CSCvx24439 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
8.10MR6 (Jul 2021)
CVE-2020-26146 CSCvx24439 16.12.6 (Aug 2021)
17.3.4
17.6.1 (Jul 2021)
CVE-2020-26147 Not affected N/A
Catalyst 9124 APs ^1 , Catalyst 9130 APs
CSCvx24428 8.10MR6 (Jul 2021)
CVE-2020-24586 CSCvx24452 16.12.6 (Aug 2021)
CSCvx24456 17.3.4
17.6.1 (Jul 2021)
CSCvx24428 8.10MR6 (Jul 2021)
CVE-2020-24587 CSCvx24452 16.12.6 (Aug 2021)
CSCvx24456 17.3.4
17.6.1 (Jul 2021)
CSCvx24428 8.10MR6 (Jul 2021)
CVE-2020-24588 CSCvx24452 16.12.6 (Aug 2021)
CSCvx24456 17.3.4
17.6.1 (Jul 2021)
CSCvx24428 8.10MR6 (Jul 2021)
CVE-2020-26139 CSCvx24452 16.12.6 (Aug 2021)
CSCvx24456 17.3.4
17.6.1 (Jul 2021)
CVE-2020-26140 Not affected N/A
CVE-2020-26141 Not affected N/A
CVE-2020-26142 Not affected N/A
CVE-2020-26143 Not affected N/A
CSCvx24428 8.10MR6 (Jul 2021)
CVE-2020-26144 CSCvx24452 16.12.6 (Aug 2021)
CSCvx24456 17.3.4
17.6.1 (Jul 2021)
CSCvx24428 8.10MR6 (Jul 2021)
CVE-2020-26145 CSCvx24452 16.12.6 (Aug 2021)
CSCvx24456 17.3.4
17.6.1 (Jul 2021)
CSCvx24428 8.10MR6 (Jul 2021)
CVE-2020-26146 CSCvx24452 16.12.6 (Aug 2021)
CSCvx24456 17.3.4
17.6.1 (Jul 2021)
CVE-2020-26147 Not affected N/A
1. Catalyst 9124 APs were not supported until Release 17.5, and the fix
will be available in Release 17.6.1
Meraki GR10, GR60, MR20, MR30H, MR33, MR36, MR42, MR42E, MR44, MR45, MR46,
MR46E, MR52, MR53, MR53E, MR55, MR56, MR70, MR74, MR76, MR84, MR86
CVE-2020-24586 No bug ID MR 27.7.1
CVE-2020-24587 No bug ID MR 27.7.1
CVE-2020-24588 No bug ID MR 27.7.1
CVE-2020-26139 No bug ID MR 27.7.1
CVE-2020-26140 No bug ID MR 27.7.1
CVE-2020-26141 No bug ID MR 27.7.1
CVE-2020-26142 No bug ID MR 27.7.1
CVE-2020-26143 No bug ID MR 27.7.1
CVE-2020-26144 No bug ID MR 27.7.1
CVE-2020-26145 No bug ID MR 27.7.1
CVE-2020-26146 No bug ID MR 27.7.1
CVE-2020-26147 No bug ID MR 27.7.1
Meraki MR12, MR18, MR26, MR32, MR34, MR62, MR66, MR72
CVE-2020-24586 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-24587 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-24588 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26139 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26140 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26141 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26142 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26143 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26144 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26145 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26146 No bug ID MR 26.8.3 (Dec 2021)
CVE-2020-26147 No bug ID MR 26.8.3 (Dec 2021)
Meraki MX64W, MX65W, MX67W, MX67CW, MX68W, MX68CW, Z3, Z3C ^1
CVE-2020-24586 No bug ID MX 17.0 (Oct 2021)
CVE-2020-24587 No bug ID MX 17.0 (Oct 2021)
CVE-2020-24588 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26139 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26140 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26141 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26142 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26143 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26144 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26145 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26146 No bug ID MX 17.0 (Oct 2021)
CVE-2020-26147 No bug ID MX 17.0 (Oct 2021)
1. Cisco will not fix these vulnerabilities in the following Cisco Meraki
products: MX60W and Z1
IP Phone 8861, IP Phone 8865, and IP Conference Phone 8832
CVE-2020-24586 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-24587 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-24588 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26139 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26140 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26141 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26142 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26143 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26144 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26145 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26146 CSCvx60997 14.1(1) (Nov 2021)
CVE-2020-26147 CSCvx60997 14.1(1) (Nov 2021)
IP Phone 6861 and IP Phone 8861 Running Third-Party Call Control (3PCC)
Software
CVE-2020-24586 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-24587 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-24588 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26139 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26140 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26141 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26142 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26143 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26144 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26145 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26146 CSCvx61001 11.3(5) (Sep 2021)
CVE-2020-26147 CSCvx61001 11.3(5) (Sep 2021)
Wireless IP Phone 8821
CVE-2020-24586 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-24587 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-24588 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26139 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26140 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26141 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26142 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26143 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26144 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26145 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26146 CSCvx61012 11.0(6)SR2 (Oct 2021)
CVE-2020-26147 CSCvx61012 11.0(6)SR2 (Oct 2021)
Webex Desk Series and Webex Room Series
CVE-2020-24586 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-24587 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-24588 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26139 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26140 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26141 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26142 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26143 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26144 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26145 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26146 CSCvx89821 1.2(0)SR1 (Aug 2021)
CVE-2020-26147 CSCvx89821 1.2(0)SR1 (Aug 2021)
Webex Board Series
CVE-2020-24586 CSCvx61020 Release no. TBD
CVE-2020-24587 CSCvx61020 Release no. TBD
CVE-2020-24588 CSCvx61020 Release no. TBD
CVE-2020-26139 CSCvx61020 Release no. TBD
CVE-2020-26140 CSCvx61020 Release no. TBD
CVE-2020-26141 CSCvx61020 Release no. TBD
CVE-2020-26142 CSCvx61020 Release no. TBD
CVE-2020-26143 CSCvx61020 Release no. TBD
CVE-2020-26144 CSCvx61020 Release no. TBD
CVE-2020-26145 CSCvx61020 Release no. TBD
CVE-2020-26146 CSCvx61020 Release no. TBD
CVE-2020-26147 CSCvx61020 Release no. TBD
Webex Wireless Phone 840 and 860
CVE-2020-24586 CSCvx62886 Release no. TBD
CVE-2020-24587 CSCvx62886 Release no. TBD
CVE-2020-24588 CSCvx62886 Release no. TBD
CVE-2020-26139 CSCvx62886 Release no. TBD
CVE-2020-26140 CSCvx62886 Release no. TBD
CVE-2020-26141 CSCvx62886 Release no. TBD
CVE-2020-26142 CSCvx62886 Release no. TBD
CVE-2020-26143 CSCvx62886 Release no. TBD
CVE-2020-26144 CSCvx62886 Release no. TBD
CVE-2020-26145 CSCvx62886 Release no. TBD
CVE-2020-26146 CSCvx62886 Release no. TBD
CVE-2020-26147 CSCvx62886 Release no. TBD
Products Confirmed Not Vulnerable
Only products listed in the Vulnerable Products section of this advisory
are known to be affected by this vulnerability.
Details
o The vulnerabilities are not dependent on one another. Exploitation of one
of the vulnerabilities is not required to exploit another vulnerability. In
addition, a software release that is affected by one of the vulnerabilities
may not be affected by the other vulnerabilities.
For a description of the following vulnerabilities, see Fragment and Forge:
Breaking Wi-Fi Through Frame Aggregation and Fragmentation .
For additional information, see FragAttacks .
CVE-2020-26140: Accepting plaintext data frames in a protected network
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-26143: Accepting fragmented plaintext data frames in a protected
network
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an
RFC1042 header with EtherType EAPOL (in an encrypted network)
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in
an encrypted network)
Security Impact Rating (SIR): Medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a
network
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2020-24588: Accepting non-SPP A-MSDU frames
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet
authenticated
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2020-26142: Processing fragmented frames as full frames
Security Impact Rating (SIR): Medium
CVSS Base Score: 5.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2020-24587: Reassembling fragments encrypted under different keys
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.8
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2020-26146: Reassembling encrypted fragments with non-consecutive
packet numbers
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.8
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments
Security Impact Rating (SIR): Medium
CVSS Base Score: 4.8
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Workarounds
o There are no workarounds that address these vulnerabilities.
Fixed Software
o For information about fixed software releases , consult the Cisco bugs
identified in the Vulnerable Products section of this advisory.
When considering software upgrades , customers are advised to regularly
consult the advisories for Cisco products, which are available from the
Cisco Security Advisories page , to determine exposure and a complete
upgrade solution.
In all cases, customers should ensure that the devices to be upgraded
contain sufficient memory and confirm that current hardware and software
configurations will continue to be supported properly by the new release.
If the information is not clear, customers are advised to contact the Cisco
Technical Assistance Center (TAC) or their contracted maintenance
providers.
Exploitation and Public Announcements
o The Cisco Product Security Incident Response Team (PSIRT) is aware that
proof-of-concept exploit code is available for the vulnerabilities that are
described in this advisory.
The Cisco PSIRT is not aware of any malicious use of the vulnerabilities
that are described in this advisory.
Source
o These vulnerabilities were reported to Cisco by Dr. Mathy Vanhoef of New
York University Abu Dhabi. Cisco would like to thank Dr. Vanhoef for his
continued help and support during the handling of these vulnerabilities.
Cisco Security Vulnerability Policy
o To learn about Cisco security vulnerability disclosure policies and
publications, see the Security Vulnerability Policy . This document also
contains instructions for obtaining fixed software and receiving security
vulnerability information from Cisco.
URL
o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
Revision History
o +---------+--------------------------+------------+---------+-------------+
| Version | Description | Section | Status | Date |
+---------+--------------------------+------------+---------+-------------+
| | Updated fixed release | Vulnerable | | |
| 1.7 | details for multiple | Products | Interim | 2021-AUG-30 |
| | products. | | | |
+---------+--------------------------+------------+---------+-------------+
| | Added additional fixed | Vulnerable | | |
| 1.6 | releases for Meraki | Products | Interim | 2021-JUL-13 |
| | products. | | | |
+---------+--------------------------+------------+---------+-------------+
| 1.5 | Update affected | Vulnerable | Interim | 2021-JUN-02 |
| | products. | Products | | |
+---------+--------------------------+------------+---------+-------------+
| 1.4 | Added additional fixed | Vulnerable | Interim | 2021-MAY-19 |
| | releases. | Products | | |
+---------+--------------------------+------------+---------+-------------+
| 1.3 | Added additional | Vulnerable | Interim | 2021-MAY-17 |
| | affected products. | Products | | |
+---------+--------------------------+------------+---------+-------------+
| 1.2 | Added additional | Vulnerable | Interim | 2021-MAY-14 |
| | affected products. | Products | | |
+---------+--------------------------+------------+---------+-------------+
| 1.1 | Updated affected Meraki | Vulnerable | Interim | 2021-MAY-11 |
| | MR products. | Products | | |
+---------+--------------------------+------------+---------+-------------+
| 1.0 | Initial public release. | - | Interim | 2021-MAY-11 |
+---------+--------------------------+------------+---------+-------------+
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYS18ruNLKJtyKPYoAQiazw/5AXHzGTpMYxQINUkmA7WPaeS6jWTjL/hY
3cMoLmCkm9OHfGx9XzPCxmQrfEZewQJahYASqwdED86FHmi3PUH3RrKIYr12Ziw4
DaZms4wLbYsSAoJZpQwYnMtUBUF7OhpDF3tOi4iDMXqvuRDz41xTZ0pp5AZ7Rey0
gNeblhNoJC1k9q8Y/3xl3MqVjaxp0gCnQwWtpD+jQHbBPm5/fG93J39ppsHGFGX0
8l+U6scJdfEGJRruNg7Ah0ZEGWnG8IXA5SDIlok8mlxowfsfDNZjbCoUOKM12Cot
aBD5GwTKVVb5AMcUj61qL0A4B18rqZuudC29aLXlpWzD3zjlBeGi+vq1syAIpmOo
8T2XJJzOll66oHVrtny8O+hLledxcIPlP7m9gZmfs8HYtcau+t+cdhoVoJkLJ/Mp
Kg9ACoMtaKnOOSE+SyCNeh22jCLgNx67hIRBVH7tAGCH/azlvl2jnqfvAKYfS80t
F3KSF5VPWov11RCY108HZwdgeUn93wwnntau8fc5C63i+sRZD06jY3Yyu5dQkIDj
bNzA/YWwgM6tXTFJwkxgspDxrazGLT7WK7wJiWASD9QpZEc/X6ao3omAwuJOgL29
YQLn6bVFg7rNCvSp5+mM9ENUm3xMinvjG4z9GD7xfbAQVpts8JJfD8y7p55AsdWt
C3Lpswyzmms=
=PTDQ
-----END PGP SIGNATURE-----