CVE-2020-24587
vulnerability analysis and mitigation

Overview

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) contains a design flaw where fragments of a frame are not required to be encrypted under the same key. This vulnerability (CVE-2020-24587) was discovered by Mathy Vanhoef and disclosed on May 11, 2021. The flaw affects the frame fragmentation feature of Wi-Fi and impacts most Wi-Fi devices using WEP, WPA, WPA2, or WPA3 security protocols (FragAttacks, USENIX Paper).

Technical details

When Wi-Fi devices reassemble fragmented packets, they do not verify that all fragments were encrypted using the same key. An adversary can abuse this vulnerability to decrypt selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP encryption key is periodically renewed. The vulnerability received a CVSS v3.1 Base Score of 2.6 (Low) with vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N (NVD).

Impact

An attacker within range of a Wi-Fi network could potentially exploit this vulnerability to exfiltrate selected fragments of data when specific conditions are met: the target must be sending fragmented frames and the network must be using periodic key renewal. The impact is considered theoretical since these conditions are rare in practice (FragAttacks).

Mitigation and workarounds

The vulnerability can be fixed in a backwards-compatible manner by only reassembling fragments that were decrypted using the same key. Users are advised to ensure their devices have the latest security updates installed. For unpatched devices, attacks can be partially mitigated by disabling fragmentation, disabling pairwise rekeys, and disabling dynamic fragmentation in Wi-Fi 6 (802.11ax) devices (FragAttacks).
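The same-key reassembly rule described above can be sketched as follows. This is an added example, not code from the FragAttacks research or from any vendor patch; all names (frag_entry, frag_rx, key_id) are hypothetical, and it assumes each installed key instance gets a key_id that changes on every rekey.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified model of one reassembly-cache slot. */
#define MAX_MSDU 2304

enum frag_result { FRAG_PENDING, FRAG_COMPLETE, FRAG_DROP };

struct frag_entry {
    int      in_use;
    uint16_t seq;        /* 802.11 sequence number being reassembled */
    uint8_t  next_frag;  /* fragment number expected next */
    uint32_t key_id;     /* key instance that decrypted fragment 0 (assumed unique per rekey) */
    size_t   len;
    uint8_t  buf[MAX_MSDU];
};

/* Feed one already-decrypted fragment into the slot. */
enum frag_result frag_rx(struct frag_entry *e, uint16_t seq, uint8_t frag_no,
                         int more_frags, uint32_t key_id,
                         const uint8_t *data, size_t n)
{
    if (frag_no == 0) {                  /* first fragment starts a fresh entry */
        memset(e, 0, sizeof(*e));
        e->in_use = 1;
        e->seq = seq;
        e->key_id = key_id;              /* remember which key protected it */
    } else if (!e->in_use || e->seq != seq || e->next_frag != frag_no) {
        e->in_use = 0;                   /* unknown or out-of-order fragment */
        return FRAG_DROP;
    } else if (e->key_id != key_id) {
        e->in_use = 0;                   /* mixed keys: refuse to reassemble */
        return FRAG_DROP;
    }
    if (n > MAX_MSDU - e->len) {         /* bounds check before copying */
        e->in_use = 0;
        return FRAG_DROP;
    }
    memcpy(e->buf + e->len, data, n);
    e->len += n;
    e->next_frag = (uint8_t)(frag_no + 1);
    if (more_frags)
        return FRAG_PENDING;
    e->in_use = 0;                       /* caller reads e->buf and e->len */
    return FRAG_COMPLETE;
}
```

Dropping the whole partial frame on a key mismatch, rather than only the offending fragment, keeps fragments received before a rekey from being combined with anything that arrives after it.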

Community reactions

The disclosure was coordinated through the Wi-Fi Alliance and ICASI over a 9-month period to allow vendors time to develop patches. Major vendors like Intel, Cisco, and Arista have released security advisories and patches for their affected products (Intel Advisory, Cisco Advisory, Arista Advisory).

This report was generated using AI.
