Cambium Networks

Wireless That Just Works

Search
×
Submit

2021.03 Fixed Wireless

CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2020-26146 CVE-2020-26145 CVE-2020-26141 CVE-2020-26140 CVE-2020-26143 CVE-2020-26147 CVE-2020-26139 CVE-2020-26144

This advisory applies to the following Cambium Networks fixed wireless product classes:

  • ePMP
  • PTP 550, 550e
  • cnVision
  • 60 GHz cnWave

Date: 19 May 2021

Last Update: 19 May 2021

Summary

Research paper, “Fragment and Forge:  Breaking Wi-Fi Through Frame Aggregation and Fragmentation” was published on May 11, 2021 at the website https://www.fragattacks.com.  The paper describes twelve vulnerabilities found in the 802.11 standard.

This advisory will be updated as new information is received.

Multiple Cambium Products are affected by these vulnerabilities.

Short Attack Description

The vulnerabilities are found in the 802.11 frame aggregation and fragmentation and are not mitigated by cryptography described in the WEP, WPA, WPA2 or WPA3 standards.  Other vulnerabilities cover specific implementation of the 802.11 standard.

The vulnerabilities could allow a malicious person (the attacker) to inject unencrypted frames in a network with security enabled. Once the malicious frame is accepted by the target, the attacker may then choose to implement any one of several known or unknown attacks.  The products described in this advisory use 802.11 framing but have specific implementations unique to Cambium Networks.  The vulnerable CVEs are listed below.

The research paper describes the possibility of a malicious DNS server, bypassing a NAT/firewall implemented on the access point, or extracting data sent from a client to an access point.  The paper also discusses the risk level associated with each attack vector by describing the impact and preconditions that should exist for each discovered vulnerability.  See https://papers.mathyvanhoef.com/fragattacks-overview.pdf for an overview.

Affected Products and Target Fix

The following products are vulnerable to CVE-2020-24588 CVE-2020-24587 CVE-2020-24586 CVE-2020-26146 CVE-2020-26145 CVE-2020-26141 CVE-2020-26140 CVE-2020-26143 CVE-2020-26147 CVE-2020-26139 CVE-2020-26144

These products are not vulnerable to CVE-2020-26142

Category Models Targeted Fix 
ePMP ePMP 1000, ePMP 2000, ePMP 3000, Force 100/110/130/180/190/200/300/400/425 Elevateunder evaluation
PTP PTP 550  PTP 550E under evaluation
cnVisionAll modelsunder evaluation

The following products are under evaluation.

Category Models Targeted Fix 
60 GHz cnWaveV1000  V3000  V5000 under evaluation

Fixed in Software

No firmware fixes are available at the time of this update.  See the matrix above for the targeted fix timeline.

Mitigations

At the time of this update, there are no specific configurations that will mitigate the discovered vulnerabilities.

Contact Get Quote