2021.02 Wi-Fi Access Points

CVE-2020-24588, CVE-2020-24587, CVE-2020-24586, CVE-2020-26146, CVE-2020-26145, CVE-2020-26141, CVE-2020-26140, CVE-2020-26143, CVE-2020-26147, CVE-2020-26139, CVE-2020-26144, CVE-2020-26142

This advisory applies to the following Cambium Networks Wi-Fi product classes:

  • Enterprise Wi-Fi 6
  • cnPilot Indoor 802.11ac
  • cnPilot Outdoor 802.11ac
  • Xirrus 802.11n, 802.11ac
  • Xirrus FIPS models
  • ePMP Hotspot 1000
  • Residential 802.11, 802.11ac

Date: 19 May 2021

Last Update: 19 May 2021

Summary:

The research paper “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation” was published on May 11, 2021 at https://www.fragattacks.com. The paper describes twelve vulnerabilities found in the 802.11 standard.

This advisory will be updated as new information is received.

Multiple Cambium products are affected by these vulnerabilities.

Short Attack Description

The vulnerabilities are found in 802.11 frame aggregation and fragmentation and are not mitigated by the cryptography described in the WEP, WPA, WPA2 or WPA3 standards. Other vulnerabilities concern specific implementations of the 802.11 standard.

The vulnerabilities could allow a malicious person (the attacker) to inject unencrypted frames in a network with security enabled. Once the malicious frame is accepted by the target, the attacker may then choose to implement any one of several known or unknown attacks.

The research paper describes the possibility of introducing a malicious DNS server, bypassing a NAT/firewall implemented on the access point, or exfiltrating data sent from a client to an access point. The paper also discusses the risk level associated with each attack vector by describing the impact of each discovered vulnerability and the preconditions that must exist for it. See https://papers.mathyvanhoef.com/fragattacks-overview.pdf for an overview.

Affected Products and Target Fix

The following products are vulnerable to CVE-2020-24588, CVE-2020-24587, CVE-2020-24586, CVE-2020-26146, CVE-2020-26145, CVE-2020-26141, CVE-2020-26140, CVE-2020-26143, CVE-2020-26147, CVE-2020-26139 and CVE-2020-26144.

These products are not vulnerable to CVE-2020-26142.

Category | Models | Targeted Fix | Firmware ver
Enterprise Wi-Fi 6 | XV2-2, XV3-8 | June/July 2021 | 6.3.5
cnPilot Enterprise, Indoor and Outdoor | e500, 501S, 502S, e425H, e430H, e430W, e410, e600, e505, e510, e700 | June/July 2021 | 4.2.1
ePMP 1000 hotspot | ePMP 1000 hotspot | Under evaluation | Under evaluation
Xirrus Wi-Fi AOS | XD4-130, XH2-120, XR-620, XR-630, XR-4826, XR-2226, XR-2426, XR-4426, XR-4436, XR-4836, XR-2426-K, XR-2436-K, XR-2236, XR-2436, XR-520, XR-2430, XR-4420, XR-4430, XR-4820, XR-4830, XR-520H | Under evaluation | Under evaluation
Xirrus Wi-Fi AOSLite | X2-120, XR-320 | Under evaluation | Under evaluation
Xirrus Wi-Fi AOS FIPS models | XR-2436-FIPS, XR-4836-FIPS, XR-630-FIPS | Under evaluation | Under evaluation

The following products are vulnerable to CVE-2020-24586, CVE-2020-24587 and CVE-2020-24588.

These products are not vulnerable to CVE-2020-26146, CVE-2020-26145, CVE-2020-26141, CVE-2020-26140, CVE-2020-26143, CVE-2020-26147, CVE-2020-26139, CVE-2020-26144 or CVE-2020-26142.

Category | Models | Targeted Fix | Firmware ver
Xirrus Wi-Fi AOS | XD2-230, XD2-240, XD4-240, XA4-240, XH2-240, XR-2247, XR-2447, XR-4447, XR-4847 | Under evaluation | Under evaluation

The following products are under evaluation.

Category | Models | Targeted Fix | Firmware ver
Residential Router | R190, r200, r201, r195 | Under evaluation | Under evaluation

Fixed in Software

No firmware fixes are available at the time of this update. See the matrix above for the targeted fix timeline.

Mitigations

At the time of this update, there are no specific configurations that will mitigate the discovered vulnerabilities.

Contact