2021.03 Fixed Wireless

CVE-2020-24588, CVE-2020-24587, CVE-2020-24586, CVE-2020-26146, CVE-2020-26145, CVE-2020-26141, CVE-2020-26140, CVE-2020-26143, CVE-2020-26147, CVE-2020-26139, CVE-2020-26144

This advisory applies to the following Cambium Networks fixed wireless product classes:

  • ePMP
  • PTP 550, 550e
  • cnVision
  • 60 GHz cnWave

Date: 19 May 2021

Last Update: 19 May 2021

Summary

The research paper “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation” was published on May 11, 2021 at https://www.fragattacks.com. The paper describes twelve vulnerabilities found in the 802.11 standard.

This advisory will be updated as new information is received.

Multiple Cambium products are affected by these vulnerabilities.

Short Attack Description

The vulnerabilities are in 802.11 frame aggregation and fragmentation and are not mitigated by the cryptography described in the WEP, WPA, WPA2 or WPA3 standards. Other vulnerabilities concern specific implementations of the 802.11 standard.

The vulnerabilities could allow a malicious person (the attacker) to inject unencrypted frames into a network with security enabled. Once the malicious frame is accepted by the target, the attacker may then carry out any one of several known or unknown attacks. The products described in this advisory use 802.11 framing but have specific implementations unique to Cambium Networks. The applicable CVEs are listed below.

The research paper describes possible outcomes such as the use of a malicious DNS server, bypassing a NAT/firewall implemented on the access point, or extracting data sent from a client to an access point. The paper also discusses the risk level associated with each attack vector by describing the impact and the preconditions that must exist for each discovered vulnerability. See https://papers.mathyvanhoef.com/fragattacks-overview.pdf for an overview.

Affected Products and Target Fix

The following products are vulnerable to CVE-2020-24588, CVE-2020-24587, CVE-2020-24586, CVE-2020-26146, CVE-2020-26145, CVE-2020-26141, CVE-2020-26140, CVE-2020-26143, CVE-2020-26147, CVE-2020-26139 and CVE-2020-26144.

These products are not vulnerable to CVE-2020-26142.

Category | Models | Targeted Fix
ePMP | ePMP 1000, ePMP 2000, ePMP 3000, Force 100/110/130/180/190/200/300/400/425 Elevate | under evaluation
PTP | PTP 550, PTP 550E | under evaluation
cnVision | All models | under evaluation

The following products are under evaluation.

Category | Models | Targeted Fix
60 GHz cnWave | V1000, V3000, V5000 | under evaluation

Fixed in Software

No firmware fixes are available at the time of this update. See the matrix above for the targeted fix timeline.

Mitigations

At the time of this update, there are no specific configurations that will mitigate the discovered vulnerabilities.

Contact