CPE matches: cpe:2.3:o:arista:c-230_firmware:*:*:*:*:*:*:*:* && versionEndExcluding=10.0.1-31
Description
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
Damage
- Complete loss of protection.
Attack conditions
- Attacking requires physical proximity to the network and can be done by anyone (requires no authentication).
- No user interaction is required.
Damage and attack conditions obtained from CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (CVSSv3)
Type of bug(s)
- CWE-20, Improper Input Validation:
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
References
CPE matches: cpe:2.3:o:arista:c-230_firmware:*:*:*:*:*:*:*:* && versionEndExcluding=10.0.1-31
Description
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
Damage
- Complete loss of protection.
Attack conditions
- Attacking requires physical proximity to the network and can be done by anyone (requires no authentication).
- No user interaction is required.
- The attack is estimated to have a high success rate, once attempted.
Damage and attack conditions obtained from CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (CVSSv3)
Type of bug(s)
- CWE-20, Improper Input Validation:
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
References
CPE matches: cpe:2.3:o:arista:c-230_firmware:*:*:*:*:*:*:*:* && versionEndExcluding=10.0.1-31
Description
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that received fragments be cleared from memory after (re)connecting to a network. Under the right circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this can be abused to inject arbitrary network packets and/or exfiltrate user data.
Damage
- Limited access to information.
Attack conditions
- Attacking requires physical proximity to the network and can be done by anyone (requires no authentication).
- Human user interaction is required for the attack.
- The attack is estimated to have a high success rate, once attempted.
Damage and attack conditions obtained from CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (CVSSv3)
References