CVE-2020-26143

kernel: accepting fragmented plaintext frames in protected networks

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.

Se detectó un problema en el controlador ALFA Windows 10 versión 1030.36.604 para AWUS036ACH. Las implementaciones WEP, WPA, WPA2 y WPA3 aceptan tramas de texto plano fragmentados en una red Wi-Fi protegida. Un adversario puede abusar de esto para inyectar tramas de datos arbitrarias independientes de la configuración de la red

A vulnerability was found in Linux kernel, where the WiFi implementations assemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.

*Credits: N/A

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Adjacent

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-09-29 CVE Reserved
2021-05-11 CVE Published
2024-07-12 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-346: Origin Validation Error

CAPEC

References (8)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2021/05/11/12	Mailing List
https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf	Third Party Advisory
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md	Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63	Third Party Advisory
https://www.fragattacks.com	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu	2021-12-03
https://access.redhat.com/security/cve/CVE-2020-26143	2021-11-09
https://bugzilla.redhat.com/show_bug.cgi?id=1960496	2021-11-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Alfa Search vendor "Alfa"	Awus036h Firmware Search vendor "Alfa" for product "Awus036h Firmware"	1030.36.604 Search vendor "Alfa" for product "Awus036h Firmware" and version "1030.36.604"	windows_10	Affected	in	Alfa Search vendor "Alfa"	Awus036h Search vendor "Alfa" for product "Awus036h"	-	-	Safe
Arista Search vendor "Arista"	C-75 Firmware Search vendor "Arista" for product "C-75 Firmware"	-	-	Affected	in	Arista Search vendor "Arista"	C-75 Search vendor "Arista" for product "C-75"	-	-	Safe
Arista Search vendor "Arista"	O-90 Firmware Search vendor "Arista" for product "O-90 Firmware"	-	-	Affected	in	Arista Search vendor "Arista"	O-90 Search vendor "Arista" for product "O-90"	-	-	Safe
Arista Search vendor "Arista"	C-65 Firmware Search vendor "Arista" for product "C-65 Firmware"	-	-	Affected	in	Arista Search vendor "Arista"	C-65 Search vendor "Arista" for product "C-65"	-	-	Safe
Arista Search vendor "Arista"	W-68 Firmware Search vendor "Arista" for product "W-68 Firmware"	-	-	Affected	in	Arista Search vendor "Arista"	W-68 Search vendor "Arista" for product "W-68"	-	-	Safe
Siemens Search vendor "Siemens"	Scalance W700 Ieee 802.11n Firmware Search vendor "Siemens" for product "Scalance W700 Ieee 802.11n Firmware"	*	-	Affected	in	Siemens Search vendor "Siemens"	Scalance W700 Ieee 802.11n Search vendor "Siemens" for product "Scalance W700 Ieee 802.11n"	-	-	Safe