CVE-2020-26144
kernel: accepting unencrypted A-MSDU frames that start with RFC1042 header
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
Se detectó un problema en los dispositivos Samsung Galaxy S3 i9305 versión 4.4.4. Las implementaciones WEP, WPA, WPA2 y WPA3 aceptan tramas A-MSDU de texto plano siempre que los primeros 8 bytes correspondan a un encabezado RFC1042 válido (es decir, LLC/SNAP) para EAPOL. Un adversario puede abusar de esto para inyectar paquetes de red arbitrarios independientemente de la configuración de la red
A flaw was found in the Linux kernel, where the WiFi implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (ex., LLC/SNAP) header for EAPOL. The highest threat from this vulnerability is to integrity.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-09-29 CVE Reserved
- 2021-05-11 CVE Published
- 2024-07-12 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-290: Authentication Bypass by Spoofing
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2021/05/11/12 | Mailing List |
|
| https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf | Third Party Advisory |
|
| https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md | Third Party Advisory | |
| https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63 | Third Party Advisory | |
| https://www.fragattacks.com | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Samsung Search vendor "Samsung" | Galaxy I9305 Firmware Search vendor "Samsung" for product "Galaxy I9305 Firmware" | 4.4.4 Search vendor "Samsung" for product "Galaxy I9305 Firmware" and version "4.4.4" | - |
Affected
| in | Samsung Search vendor "Samsung" | Galaxy I9305 Search vendor "Samsung" for product "Galaxy I9305" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-250 Firmware Search vendor "Arista" for product "C-250 Firmware" | < 10.0.1-31 Search vendor "Arista" for product "C-250 Firmware" and version " < 10.0.1-31" | - |
Affected
| in | Arista Search vendor "Arista" | C-250 Search vendor "Arista" for product "C-250" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-260 Firmware Search vendor "Arista" for product "C-260 Firmware" | < 10.0.1-31 Search vendor "Arista" for product "C-260 Firmware" and version " < 10.0.1-31" | - |
Affected
| in | Arista Search vendor "Arista" | C-260 Search vendor "Arista" for product "C-260" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-230 Firmware Search vendor "Arista" for product "C-230 Firmware" | < 10.0.1-31 Search vendor "Arista" for product "C-230 Firmware" and version " < 10.0.1-31" | - |
Affected
| in | Arista Search vendor "Arista" | C-230 Search vendor "Arista" for product "C-230" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-235 Firmware Search vendor "Arista" for product "C-235 Firmware" | < 10.0.1-31 Search vendor "Arista" for product "C-235 Firmware" and version " < 10.0.1-31" | - |
Affected
| in | Arista Search vendor "Arista" | C-235 Search vendor "Arista" for product "C-235" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-200 Firmware Search vendor "Arista" for product "C-200 Firmware" | < 11.0.0-36 Search vendor "Arista" for product "C-200 Firmware" and version " < 11.0.0-36" | - |
Affected
| in | Arista Search vendor "Arista" | C-200 Search vendor "Arista" for product "C-200" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-120 Firmware Search vendor "Arista" for product "C-120 Firmware" | < 11.0.0-36 Search vendor "Arista" for product "C-120 Firmware" and version " < 11.0.0-36" | - |
Affected
| in | Arista Search vendor "Arista" | C-120 Search vendor "Arista" for product "C-120" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-130 Firmware Search vendor "Arista" for product "C-130 Firmware" | < 11.0.0-36 Search vendor "Arista" for product "C-130 Firmware" and version " < 11.0.0-36" | - |
Affected
| in | Arista Search vendor "Arista" | C-130 Search vendor "Arista" for product "C-130" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-100 Firmware Search vendor "Arista" for product "C-100 Firmware" | < 11.0.0-36 Search vendor "Arista" for product "C-100 Firmware" and version " < 11.0.0-36" | - |
Affected
| in | Arista Search vendor "Arista" | C-100 Search vendor "Arista" for product "C-100" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-110 Firmware Search vendor "Arista" for product "C-110 Firmware" | < 11.0.0-36 Search vendor "Arista" for product "C-110 Firmware" and version " < 11.0.0-36" | - |
Affected
| in | Arista Search vendor "Arista" | C-110 Search vendor "Arista" for product "C-110" | - | - |
Safe
|
| Arista Search vendor "Arista" | O-105 Firmware Search vendor "Arista" for product "O-105 Firmware" | < 11.0.0-36 Search vendor "Arista" for product "O-105 Firmware" and version " < 11.0.0-36" | - |
Affected
| in | Arista Search vendor "Arista" | O-105 Search vendor "Arista" for product "O-105" | - | - |
Safe
|
| Arista Search vendor "Arista" | W-118 Firmware Search vendor "Arista" for product "W-118 Firmware" | < 11.0.0-36 Search vendor "Arista" for product "W-118 Firmware" and version " < 11.0.0-36" | - |
Affected
| in | Arista Search vendor "Arista" | W-118 Search vendor "Arista" for product "W-118" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-75 Firmware Search vendor "Arista" for product "C-75 Firmware" | - | - |
Affected
| in | Arista Search vendor "Arista" | C-75 Search vendor "Arista" for product "C-75" | - | - |
Safe
|
| Arista Search vendor "Arista" | O-90 Firmware Search vendor "Arista" for product "O-90 Firmware" | - | - |
Affected
| in | Arista Search vendor "Arista" | O-90 Search vendor "Arista" for product "O-90" | - | - |
Safe
|
| Arista Search vendor "Arista" | C-65 Firmware Search vendor "Arista" for product "C-65 Firmware" | - | - |
Affected
| in | Arista Search vendor "Arista" | C-65 Search vendor "Arista" for product "C-65" | - | - |
Safe
|
| Arista Search vendor "Arista" | W-68 Firmware Search vendor "Arista" for product "W-68 Firmware" | - | - |
Affected
| in | Arista Search vendor "Arista" | W-68 Search vendor "Arista" for product "W-68" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Scalance W700 Ieee 802.11ax Firmware Search vendor "Siemens" for product "Scalance W700 Ieee 802.11ax Firmware" | * | - |
Affected
| in | Siemens Search vendor "Siemens" | Scalance W700 Ieee 802.11ax Search vendor "Siemens" for product "Scalance W700 Ieee 802.11ax" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Scalance W700 Ieee 802.11n Firmware Search vendor "Siemens" for product "Scalance W700 Ieee 802.11n Firmware" | * | - |
Affected
| in | Siemens Search vendor "Siemens" | Scalance W700 Ieee 802.11n Search vendor "Siemens" for product "Scalance W700 Ieee 802.11n" | - | - |
Safe
|