CVE-2020-26145
kernel: accepting plaintext broadcast fragments as full frames
Public Exploits: 0
Exploited in Wild: -
Descriptions
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
A flaw was found in ath10k_htt_rx_proc_rx_frag_ind_hl in drivers/net/wireless/ath/ath10k/htt_rx.c in the Linux kernel WiFi implementations, where it accepts second (or subsequent) broadcast fragments even when sent in plaintext and then processes them as full unfragmented frames. The highest threat from this vulnerability is to integrity.
Timeline
- 2020-09-29 CVE Reserved
- 2021-05-11 CVE Published
- 2024-01-25 EPSS Updated
- 2024-08-04 CVE Updated
CWE
- CWE-20: Improper Input Validation
- CWE-307: Improper Restriction of Excessive Authentication Attempts
References (6)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2021/05/11/12 | Mailing List | |
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md | Third Party Advisory | |
https://www.fragattacks.com | Third Party Advisory | |
URL | Date | SRC |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf | 2022-05-13 | |
https://access.redhat.com/security/cve/CVE-2020-26145 | 2021-11-09 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1960500 | 2021-11-09 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | | Vendor | Product | Version | Other | Status |
---|---|---|---|---|---|---|---|---|---|---|
Samsung | Galaxy I9305 Firmware | 4.4.4 | - | Affected | in | Samsung | Galaxy I9305 | - | - | Safe |
Siemens | 6gk5763-1al00-7da0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5763-1al00-7da0 | - | - | Safe |
Siemens | 6gk5766-1ge00-7da0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1ge00-7da0 | - | - | Safe |
Siemens | 6gk5766-1ge00-7db0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1ge00-7db0 | - | - | Safe |
Siemens | 6gk5766-1je00-7da0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1je00-7da0 | - | - | Safe |
Siemens | 6gk5766-1ge00-7ta0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1ge00-7ta0 | - | - | Safe |
Siemens | 6gk5766-1ge00-7tb0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1ge00-7tb0 | - | - | Safe |
Siemens | 6gk5766-1je00-7ta0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1je00-7ta0 | - | - | Safe |
Siemens | 6gk5763-1al00-3aa0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5763-1al00-3aa0 | - | - | Safe |
Siemens | 6gk5763-1al00-3da0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5763-1al00-3da0 | - | - | Safe |
Siemens | 6gk5766-1ge00-3da0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1ge00-3da0 | - | - | Safe |
Siemens | 6gk5766-1ge00-3db0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1ge00-3db0 | - | - | Safe |
Siemens | 6gk5766-1je00-3da0 Firmware | < 1.2 | - | Affected | in | Siemens | 6gk5766-1je00-3da0 | - | - | Safe |