CVE-2020-26146
kernel: reassembling encrypted fragments with non-consecutive packet numbers
Public Exploits: 0
Exploited in Wild: -
Descriptions
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
A vulnerability was found in the Linux kernel, where the WiFi implementation reassembles fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
Timeline
- 2020-09-29 CVE Reserved
- 2021-05-11 CVE Published
- 2024-07-12 EPSS Updated
- 2024-08-04 CVE Updated
CWE
- CWE-20: Improper Input Validation
- CWE-307: Improper Restriction of Excessive Authentication Attempts
References (8)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2021/05/11/12 | Mailing List | |
https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf | Third Party Advisory | |
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md | Third Party Advisory | |
https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63 | Third Party Advisory | |
https://www.fragattacks.com | Third Party Advisory |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | In: Product | In: Status |
---|---|---|---|---|---|---|
Samsung | Galaxy I9305 Firmware | 4.4.4 | - | Affected | Samsung Galaxy I9305 | Safe |
Arista | C-250 Firmware | < 10.0.1-31 | - | Affected | Arista C-250 | Safe |
Arista | C-260 Firmware | < 10.0.1-31 | - | Affected | Arista C-260 | Safe |
Arista | C-230 Firmware | < 10.0.1-31 | - | Affected | Arista C-230 | Safe |
Arista | C-235 Firmware | < 10.0.1-31 | - | Affected | Arista C-235 | Safe |
Arista | C-200 Firmware | < 11.0.0-36 | - | Affected | Arista C-200 | Safe |
Arista | C-120 Firmware | < 11.0.0-36 | - | Affected | Arista C-120 | Safe |
Arista | C-130 Firmware | < 11.0.0-36 | - | Affected | Arista C-130 | Safe |
Arista | C-100 Firmware | < 11.0.0-36 | - | Affected | Arista C-100 | Safe |
Arista | C-110 Firmware | < 11.0.0-36 | - | Affected | Arista C-110 | Safe |
Arista | O-105 Firmware | < 11.0.0-36 | - | Affected | Arista O-105 | Safe |
Arista | W-118 Firmware | < 11.0.0-36 | - | Affected | Arista W-118 | Safe |
Arista | C-75 Firmware | - | - | Affected | Arista C-75 | Safe |
Arista | O-90 Firmware | - | - | Affected | Arista O-90 | Safe |
Arista | C-65 Firmware | - | - | Affected | Arista C-65 | Safe |
Arista | W-68 Firmware | - | - | Affected | Arista W-68 | Safe |
Siemens | Scalance W700 Ieee 802.11n Firmware | * | - | Affected | Siemens Scalance W700 Ieee 802.11n | Safe |
Siemens | Scalance W1700 Ieee 802.11ac Firmware | * | - | Affected | Siemens Scalance W1700 Ieee 802.11ac | Safe |
Siemens | Scalance W1750d Firmware | < 8.7.1.3 | - | Affected | Siemens Scalance W1750d | Safe |