Overview

On May 11, 2021, D-Link became aware of the public disclosure of "FragAttack", a collection of security vulnerabilities that affect Wi-Fi devices.

 
D-Link has investigated these reported security issues and if any D-Link Brand WiFi products are affected by these vulnerable.

The Industry Consortium for Advancement of Security on the Internet (ICASI) recently disclosed this collection of security vulnerabilities called FragAttacks (fragmentation and aggregation attacks) affecting Wi-Fi devices. Some vulnerabilities are widespread design flaws in the Wi-Fi standard or widespread programming mistakes in Wi-Fi products. Three of the reported vulnerabilities require additional actions by the attacker and receiver, including a man-in-the-middle attack to intercept the user’s wireless signal. As we investigate, D-Link understands, much of these attacks have dependances to attempt or are difficult to implement in a production environments.

The CVSS score for FragAttacks have been rated as medium severity.
 
D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates regularly.
 

Report

        - FragAttack Public Disclosure Website :: Link

        - https://www.wi-fi.org/security-update-fragmentation
        - https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/

Details: (Quoted directly from the Disclosure Website) 

         An overview of all assigned Common Vulnerabilities and Exposures (CVE) identifiers can be found on GitHub, and there is a list of known advisories from companies. Summarized, the design flaws were assigned the following CVEs:

• CVE-2020-24588: aggregation attack (accepting non-SPP A-MSDU frames).
• CVE-2020-24587: mixed key attack (reassembling fragments encrypted under different keys).
• CVE-2020-24586: fragment cache attack (not clearing fragments from memory when (re)connecting to a network).

         Implementation vulnerabilities that allow the trivial injection of plaintext frames in a protected Wi-Fi network are assigned the following CVEs:

• CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
• CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
• CVE-2020-26140: Accepting plaintext data frames in a protected network.
• CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.

        Other implementation flaws are assigned the following CVEs:

• CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
• CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
• CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
• CVE-2020-26142: Processing fragmented frames as full frames.
• CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
  

Affected Products

Regarding Security patch for your D-Link Devices

Meanwhile, as D-Link iinvestigates and determines which D-Link devices are potentially affected, we recommends that Wi-Fi device owners regularly check their devices are updated to the latest firmware. D-Link also always advise users to connect to HTTPS websites (Link), use strong, complex  credentials for computer access and WiFi connections. For further protection, we recommend using VPN service, Anti-Virus tools, and understand connecting to the internet should be done under Zero-Trust Guidelines (Link).

Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this continually, and we strongly recommend all users to install the relevant updates.

Please note that this is a device beta software, beta firmware, or hot-fix release, which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an "as is" and "as available" basis, and the user assumes all risk and liability for use thereof. D-Link does not offer any warranties, whether express or implied, as to the beta firmware's suitability or usability. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party due to their use of the beta firmware.

As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can be found on the product label on the product's underside next to the serial number. Alternatively, the hardware revision can also be found on the device web configuration pages.