Vulnerability Name: CVE-2020-26146 (CCN-201635)

Assigned: 2020-09-29
Published: 2021-05-11
Updated: 2021-12-06
Summary: An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note that WEP is vulnerable to this attack by design.
CVSS v3 Severity:
5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  • Attack Vector (AV): Adjacent
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
Scope:
  • Scope (S): Unchanged
Impact Metrics:
  • Confidentiality (C): None
  • Integrity (I): High
  • Availability (A): None
4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
4.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  • Attack Vector (AV): Adjacent
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): Required
Scope:
  • Scope (S): Unchanged
Impact Metrics:
  • Confidentiality (C): None
  • Integrity (I): High
  • Availability (A): None
5.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
4.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  • Attack Vector (AV): Adjacent
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
Scope:
  • Scope (S): Unchanged
Impact Metrics:
  • Confidentiality (C): None
  • Integrity (I): High
  • Availability (A): None
CVSS v2 Severity:
2.9 Low (CVSS v2 Vector: AV:A/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:
  • Access Vector (AV): Adjacent_Network
  • Access Complexity (AC): Medium
  • Authentication (Au): None
Impact Metrics:
  • Confidentiality (C): None
  • Integrity (I): Partial
  • Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:A/AC:H/Au:S/C:N/I:C/A:N)
Exploitability Metrics:
  • Access Vector (AV): Adjacent_Network
  • Access Complexity (AC): High
  • Authentication (Au): Single_Instance
Impact Metrics:
  • Confidentiality (C): None
  • Integrity (I): Complete
  • Availability (A): None
Vulnerability Type:
  • CWE-20
  • CWE-307
Vulnerability Consequences: Bypass Security
References:
Source: MITRE
Type: CNA
CVE-2020-26146

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20210511 various 802.11 security issues - fragattacks.com

Source: CONFIRM
Type: Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf

Source: XF
Type: UNKNOWN
cisco-cve202026146-sec-bypass(201635)

Source: MISC
Type: Third Party Advisory
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md

Source: CCN
Type: Cisco Security Advisory cisco-sa-wifi-faf-22epcEWu
Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021

Source: CISCO
Type: Third Party Advisory
20210511 Multiple Vulnerabilities in Frame Aggregation and Fragmentation Implementations of 802.11 Specification Affecting Cisco Products: May 2021

Source: MISC
Type: Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63

Source: MISC
Type: Third Party Advisory
https://www.fragattacks.com

Vulnerable Configuration:
  • Configuration 1:
  • cpe:/o:samsung:galaxy_i9305_firmware:4.4.4:*:*:*:*:*:*:*
  • AND
  • cpe:/h:samsung:galaxy_i9305:-:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:arista:c-250_firmware:*:*:*:*:*:*:*:* (Version < 10.0.1-31)
  • AND
  • cpe:/h:arista:c-250:-:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:arista:c-260_firmware:*:*:*:*:*:*:*:* (Version < 10.0.1-31)
  • AND
  • cpe:/h:arista:c-260:-:*:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/o:arista:c-230_firmware:*:*:*:*:*:*:*:* (Version < 10.0.1-31)
  • AND
  • cpe:/h:arista:c-230:-:*:*:*:*:*:*:*

  • Configuration 5:
  • cpe:/o:arista:c-235_firmware:*:*:*:*:*:*:*:* (Version < 10.0.1-31)
  • AND
  • cpe:/h:arista:c-235:-:*:*:*:*:*:*:*

  • Configuration 6:
  • cpe:/o:arista:c-200_firmware:*:*:*:*:*:*:*:* (Version < 11.0.0-36)
  • AND
  • cpe:/h:arista:c-200:-:*:*:*:*:*:*:*

  • Configuration 7:
  • cpe:/o:arista:c-120_firmware:*:*:*:*:*:*:*:* (Version < 11.0.0-36)
  • AND
  • cpe:/h:arista:c-120:-:*:*:*:*:*:*:*

  • Configuration 8:
  • cpe:/o:arista:c-130_firmware:*:*:*:*:*:*:*:* (Version < 11.0.0-36)
  • AND
  • cpe:/h:arista:c-130:-:*:*:*:*:*:*:*

  • Configuration 9:
  • cpe:/o:arista:c-100_firmware:*:*:*:*:*:*:*:* (Version < 11.0.0-36)
  • AND
  • cpe:/h:arista:c-100:-:*:*:*:*:*:*:*

  • Configuration 10:
  • cpe:/o:arista:c-110_firmware:*:*:*:*:*:*:*:* (Version < 11.0.0-36)
  • AND
  • cpe:/h:arista:c-110:-:*:*:*:*:*:*:*

  • Configuration 11:
  • cpe:/o:arista:o-105_firmware:*:*:*:*:*:*:*:* (Version < 11.0.0-36)
  • AND
  • cpe:/h:arista:o-105:-:*:*:*:*:*:*:*

  • Configuration 12:
  • cpe:/o:arista:w-118_firmware:*:*:*:*:*:*:*:* (Version < 11.0.0-36)
  • AND
  • cpe:/h:arista:w-118:-:*:*:*:*:*:*:*

  • Configuration 13:
  • cpe:/o:arista:c-75_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:arista:c-75:-:*:*:*:*:*:*:*

  • Configuration 14:
  • cpe:/o:arista:o-90_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:arista:o-90:-:*:*:*:*:*:*:*

  • Configuration 15:
  • cpe:/o:arista:c-65_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:arista:c-65:-:*:*:*:*:*:*:*

  • Configuration 16:
  • cpe:/o:arista:w-68_firmware:-:*:*:*:*:*:*:*
  • AND
  • cpe:/h:arista:w-68:-:*:*:*:*:*:*:*

  • Configuration 17:
  • cpe:/o:siemens:scalance_w700_ieee_802.11n_firmware:*:*:*:*:*:*:*:*
  • AND
  • cpe:/h:siemens:scalance_w700_ieee_802.11n:-:*:*:*:*:*:*:*

  • Configuration 18:
  • cpe:/o:siemens:scalance_w1700_ieee_802.11ac_firmware:*:*:*:*:*:*:*:*
  • AND
  • cpe:/h:siemens:scalance_w1700_ieee_802.11ac:-:*:*:*:*:*:*:*

  • Configuration 19:
  • cpe:/o:siemens:scalance_w1750d_firmware:*:*:*:*:*:*:*:* (Version < 8.7.1.3)
  • AND
  • cpe:/h:siemens:scalance_w1750d:-:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::nfv:*:*:*:*:*

  • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::realtime:*:*:*:*:*

  • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

  • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/h:cisco:ip_conference_phone_8832:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:ip_phone_8861:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:ip_phone_8865:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:wireless_ip_phone_8821:-:*:*:*:*:*:*:*
  • OR cpe:/h:cisco:ip_phone_6861:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:com.redhat.rhsa:def:20214140 | P | RHSA-2021:4140: kernel-rt security and bug fix update (Moderate) | 2021-11-09
oval:com.redhat.rhsa:def:20214356 | P | RHSA-2021:4356: kernel security, bug fix, and enhancement update (Moderate) | 2021-11-09