CVE-2020-24586 Overview
CVE-2020-24586 is a protocol-level vulnerability in the IEEE 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) as well as Wired Equivalent Privacy (WEP). The vulnerability stems from the specification not requiring that received fragments be cleared from memory after a device (re)connects to a network. Under certain circumstances, when another device sends fragmented frames encrypted using WEP, CCMP, or GCMP, this flaw can be exploited to inject arbitrary network packets and potentially exfiltrate user data.
This vulnerability is part of a broader set of flaws collectively known as "FragAttacks" (fragmentation and aggregation attacks), which affect virtually all Wi-Fi implementations across multiple vendors and operating systems.
Critical Impact
Attackers within adjacent network range can exploit this fragment cache vulnerability to inject malicious packets or intercept sensitive user data on Wi-Fi networks using WPA, WPA2, WPA3, or WEP encryption.
Affected Products
- IEEE 802.11 Standard (All versions supporting fragmentation)
- Linux Kernel (mac80211 subsystem)
- Intel Wi-Fi Adapters (AX210, AX201, AX200, AC 9560, AC 9462, AC 9461, AC 9260, AC 8265, AC 8260, AC 3168, AC 7265, AC 3165, AX1675, AX1650, AC 1550)
- Arista Access Points (C-200, C-230, C-235, C-250, C-260 series)
- Debian Linux 9.0
Discovery Timeline
- May 11, 2021 - CVE-2020-24586 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-24586
Vulnerability Analysis
This vulnerability exists at the protocol specification level within the IEEE 802.11 standard itself, making it a design flaw rather than an implementation bug. The 802.11 specification permits Wi-Fi devices to cache received frame fragments until all fragments of a message have arrived and can be reassembled. However, the standard does not mandate that these cached fragments be cleared when a client disconnects and reconnects to a network.
The attack requires the adversary to be within radio range of the target device (adjacent network access). While user interaction is required for successful exploitation, the potential impact includes confidentiality breaches through data exfiltration from the victim's network traffic.
Root Cause
The root cause is a specification deficiency in the IEEE 802.11 standard. When fragmented frames are transmitted over Wi-Fi, the receiving device stores these fragments in a cache until the complete frame can be reassembled. The standard fails to specify that this fragment cache must be cleared upon network reconnection. This allows an attacker to pre-populate the fragment cache with malicious fragments, which may then be combined with legitimate fragments from a subsequent session.
Attack Vector
The attack leverages adjacent network access, meaning the attacker must be within Wi-Fi range of the target. The exploitation scenario involves the following mechanism:
- The attacker waits for or induces a victim to disconnect from a Wi-Fi network
- Before reconnection, the attacker sends specially crafted fragmented frames to the victim's device
- These malicious fragments are cached by the victim's Wi-Fi implementation
- When the victim reconnects and receives legitimate fragmented frames, the cached malicious fragments may be combined with the new legitimate fragments
- This can result in packet injection or data exfiltration depending on the attack scenario
The vulnerability affects frames encrypted with WEP, CCMP (used in WPA2), and GCMP (used in WPA3), demonstrating that even modern encryption protocols do not mitigate this design flaw. For detailed technical analysis, refer to the FragAttacks Official Site and the GitHub FragAttacks Summary.
Detection Methods for CVE-2020-24586
Indicators of Compromise
- Unusual Wi-Fi deauthentication or disassociation frames preceding reconnection events
- Fragmented frame traffic patterns that deviate from normal network behavior
- Unexpected packet injection or network anomalies following client reconnections
Detection Strategies
- Deploy wireless intrusion detection systems (WIDS) capable of monitoring for suspicious fragmentation patterns
- Implement network monitoring to detect anomalous deauthentication attacks that may precede exploitation attempts
- Monitor Wi-Fi client reconnection events for unusual timing or frequency patterns
Monitoring Recommendations
- Enable detailed logging on wireless access points and controllers to capture fragmentation-related events
- Utilize endpoint detection solutions to monitor for unexpected network traffic patterns post-reconnection
- Implement continuous wireless spectrum monitoring in sensitive environments
How to Mitigate CVE-2020-24586
Immediate Actions Required
- Apply firmware and driver updates from affected vendors (Intel, Arista, Linux kernel) that implement fragment cache clearing on reconnection
- Ensure all wireless infrastructure components are updated with patches addressing FragAttacks vulnerabilities
- Review and update wireless security policies to minimize exposure to adjacent network attacks
Patch Information
Multiple vendors have released patches to address this vulnerability by implementing proper fragment cache clearing upon reconnection:
- Intel: Security updates available via Intel Security Advisory SA-00473
- Arista: Firmware updates detailed in Arista Security Advisory #12602
- Linux Kernel: Patches available for the mac80211 subsystem; see Debian LTS Announcements for distribution-specific updates
- Cisco: Guidance available in Cisco Security Advisory
Workarounds
- Use HTTPS and other transport-layer encryption for all sensitive communications to add defense-in-depth
- Consider network segmentation to limit the impact of potential packet injection attacks
- In highly sensitive environments, reduce the use of Wi-Fi fragmentation by adjusting MTU settings where feasible
- Implement strong physical security controls to limit adversary access to within Wi-Fi range
# Example: Update Linux kernel and wireless drivers on Debian-based systems
sudo apt update
sudo apt upgrade linux-image-$(uname -r) firmware-iwlwifi
sudo reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
