CVE-2022-47522 Overview
CVE-2022-47522 is a protocol-level vulnerability affecting the IEEE 802.11 specifications through 802.11ax (Wi-Fi 6). This authentication spoofing flaw allows physically proximate attackers to intercept target-destined frames—potentially including cleartext data—by exploiting a design weakness in how access points handle Power Save mode transitions and security context management.
The attack methodology involves spoofing a target client's MAC address, sending Power Save frames to the access point, and then transmitting authentication or re-association frames to remove the target's original security context. This behavior stems from the specifications not requiring access points to purge their transmit queue before removing a client's pairwise encryption key.
Critical Impact
Attackers within physical proximity can intercept and potentially decrypt network traffic destined for legitimate Wi-Fi clients by manipulating the access point's frame handling behavior.
Affected Products
- IEEE 802.11 specifications through 802.11ax
- SonicWall TZ Series Firewalls (TZ270, TZ270W, TZ300, TZ300P, TZ300W, TZ350, TZ350W, TZ370, TZ370W, TZ400, TZ400W, TZ470, TZ470W, TZ500, TZ500W, TZ570, TZ570P, TZ570W, TZ600, TZ600P, TZ670)
- SonicWall SOHO 250 and SOHO 250W
- SonicWall SonicWave Access Points (224W, 231C, 432O, 621, 641, 681)
Discovery Timeline
- April 15, 2023 - CVE-2022-47522 published to NVD
- February 6, 2025 - Last updated in NVD database
Technical Details for CVE-2022-47522
Vulnerability Analysis
This vulnerability represents a fundamental design flaw in the IEEE 802.11 wireless networking specifications. The core issue lies in the protocol's handling of client state transitions during Power Save mode operations and the timing of security context removal.
When a wireless client enters Power Save mode, the access point buffers frames destined for that client. The vulnerability arises because the specification does not mandate that access points purge their transmit queues before removing a client's pairwise encryption key. An attacker can exploit this race condition by sending frames that trigger security context removal while buffered data still exists in the queue.
The attack is classified under CWE-290 (Authentication Bypass by Spoofing), as it allows an attacker to bypass the intended authentication mechanism by spoofing MAC addresses and manipulating protocol state transitions. The adjacent network attack vector requires the attacker to be physically proximate to the target wireless network.
Root Cause
The root cause is a specification-level oversight in the IEEE 802.11 standard. The protocol lacks explicit requirements for access points to:
- Purge buffered frames from the transmit queue before removing a client's pairwise encryption key
- Verify the authenticity of Power Save frame sources beyond MAC address validation
- Maintain cryptographic association between buffered frames and the security context under which they were received
This creates a window of opportunity where an attacker can manipulate the access point's state machine to release buffered frames either in cleartext or encrypted with a key the attacker controls.
Attack Vector
The attack requires the following sequence:
- MAC Address Spoofing: The attacker spoofs the target client's MAC address to impersonate them on the network
- Power Save Frame Injection: The attacker sends Power Save frames to the access point, causing it to buffer frames destined for the target
- Security Context Manipulation: The attacker sends authentication or re-association frames to force the access point to remove the target's original security context
- Frame Interception: As the security context is removed, buffered frames may be transmitted in cleartext or with modified encryption that the attacker can decrypt
This attack methodology exploits the asynchronous nature of frame buffering and key management in 802.11 implementations.
Detection Methods for CVE-2022-47522
Indicators of Compromise
- Unexpected client disassociation or deauthentication events appearing in wireless access point logs
- Rapid succession of Power Save and authentication frames from the same MAC address
- Multiple authentication attempts with MAC address collisions in WLAN controller logs
- Anomalous re-association patterns where clients appear to re-authenticate without prior disconnection
Detection Strategies
- Monitor wireless intrusion detection systems (WIDS) for MAC address spoofing alerts and frame injection attempts
- Implement 802.11w Protected Management Frames (PMF) to detect and prevent management frame spoofing
- Deploy wireless packet capture at access points to identify suspicious Power Save frame patterns
- Correlate client authentication events with expected client behavior baselines
Monitoring Recommendations
- Enable detailed logging on wireless access points and controllers for association/disassociation events
- Configure WIDS/WIPS to alert on rapid client state transitions that may indicate exploitation attempts
- Monitor for Received Signal Strength Indicator (RSSI) anomalies that could indicate a spoofing device at a different physical location
- Implement network behavior analytics to detect unusual traffic patterns following client re-associations
How to Mitigate CVE-2022-47522
Immediate Actions Required
- Apply firmware updates from affected vendors, particularly SonicWall devices listed in SNWLID-2023-0006
- Enable 802.11w Protected Management Frames (PMF) where supported to provide integrity protection for management frames
- Review and segment wireless networks to limit the impact of potential frame interception
- Ensure all sensitive communications over wireless networks use application-layer encryption (TLS/HTTPS)
Patch Information
Vendors have released firmware updates addressing this vulnerability. SonicWall has published security advisory SNWLID-2023-0006 with patches for affected TZ Series, SOHO, and SonicWave products. FreeBSD has also released Security Advisory SA-23:11 addressing this vulnerability in their wireless stack.
Organizations should review the academic research paper published at USENIX Security 2023 for detailed technical analysis and vendor-specific mitigation guidance.
Workarounds
- Enable 802.11w Protected Management Frames (PMF/MFP) to protect management frame integrity where full patches are not yet available
- Use Wi-Fi Alliance Passpoint certified networks where possible for enhanced security
- Implement VPN or application-layer encryption for all sensitive communications over wireless networks
- Reduce wireless coverage to limit the physical area where attackers could position themselves
- Monitor for and alert on unusual client behavior patterns that may indicate active exploitation
# Example: Enable PMF on Linux hostapd
# Edit /etc/hostapd/hostapd.conf
ieee80211w=2 # Required PMF for all clients
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
