Support Center > Search Results > SecureKnowledge Details
Check Point Response to Wi-Fi FragAttacks in Quantum Spark appliances Technical Level
Cause
Several CVEs were published on Wi-Fi devices under the name FragAttacks. More information about them can be found at: https://www.fragattacks.com/

The list of new CVEs related to wireless security flaws with fragmented and aggregated frames, is relevant to Check Point Quantum Spark wireless products. All of the vulnerabilities are in the wireless medium and therefore require physical proximity to the appliance and can not be exploited just from any network.

These are the relevant CVEs:
CVE-2020-24586 – Not clearing fragments from memory when (re)connecting to a network
CVE-2020-26144 – Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
CVE-2020-26145 – Accepting plaintext broadcast fragments as full frames (in an encrypted network)
CVE-2020-26146 – Reassembling encrypted fragments with non-consecutive packet numbers
CVE-2020-26147 – Reassembling mixed encrypted/plaintext fragments
CVE-2020-24587 – Reassembling fragments encrypted under different keys
CVE-2020-24588 – Accepting non-SPP A-MSDU frames
CVE-2020-26139 – Forwarding EAPOL frames even though the sender is not yet authenticated
CVE-2020-26140 – Accepting plaintext data frames in a protected network
CVE-2020-26141 – Not verifying the TKIP MIC of fragmented frames
CVE-2020-26143 – Accepting fragmented plaintext data frames in a protected network
Solution

This problem was fixed. The fix is included in:

Note: The R77.20.87 and R80.20.25 fixes are Jumbo Hotfixes based on the latest Jumbo release.
The sequence number is different because it is a different branch (until a new public jumbo GA will be available).

Check Point recommends to always upgrade to the most recent version (700 / 1400 / 1500).
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment