Peplink Identifies WiFi Vulnerability

Peplink has identified vulnerabilities in some of its products related to the manipulation of transmit queues in the 802.11 standards, as described in the Framing Frames research paper (“Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues”). In the 802.11 context, transmit queues are the buffers in which a wireless network interface holds outgoing data frames until they can be sent over the air.

Wireless devices such as access points and client devices often have multiple transmit queues to manage different types of traffic, such as data, voice, and video. Each queue may have its own priority level, and frames in higher-priority queues are typically transmitted before those in lower-priority queues.

The IEEE 802.11 standard defines several access categories (ACs) to classify different types of traffic, and each AC has its own transmit queue. Wi-Fi Multimedia (WMM) uses four of them: AC_VO (voice), AC_VI (video), AC_BE (best effort) and AC_BK (background). The ACs are assigned different priorities based on their intended use and the quality of service (QoS) requirements of the traffic; for example, real-time traffic such as voice and video usually has a higher priority than best-effort data. By managing the transmit queues and their priorities, wireless devices can optimize the use of available network resources and provide a better quality of service to users.

Peplink’s Findings

Specifically, Peplink found the following with relation to some of their products:

  • Section 3 – Leaking Frames from the Wi-Fi Queue: Some Peplink models with the Wi-Fi AP function may be vulnerable to leaking frames from the Wi-Fi queue; others are not. Peplink will update this forum post with a list of affected models.
  • Section 4 – Abusing the Queue for Network Disruptions: Peplink models are vulnerable to abuse of the queue for network disruption, in which an attacker causes frames destined for a client to be held in the queue instead of delivered.
  • Section 5 – Overriding the Victim’s Security Context: For this attack to succeed, the attacker must hold valid network credentials and time the attack precisely, and even when the attacker does receive frames, their contents are of minimal value in a modern, securely configured network.

Impact and Severity

The attacker takes advantage of the fact that data frames queued for the victim can be obtained by taking over the victim’s MAC address. The attacker first gets the victim disconnected from the WLAN (for example with a deauthentication attack) or logs in at another AP in the same network using the victim’s MAC address; frames still queued for that MAC address are then transmitted to the attacker, who can read their contents and extract any sensitive information they carry. In a securely configured network this attack is considered opportunistic, and the information the attacker can obtain is of minimal value.
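To make the Section 4 and Section 5 findings concrete, the following Python model is an added example written for this page; it is not Peplink firmware, nor code from the Framing Frames paper. It simulates an access point with one transmit queue per associated MAC address. The model assumes, as in the attack described above, that the AP acts on a client’s power-save signal without further authentication, so an attacker using the victim’s MAC can have the AP buffer the victim’s traffic, disconnect the victim, associate under the same MAC with its own credentials and have the buffered frames transmitted under its own key. The `flush_on_context_change` flag, the MAC address, the key names and the payload are constructed for the example; the hardened variant, which discards a client’s queue whenever its security context ends or is replaced, is the defence this model assumes, not a description of Peplink’s fix.

```python
"""Toy model of an access point's per-client transmit queue (added example).

Not Peplink code and not the paper's code: MAC address, keys and payloads
below are constructed sample values. The model only captures the abstract
behaviour the page describes: frames for a client are buffered while the
AP believes the client is in power-save mode and are released under
whatever security context is current when the client wakes up.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

VICTIM_MAC = "02:00:00:00:00:01"   # constructed sample address
VICTIM_KEY = "K_victim"            # stands in for the victim's pairwise key
ATTACKER_KEY = "K_attacker"        # stands in for the attacker's own pairwise key


@dataclass
class Client:
    mac: str
    key: str                 # pairwise key negotiated at association
    power_save: bool = False


class AccessPoint:
    """AP with one transmit queue per associated MAC address.

    flush_on_context_change=False reproduces the weakness: a MAC's queue
    survives deauthentication and re-association, so buffered frames are
    sent under the key of whoever holds that MAC next.
    flush_on_context_change=True is the assumed defence: the queue is
    discarded whenever the client's security context ends or changes.
    """

    def __init__(self, flush_on_context_change: bool) -> None:
        self.flush_on_context_change = flush_on_context_change
        self.clients: Dict[str, Client] = {}
        self.queues: Dict[str, Deque[bytes]] = {}
        # (key the frame was protected with, payload), in transmission order
        self.transmitted: List[Tuple[str, bytes]] = []

    def associate(self, mac: str, key: str) -> None:
        if self.flush_on_context_change:
            self.queues.pop(mac, None)
        self.clients[mac] = Client(mac, key)
        self.queues.setdefault(mac, deque())

    def deauthenticate(self, mac: str) -> None:
        self.clients.pop(mac, None)
        if self.flush_on_context_change:
            self.queues.pop(mac, None)
        # vulnerable variant: the queue for this MAC is left intact

    def power_save(self, mac: str, sleeping: bool) -> None:
        """Power-management bit seen in a frame carrying this source MAC.

        Acted on without authentication (model assumption), which is why an
        attacker spoofing the victim's MAC can put the victim 'to sleep'.
        """
        client = self.clients.get(mac)
        if client is None:
            return
        client.power_save = sleeping
        if not sleeping:
            self._drain(client)

    def forward_to_client(self, mac: str, payload: bytes) -> None:
        """Frame arriving from the wired side, destined to an associated client."""
        client = self.clients.get(mac)
        if client is None:
            return                       # no association: frame dropped
        if client.power_save:
            self.queues[mac].append(payload)
        else:
            self._transmit(client, payload)

    def pending(self, mac: str) -> int:
        return len(self.queues.get(mac, ()))

    def _drain(self, client: Client) -> None:
        queue = self.queues.get(client.mac)
        while queue:
            self._transmit(client, queue.popleft())

    def _transmit(self, client: Client, payload: bytes) -> None:
        # the frame is protected with the key of the *current* association
        self.transmitted.append((client.key, payload))


def run_context_override(hardened: bool) -> List[Tuple[str, bytes]]:
    """Section 5 scenario: what leaves the AP, and under which key."""
    ap = AccessPoint(flush_on_context_change=hardened)
    ap.associate(VICTIM_MAC, VICTIM_KEY)
    ap.power_save(VICTIM_MAC, sleeping=True)        # 1. spoofed power-save
    ap.forward_to_client(VICTIM_MAC, b"session-cookie=abc123")  # 2. buffered
    ap.deauthenticate(VICTIM_MAC)                    # 3. victim forced off
    ap.associate(VICTIM_MAC, ATTACKER_KEY)           # 4. same MAC, attacker's key
    ap.power_save(VICTIM_MAC, sleeping=False)        # 5. queue released
    return ap.transmitted


def run_disruption(frames: int = 3) -> int:
    """Section 4 scenario: spoofed power-save starves the victim of traffic."""
    ap = AccessPoint(flush_on_context_change=True)
    ap.associate(VICTIM_MAC, VICTIM_KEY)
    ap.power_save(VICTIM_MAC, sleeping=True)
    for i in range(frames):
        ap.forward_to_client(VICTIM_MAC, b"frame-%d" % i)   # constructed frames
    return ap.pending(VICTIM_MAC)   # nothing reaches the victim while it "sleeps"


if __name__ == "__main__":
    print(run_context_override(hardened=False))  # [('K_attacker', b'session-cookie=abc123')]
    print(run_context_override(hardened=True))   # []
    print(run_disruption())                      # 3
```

In the vulnerable run the queued frame leaves the AP under `K_attacker`; in the hardened run it never leaves at all, because deauthentication discarded it. `run_disruption` shows the Section 4 effect on its own: for as long as the spoofed power-save state stands, every frame for the victim accumulates in the queue. Management Frame Protection, one of the mitigations Peplink lists, blocks the forged deauthentication used in step 3 of this scenario; higher-layer encryption does not stop the frame from being released, it only ensures that what the attacker obtains is ciphertext.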

Mitigations

To prevent this attack, Peplink recommends separating trusted and untrusted WLAN clients by placing them on different SSIDs and VLANs; enabling Management Frame Protection (802.11w), which stops an attacker from forging the deauthentication frames used to disconnect the victim; and using higher-layer encryption such as TLS and HTTPS, so that any frame the attacker does obtain exposes only ciphertext rather than sensitive information. Note that higher-layer encryption does not keep frames from being leaked; it limits what an attacker can learn from them.