Check Point Response to Wi-Fi FragAttacks in Quantum Spark appliances

Cause

Several CVEs were published on Wi-Fi devices under the name FragAttacks. More information about them can be found at: <https://www.fragattacks.com/&gt;

The list of new CVEs related to wireless security flaws with fragmented and aggregated frames, is relevant to Check Point Quantum Spark wireless products. All of the vulnerabilities are in the wireless medium and therefore require physical proximity to the appliance and can not be exploited just from any network.

These are the relevant CVEs:
CVE-2020-24586 – Not clearing fragments from memory when (re)connecting to a network
CVE-2020-26144 – Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network)
CVE-2020-26145 – Accepting plaintext broadcast fragments as full frames (in an encrypted network)
CVE-2020-26146 – Reassembling encrypted fragments with non-consecutive packet numbers
CVE-2020-26147 – Reassembling mixed encrypted/plaintext fragments
CVE-2020-24587 – Reassembling fragments encrypted under different keys
CVE-2020-24588 – Accepting non-SPP A-MSDU frames
CVE-2020-26139 – Forwarding EAPOL frames even though the sender is not yet authenticated
CVE-2020-26140 – Accepting plaintext data frames in a protected network
CVE-2020-26141 – Not verifying the TKIP MIC of fragmented frames
CVE-2020-26143 – Accepting fragmented plaintext data frames in a protected network

Solution

This problem was fixed. The fix is included in:

• R77.20.87 Build 990172913 for 700/900/1400 Appliances
• R80.20.25 Build 992002136 for 1500 Appliances
• R80.20.30 for Quantum Spark Appliances
  Note: The R77.20.87 and R80.20.25 fixes are Jumbo Hotfixes based on the latest Jumbo release.
  The sequence number is different because it is a different branch (until a new public jumbo GA will be available).

Check Point recommends to always upgrade to the most recent version (700 / 1400 / 1500).