The worst of the design flaws allows an aggregation attack in which an attacker can inject extra packets into WLAN frames. A victim is tricked into accessing the attacker’s machine on the internet side, or the victim’s access point contains a vulnerability that allows forwarding EAPOL frames. The attack then modifies the victim’s DNS configuration by sending an ICMPv6 router advertisement.
The fragmentation design flaws allow frame fragments to be reassembled incorrectly. At present these two vulnerabilities are not practical to exploit, because they require that the client use fragmentation, which is not that common. However, fragmentation is used with Wi-Fi 6.
Four of the nine implementation flaws involve sending plain text frames into an encrypted network. One of the implementation flaws is similar to a CVE discovered by Synopsys using Defensics test suites. The particular USB dongle in which a vulnerability was found contained the same chipset used in the access points Synopsys tested. This highlights the complexity of WLAN and how many devices there are out there. When Synopsys found these plain text vulnerabilities, the main focus was on the access point side, and because most access points run Linux, no study was done on Windows Wi-Fi drivers or on the client side.
One of the plain text attacks broadcast fragments that were parsed as full frames in an encrypted network. Another was almost identical: plain text frame fragments were parsed as full frames in an encrypted network. The third plain text attack added an EtherType to an EAPOL frame, which was then handled as an encrypted frame. These plain text attacks are trivial to inject and can be used in exploits.
The remaining five FragAttacks involve mixed fragments (some encrypted and some plain text), processing fragmented frames as full frames, and forwarding EAPOL frames without checking the MIC with the TKIP cipher suite (WPA1). All are severe vulnerabilities, and they warrant an update to the firmware and drivers of wireless LAN equipment.
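The receive-side checks that close the plain text and mixed-fragment cases above can be expressed as a small reassembly state machine. The following is an added example written for this article, not code from Synopsys, from the FragAttacks research, or from any Wi-Fi driver; the `Fragment` fields (`sender`, `seq`, `frag`, `more_frags`, `protected`, `key_id`) are a constructed, simplified stand-in for the real 802.11 header and decryption state, and `key_id` is used here as a stand-in for "decrypted under the same key". It drops plain text frames in a protected network, refuses to mix plain text and encrypted (or differently keyed) fragments in one MSDU, and only delivers a frame once its last fragment has arrived, so a lone fragment is never treated as a full frame.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of an 802.11 receive path (not a real driver API).
# Field names are assumptions that loosely mirror the frame header.
@dataclass
class Fragment:
    sender: str
    seq: int                 # sequence number shared by all fragments of one MSDU
    frag: int                # fragment number, 0-based
    more_frags: bool         # "More Fragments" bit in the frame control field
    protected: bool          # Protected Frame bit: the payload was encrypted
    key_id: Optional[int]    # key the payload was decrypted under; None if plaintext
    payload: bytes


class Reassembler:
    """Defensive fragment reassembly for one receiver."""

    def __init__(self, network_encrypted: bool = True):
        self.network_encrypted = network_encrypted
        self._pending: Dict[Tuple[str, int], List[Fragment]] = {}

    def receive(self, f: Fragment) -> Tuple[str, Optional[bytes]]:
        # Check 1: a plain text frame has no place in an encrypted network.
        if self.network_encrypted and not f.protected:
            return ("drop: plaintext frame in protected network", None)

        key = (f.sender, f.seq)
        if f.frag == 0:
            # First fragment starts a new MSDU; any stale partial is discarded.
            self._pending[key] = []
        elif key not in self._pending:
            return ("drop: fragment without first fragment", None)

        buf = self._pending[key]
        if buf:
            last = buf[-1]
            # Check 2: fragments must arrive in order with no gaps.
            if f.frag != last.frag + 1:
                del self._pending[key]
                return ("drop: out-of-order fragment", None)
            # Check 3: never mix plain text and encrypted fragments, and never
            # mix fragments decrypted under different keys, in one frame.
            if f.protected != last.protected or f.key_id != last.key_id:
                del self._pending[key]
                return ("drop: mixed-key or mixed-encryption fragments", None)
        buf.append(f)

        # Check 4: a fragment with More Fragments set is never a full frame.
        if f.more_frags:
            return ("pending", None)
        data = b"".join(x.payload for x in buf)
        del self._pending[key]
        return ("deliver", data)


def run_demo() -> List[str]:
    """Feed a constructed sequence of fragments through the reassembler."""
    r = Reassembler(network_encrypted=True)
    frames = [
        Fragment("sta1", 1, 0, False, True, 1, b"unfragmented"),   # deliver
        Fragment("sta1", 2, 0, False, False, None, b"plain"),      # drop (plaintext)
        Fragment("sta1", 3, 0, True, True, 1, b"ab"),              # pending
        Fragment("sta1", 3, 1, True, True, 2, b"cd"),              # drop (key changed)
        Fragment("sta1", 4, 0, True, True, 1, b"ab"),              # pending
        Fragment("sta1", 4, 1, False, True, 1, b"cd"),             # deliver b"abcd"
        Fragment("sta1", 5, 1, False, True, 1, b"orphan"),         # drop (no first frag)
    ]
    return [r.receive(f)[0] for f in frames]


if __name__ == "__main__":
    for status in run_demo():
        print(status)
```

The same structure applies on an access point that forwards frames: the reassembled MSDU is only forwarded after check 4 passes, and a frame that fails check 1 or 3 is never handed to the bridge, which is the defensive counterpart of the plain text and mixed-fragment injections described above.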