During the development of the latest Synopsys Defensics® 802.11ac fuzzing test suites, we discovered a vulnerability in a variety of WPA2-enabled devices. This vulnerability allows unencrypted 802.11 data frames from a source with no WPA2 credentials to be sent to a WPA2-protected network and then routed to adjacent networks by the vulnerable WLAN router. By our understanding, this should not happen: an access point on an RSN (WPA2) network is expected to discard data frames that are not protected with the pairwise key negotiated during the 4-way handshake, and forwarding them opens the door to a number of problematic exploit scenarios.
A malicious attacker can send unencrypted packets that the router routes to adjacent networks as regular packets. A response is even sent back, although the response is encrypted. Since the attacker controls what is sent into the network, even the encrypted response packets can reveal information about the applications present or the network layout (for example, whether and how quickly a given host and port answers). We were able to open a UDP port mapping on the router's NAT from the wireless side and then reach the internal host through that mapping from a second machine connected to the WAN port. In other words, an attacker can establish a UDP path from the internet into the local network; the attacker only needs to be in range of the wireless network initially to inject the unencrypted frame. This vulnerability also re-exposes other vulnerabilities that were considered mitigated by the fact that the network is WPA2-protected and therefore not reachable by unauthenticated attackers.
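The check described above, as an added example that is not code from the Synopsys Defensics suites or from this advisory: it builds the kind of frame the test sends (a station-to-AP 802.11 data frame with the Protected Frame bit clear, carrying plaintext LLC/SNAP + IPv4/UDP) and then runs a monitor-side check over captured frames that flags any such unprotected data frame addressed to a WPA2 BSSID and reports the inner destination address and UDP port that a vulnerable router would forward. All MAC addresses, IP addresses, ports and the sample frames are constructed for illustration; on a real test you would feed frames captured in monitor mode (for example from a pcap) into `scan`, and the FCS is omitted because injection drivers normally append it.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable, List, Optional

# 802.11 frame-control constants (frame type Data, flags byte)
TYPE_DATA = 2
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40        # "Protected Frame" bit, set on every WPA2/CCMP data frame
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used here for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + UDP packet. UDP checksum is left as 0, which IPv4 permits."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + udp


def build_sta_to_ap_frame(bssid: str, sa: str, da: str, body: bytes, protected: bool, seq: int = 0) -> bytes:
    """802.11 Data frame, ToDS=1/FromDS=0: Addr1=BSSID, Addr2=SA, Addr3=DA. No FCS."""
    flags = FLAG_TO_DS | (FLAG_PROTECTED if protected else 0)
    fc = bytes([TYPE_DATA << 2, flags])          # protocol version 0, type Data, subtype 0
    return (fc + struct.pack("<H", 0) + mac(bssid) + mac(sa) + mac(da)
            + struct.pack("<H", seq << 4) + body)


@dataclass
class Finding:
    bssid: str
    sa: str
    da: str
    dst_ip: Optional[str]
    udp_dport: Optional[int]


def inspect_frame(frame: bytes, wpa2_bssids: set) -> Optional[Finding]:
    """Flag a station-to-AP data frame addressed to a WPA2 BSSID whose Protected Frame bit is clear."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != TYPE_DATA:
        return None
    subtype, flags = frame[0] >> 4, frame[1]
    if subtype & 0x4:                        # null-function subtypes carry no payload
        return None
    if not (flags & FLAG_TO_DS) or flags & FLAG_FROM_DS:
        return None                          # only traffic toward the AP is of interest
    bssid, sa, da = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    if bssid not in wpa2_bssids or flags & FLAG_PROTECTED:
        return None
    body = frame[26:] if subtype & 0x8 else frame[24:]   # QoS Data adds a 2-byte QoS control field
    dst_ip = dport = None
    if body.startswith(LLC_SNAP_IPV4) and len(body) >= 8 + 20:
        ip = body[8:]
        ihl = (ip[0] & 0xF) * 4
        dst_ip = str(IPv4Address(ip[16:20]))
        if ip[9] == 17 and len(ip) >= ihl + 4:   # UDP: destination port is bytes 2-3 of the UDP header
            dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return Finding(bssid, sa, da, dst_ip, dport)


def scan(frames: Iterable[bytes], wpa2_bssids: set) -> List[Finding]:
    return [f for f in (inspect_frame(x, wpa2_bssids) for x in frames) if f is not None]


# Constructed sample capture (hypothetical addresses): a legitimate encrypted client frame,
# the plaintext probe injected without credentials, and the same probe toward an open network.
AP = "02:00:00:00:aa:01"          # BSSID of the WPA2 network under test
OPEN_AP = "02:00:00:00:bb:01"     # BSSID of an open network, where plaintext is expected
ATTACKER = "02:00:00:00:cc:02"    # spoofed source MAC of the injecting machine
SAMPLE_FRAMES = [
    build_sta_to_ap_frame(AP, "02:00:00:00:dd:03", AP, bytes(8) + bytes(40), protected=True),
    build_sta_to_ap_frame(AP, ATTACKER, AP,
                          LLC_SNAP_IPV4 + ipv4_udp("192.168.1.77", "198.51.100.10", 40000, 5000, b"probe"),
                          protected=False),
    build_sta_to_ap_frame(OPEN_AP, ATTACKER, OPEN_AP,
                          LLC_SNAP_IPV4 + ipv4_udp("192.168.2.5", "198.51.100.10", 40000, 5000, b"x"),
                          protected=False),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FRAMES, {AP}):
        print(f"unencrypted data frame to {f.bssid} from {f.sa}: UDP to {f.dst_ip}:{f.udp_dport}")
```

A vulnerable router forwards the second frame as if it came from an authenticated client, which is what creates the outbound NAT mapping for UDP port 40000 to 198.51.100.10:5000 that the text describes; a correctly behaving AP drops it. The first frame passes because the Protected bit is set, and the third is not a finding because unencrypted frames are normal on an open network.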
We have verified that the vulnerability exists in a wide range of access point devices from various vendors, using a variety of chipsets from different manufacturers. Because we have access to only a limited number of routers and access points, we don't know the exact number of vulnerable devices. We tested around 20 different devices, 8 of which were found to be vulnerable to this issue. So far, we have not found any WPA3-capable access point to have this vulnerability.
The following CVEs are related to this vulnerability:
As of this writing, there are no publicly available firmware updates for any of the routers we tested. Many of the router models that proved vulnerable are older, legacy models, so it is unlikely that all or even many of them will receive patched firmware. In those cases, the best mitigation is to replace the devices.