CVE-2020-26144 MEDIUM

Published: 2021-05-11 | Last Modified: 2026-04-14 | Status: Modified

Description

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first 8 bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.

Additional Descriptions (1)

Se detectó un problema en los dispositivos Samsung Galaxy S3 i9305 versión 4.4.4. Las implementaciones WEP, WPA, WPA2 y WPA3 aceptan tramas A-MSDU de texto plano siempre que los primeros 8 bytes correspondan a un encabezado RFC1042 válido (es decir, LLC/SNAP) para EAPOL. Un adversario puede abusar de esto para inyectar paquetes de red arbitrarios independientemente de la configuración de la red

CVSS Metrics

Base Score: 6.5 (MEDIUM)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector	ADJACENT_NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	NONE
Integrity Impact	HIGH
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 2.8

Impact Score: 3.6

Base Score: 3.3 (LOW)

AV:A/AC:L/Au:N/C:N/I:P/A:N

Access Vector	ADJACENT_NETWORK
Access Complexity	LOW
Authentication	NONE
Confidentiality Impact	NONE
Integrity Impact	PARTIAL
Availability Impact	NONE

Source: [email protected]

Type: Primary

Exploitability Score: 6.5

Impact Score: 2.9

Weaknesses

Source	Type	Description
[email protected]	Primary	en CWE-20

Affected Products

Vendor	Product	Version	Update	Type
samsung	galaxy_i9305_firmware	4.4.4	<built-in method update of dict object at 0x72a9cc625680>	Operating System
arista	c-250_firmware	*	<built-in method update of dict object at 0x72a9b0db7040>	Operating System
arista	c-260_firmware	*	<built-in method update of dict object at 0x72a9b0db5d40>	Operating System
arista	c-230_firmware	*	<built-in method update of dict object at 0x72a9cc627300>	Operating System
arista	c-235_firmware	*	<built-in method update of dict object at 0x72a9cc624280>	Operating System
arista	c-200_firmware	*	<built-in method update of dict object at 0x72a9cc6244c0>	Operating System
arista	c-120_firmware	*	<built-in method update of dict object at 0x72a9b0db5f80>	Operating System
arista	c-130_firmware	*	<built-in method update of dict object at 0x72a9cc7ef680>	Operating System
arista	c-100_firmware	*	<built-in method update of dict object at 0x72a9b0db4780>	Operating System
arista	c-110_firmware	*	<built-in method update of dict object at 0x72a9cc626100>	Operating System
arista	o-105_firmware	*	<built-in method update of dict object at 0x72a9b0c990c0>	Operating System
arista	w-118_firmware	*	<built-in method update of dict object at 0x72a9b0db5100>	Operating System
arista	c-75_firmware	-	<built-in method update of dict object at 0x72a9cc557140>	Operating System
arista	o-90_firmware	-	<built-in method update of dict object at 0x72a9b0794c80>	Operating System
arista	c-65_firmware	-	<built-in method update of dict object at 0x72a9b0794480>	Operating System
arista	w-68_firmware	-	<built-in method update of dict object at 0x72a9b07975c0>	Operating System
siemens	scalance_w700_ieee_802.11ax_firmware	*	<built-in method update of dict object at 0x72a9b0c9b440>	Operating System
siemens	scalance_w700_ieee_802.11n_firmware	*	<built-in method update of dict object at 0x72a9b0db5800>	Operating System

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:samsung:galaxy_i9305_firmware:4.4.4:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:samsung:galaxy_i9305:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-250_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-250:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-260_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-260:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-230_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-230:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-235_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-235:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-200_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-200:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-120_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-120:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-130_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-130:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-100_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-100:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-110_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-110:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:o-105_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:o-105:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:w-118_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:w-118:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-75_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-75:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:o-90_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:o-90:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:c-65_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:c-65:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:arista:w-68_firmware:-:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:arista:w-68:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:scalance_w700_ieee_802.11ax_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:scalance_w700_ieee_802.11ax:-:::::::*`

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:o:siemens:scalance_w700_ieee_802.11n_firmware::::::::`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:h:siemens:scalance_w700_ieee_802.11n:-:::::::*`

References

http://www.openwall.com/lists/oss-security/2021/05/11/12
Source: [email protected]

Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf
Source: [email protected]

Third Party Advisory
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
Source: [email protected]

Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
Source: [email protected]

Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
Source: [email protected]

Third Party Advisory
https://www.fragattacks.com
Source: [email protected]

Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/11/12
Source: af854a3a-2127-422b-91ae-364da2661108

Mailing List Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://www.fragattacks.com
Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory
https://cert-portal.siemens.com/productcert/html/ssa-019200.html
Source: 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e
https://cert-portal.siemens.com/productcert/html/ssa-913875.html
Source: 0b142b55-0307-4c5a-b3c9-f314f3fb7c5e