This Week In Security: Fragattacks, The Pipeline, Codecov, And IPv6

Some weeks are slow, and the picking are slim when discussing the latest security news. This was not one of those weeks.

First up is Fragattacks, a set of flaws in wireless security protocols, allowing unauthenticated devices to inject packets into the network, and in some cases, read data back out. The flaws revolve around 802.11’s support for packet aggregation and frame fragmentation. The whitepaper is out, so let’s take a look.

Fragmentation and aggregation are techniques for optimizing wireless connections. Packet aggregation is the inclusion of multiple IP packets in a single wireless frame. When a device is sending many small packets, it’s more efficient to send them all at once, in a single wireless frame. On the other hand, if the wireless signal-to-noise ratio is less than ideal, shorter frames are more likely to arrive intact. To better operate in such an environment, long frames can be split into fragments, and recombined upon receipt.

There are a trio of vulnerabilities that are built-in to the wireless protocols themselves. First up is CVE-2020-24588, the aggregation attack. To put this simply, the aggregation section of a wireless frame header is unauthenticated and unencrypted. How to exploit this weakness isn’t immediately obvious, but the authors have done something clever.

First, for the purposes of explanation, we will assume that there is already a TCP connection established between the victim and an attacker controlled server. This could be as simple as an advertisement being displayed on a visited web page, or an image linked to in an email. We will also assume that the attacker is performing a Man in the Middle attack on the target’s wireless connection. Without the password, this only allows the attacker to pass the wireless frames back and forth unmodified, except for the aggregation header data, as mentioned. The actual attack is to send a special IP packet in the established TCP connection, and then modify the header data on the wireless frame that contains that packet.

When the victim tries to unpack what it believes to be an aggregated frame, the TCP payload is interpreted as a discrete packet, which can be addressed to any IP and port the attacker chooses. To put it more simply, it’s a packet within a packet, and the frame aggregation header is abused to pop the internal packet out onto the protected network.

The second protocol-level vulnerability is CVE-2020-24587, the mixed key attack. This one is borderline theoretical, as the stars have to align to be able to pull it off. This could be called the cut-and-paste attack. Or if you prefer, “My voice is my passport, verify me.” In a similar vein, a local attacker can mix encrypted packet fragments together, to achieve an unintended combination, like resending login information to an attacker-controlled server.

The final protocol flaw is CVE-2020-24586, the fragment cache attack. This one is a bit different, as it requires full access to the encrypted wireless network ahead of time. The short explanation is that an attacker sends the first fragment of a fragmented frame, specifying the destination IP address, then disconnects. When a victim sends a fragmented message, the attacker makes sure that the first fragment is dropped, and the frame is reassembled from different clients. It’s another hard-to-pull-off attack.

In addition to these three protocol flaws, there are a handful of vendor dependent vulnerabilities, like CVE-2020-26144, where a wireless frame contains multiple aggregated packets, but appears to be initiating a connection handshake. This handshake is expected to be unencrypted, so it’s processed, and faulty logic results in the aggregated packets also being accepted. A network with this flaw can be trivially port scanned, and malicious connections launched, as the attacker can spoof the source IP of those connections with an outside IP he controls.

Silent as an XcodeGhost

Remember XcodeGhost? Quick refresher, it was a repackaging of Xcode, but included malicious code, so that any iOS app it compiled would also contain malware. It was spread by dropping download links on developer forums and the like, and the big sell was that it downloaded much quicker in China. At the time, it was reported to be responsible for 40 malicious apps. Then Qihoo360 suggested that they had found 344 affected apps, and finally FireEye detected over 4000. Apple’s response to this was radio silence. Now, thanks to the Epic Games lawsuit, we have some insight into the incident.

At the time the released emails were written, Apple knew they had 2500 malicious applications on their app store, and about 128 million impacted users. They apparently began the process of contacting the users via email, but opted to back down, and instead post a notice on the Chinese version of their site. It’s interesting to get the inside scoop on this and a few other security problems. Lawsuit discovery has a way of airing out laundry, dirty and otherwise.

Do Not Fill Plastic Bags with Gasoline

Ransomware has obviously been the hottest thing in computer crime in quite a while. It’s kinda rare, though, for a ransomware attack to affect so many people all at once, like the ransomware attack against Colonial Pipeline. Sources have confirmed to multiple outlets that Colonial paid the ransom of 75 bitcoins, or five million US dollars, apparently within hours of the discovery of the ransomware. Even though recovery efforts started right away, the supply of gasoline to the southeastern US was impacted enough to trigger shortages and a bit of panic buying. There’s a lot that’s still unknown about the attack, but everyone seems to agree that the attack was facilitated by DarkSide, a Ransomware as a Service group based in Russia. It’s unclear who actually launched the attack, or how they initially breached the company.

Wormable Windows

A quartet of serious Windows vulnerabilities got patched this Tuesday, with CVE-2021-31166 being the most serious. That one is a problem in the HTTP provider in Windows 10 and an unknown set of the Windows Server versions. Because it’s a 0-click flaw in an often exposed service, this is considered wormable and very important. You might think that your Windows machines are all behind a firewall, so maybe you could let it slide, right? Stick around and we’ll chat about how your firewall might not be as locked down as you think, at the bottom of the article.

CVE-2021-26419 is a flaw in Internet Explorer 9 and 11. It seems that it can be launched simply by viewing a malicious website. On top of that, this one can potentially be triggered from an office document. If you don’t have a good reason to keep IE around, it might be time to uninstall it altogether.


Part of the Codecov system, the Bash Uploader script, was maliciously modified to send environment variables to a remote server. The breech happened as a result of credentials unintentionally included in a Codecov docker image, that allowed an attacker to make changes to the script. Thankfully, there doesn’t seem to have been any further malicious action included in the modified script, but any secrets that get exported as environment variables in your Codecov build process should be considered compromised.

Clever Airtag Hacks

Apple recently announced and released their new Airtag devices, much to the dismay of Tile and the like. The community has already found some interesting uses for the little gadgets, like using them to send information at about 3 bytes per second. Yes, [Fabian Bräunlein] has invented an Airtag powered 24 baud modem. Really, it’s a microcontroller sending Bluetooth Low Energy packets with one of several public keys to the Apple Find My network. The upside is that you could piggyback on everyone else’s iPhones to dribble data from a sensor somewhere with no Wifi or cell connection.

And on the other hand, you might wonder what happens if you use an airtag as a tracking device. Well, curious reader, naturally someone has already sent an Airtag through the mail. It worked every bit as well as you would hope (or fear), giving fairly constant updated on the location of the package. I can’t help but think about the other possible uses. Sending a kid on a field trip? Throw an Airtag in their pocket to know where they are.

IPv6 security

As a new Starlink customer (review coming soon), and consequently using IPv6 for the first time, I’m excited and a bit concerned by IPv6. The excitement should be obvious, but I’m concerned because so many of our security habits and assumptions don’t necessarily translate to IPv6. For example, you probably know exactly what ports, if any, you’re exposing on your public IPv4 address. Have you stopped and thought about what ports are exposed on your IPv6 addresses? Remember that Windows HTTP hack from above? I fully expect to eventually see a worm that replicates over IPv6, though various means.

There are, thankfully, already some IPv6 port scanning services. It might be worth taking a minute to double-check that your IPv6 firewall is working as intended, if you have IPv6 service. IPv6 is working seamlessly enough that your ISP may have rolled out support without you noticing, but if you are concerned with security, you should notice — we’ve all gotten a bit lax, taking IPv4 NAT routing for granted.

26 thoughts on “This Week In Security: Fragattacks, The Pipeline, Codecov, And IPv6

  1. Wouldn’t it be interesting if this was a self imposed attack (approved or not approved) to get insurance money. Since you mention it is rare to attack so many people at once. Maybe someone knew that the company was insured and would pay up quickly: “According to Reuters, Colonial Pipeline has cyber insurance coverage of at least $15 million.”

    1. Supposedly the part of their systems that were affect was used only for payment but they decided to shut down the whole pipeline because they wouldn’t be able to properly charge customers.

      1. I saw that reported on some non-mainstream sites. Quite possibly true. It makes sense, too. Running for a week without being able to bill for the product shipped would probably kill the company.

        1. It makes sense, until you realize the consequences. Your customers, the entire economy is grinding to a halt because you put profit before making good on your promises and agreements. After Texas this seems to be the second time in a short while where the US discovers the downsides of an almost entirely free market and companies pursuing their own interests at any cost.

  2. I’m perfectly fine with fools filling plastic bags with gasoline and putting it in their cars. Fools hoard items of limited supply which generally hurts everyone. What better way to reprimand their bad behavior than by allowing them to suffer the consequence of their own actions?

      1. It is illegal to transport gasoline in any container that isn’t a gas tank or am certified gas jug. Anyone cashier that allowed for that to happen should have been responsible. Had that shit not happened, there may not have been a shortage

        1. As an Oregonian that would sound reasonable locally, but I know for a fact that many states allow people to pump the gas themselves, and furthermore there is no cashier; they insert their credit card directly into the pump. They don’t interact with anybody before they start pumping, and you can’t dump it back into the pump from the plastic bag.

          1. What is it about the simple act of pumping gas that so intimidates the people of Oregon and New Jersey? Seriously. It’s freaking weird.
            I’ve had multiple out-of-town New Jersey residents actually ask me to pump gas for them. Women, sure whatever… But grown men? Is it beneath you or feel dangerous or something?

  3. “Sending a kid on a field trip? Throw an Airtag in their pocket to know where they are.”

    About 8 years ago my parents went on a road trip from CT to Seattle. Dad was 82, with dementia. Mom was 80 and doesn’t drive. I put a SIM in an old iPhone of mine and monitored their progress using Find my iPhone on the iCloud website.

    Two times I checked on them and they seemed lost, and they needed a little assistance.

  4. “It worked every bit as well as you would hope (or fear), giving fairly constant updated on the location of the package. I can’t help but think about the other possible uses. ”

    Cheap way of getting metrics from a logistics network.

        1. I have to say I was rather annoyed at Quintus when he tossed his discus and broke the priceless statue’s nose. I guess he could have been distracted by Melissa if she happened to be in the vicinity.

  5. “the supply of gasoline to the southeastern US was impacted enough to trigger shortages and a bit of panic buying.”

    No, its was panic buying that caused the shortages. The companies responsible for fuel distribution and sales will keep some fairly large buffers on hand to accommodate disruption in supply chains and to avoid price spikes. But when people start hoarding, those buffers get rapidly depleted, which the distribution companies don’t mind so much because then they can jack up the price themselves.

  6. IPv6 allows us to leave behind the awful mess that was NAT. But relying on NAT alone for security was never a good idea. A proper IPv6 firewall is obviously necessary for internet-reachable IPv6 networks, and all of the SoHo routers I’ve seen that support IPv6 have one that blocks everything incoming either by default or with no option to add permitted traffic.

    1. Not sure I’d call NAT a mess at all, just a pain in the arse at times to get working (particularly on the shit network gear ISP’s fob you off with and force you to use). But its highly useful and while it shouldn’t be your only security that element of it has made the grandparents who barely understand anything electronic able to just pay for and plug in with reasonable safety without any understanding.

      IPv6 concerns me for that last reason most of all, the technically competent will hopefully check and manage it properly, but those that just don’t understand tech at all, not just grandparents, though mine are very frustrating to be remote tech support for so sprung to mind, will not. That is potentially every device in their house with no protection at all just asking to be abused by the scumbags on the internet.

  7. Well, pants. I hoped that a petrochemical company would have the balls to deal with the problem themselves. I guess $5m is pretty small for them – cyber insurance to $5m is only about $1k/year.
    Hopefully someone is tracking those 75 bitcoins and will hunt down the perps.

    1. Completely right, but to add to that, many if not most breech-loading guns had at least crude cartridges (some were just prepared packages of paper around the shot and powder).

  8. It’s been known for a very long time that having machines with IPv6 unconfigured is a problem. If you do not have IPv6 deployed and functional at the core of your private/secure network(s) you are vulnerable to a number or attacks. Networks taken over, firewalls/filtering bypassed, all sorts of neat problems. Nothing like seeing a bank without some basic core IPv6 config in place…. 🙂

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.