This document provides further information on the WLAN vulnerabilities listed in the paper "Framing Frames" (CVE-2022-47522).

Our official safety message on this topic is available on our website.

Topic 1: "Overriding the Victims Security Context / MAC address stealing attacks"

This attack scenario can occur in networks where WLAN clients are not allowed to communicate with each other and 802.1X authentication is performed at the same time. A potential attacker must already be authenticated as a participant in the network and thus have access data for the WLAN network.

This exploits the fact that an attacker who is active in the network with the (cloned) MAC address of the victim can obtain certain data packets for the victim (and steal their contents), which would be sent from the infrastructure to the victim via the WLAN. The victim is previously disconnected from the WLAN by means of a deauthentication attack, or attackers can use the victim's MAC address to perform a login at another AP in the network.

LANCOM Systems recommends separating trusted and untrusted WLAN clients by using different SSIDs and VLAN networks (example configuration in a WLAN controller scenario).

Furthermore, in scenarios with a single access point or WLAN router, the attack can be prevented by activating the function "Protected Management Frames" (see reference manuals LCOS or LCOS LX).

Topic 2: "Leaking frames from the Queue"

Due to a weakness in the implementation of some WLAN stacks, a cloned MAC address is used to suggest to the access point that the device is in power-saving mode. The packets withheld by the access point due to power-saving are then delivered unencrypted.

LANCOM WLAN products with LCOS and LCOS LX are not affected by this behaviour.

Topic 3: "Abusing the queue for Network Disruptions"

By means of a cloned MAC address, it is suggested to the access point that the device is in power-saving mode. If this state is not resolved, a denial-of-service attack occurs because the victim can no longer communicate with the access point. This attack is based on an implementation-independent weakness of the 802.11 standard.

LANCOM Systems is looking into implementing further security measures to prevent the basic execution of this attack.