
Preface: A Mesh Basic Service Set (MBSS) is a self-contained wireless network created by a group of interconnected mesh stations (STAs). Each mesh station can act as both an access point and a mesh node, enabling communication and data sharing within the mesh network. The MBSS uses a “mesh profile” to define the network’s characteristics, including a Mesh ID and other parameters. Unlike traditional Wi-Fi setups that rely on a single router, mesh networks create a more resilient, decentralized system.
Background: FragAttacks, short for Fragmentation and Aggregation attacks, are a category of Wi-Fi vulnerabilities that exploit design flaws in how Wi-Fi devices handle data packets. These flaws affect a wide range of Wi-Fi devices, potentially allowing attackers to steal information or disrupt network services.
Vulnerability details: IEEE P802.11-REVme D1.1 through D7.0 allows FragAttacks against mesh networks. In mesh networks using Wi-Fi Protected Access (WPA, WPA2, or WPA3) or Wired Equivalent Privacy (WEP), an adversary can exploit this vulnerability to inject arbitrary frames towards devices that support receiving non-SPP A-MSDU frames. NOTE: this issue exists because of an incorrect fix for CVE-2020-24588. P802.11-REVme, as of early 2025, is a planned release of the 802.11 standard.
Ref: CVE-2020-24588: The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SPP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.
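Added example (not from the advisory or the standard's text): a Python sketch of how the QoS Control field enters the CCMP additional authenticated data (AAD), showing that the A-MSDU Present bit is covered by the integrity check only when both peers advertise SPP A-MSDU (signaling and payload protected A-MSDU). The link names and RSN Capabilities values are constructed samples; the function names are hypothetical.

```python
# Added illustration. Bit positions follow the 802.11 QoS Control and
# RSN Capabilities field layouts; all sample values below are constructed.
TID_MASK = 0x000F                 # QoS Control bits 0-3: traffic identifier
AMSDU_PRESENT = 0x0080            # QoS Control bit 7: A-MSDU Present
RSN_SPP_AMSDU_CAPABLE = 1 << 10   # RSN Capabilities bit 10


def spp_amsdu_in_use(rsn_caps_a: int, rsn_caps_b: int) -> bool:
    """SPP A-MSDU applies only when both peers advertise the capability."""
    return bool(rsn_caps_a & rsn_caps_b & RSN_SPP_AMSDU_CAPABLE)


def qos_control_for_aad(qos_control: int, spp_amsdu: bool) -> bytes:
    """Return the 2-octet QoS Control value as it is fed into the AAD.

    Bits 4-6 and 8-15 are always masked to 0. Bit 7 is kept only when
    SPP A-MSDU is in use; otherwise it is masked to 0 as well.
    """
    mask = TID_MASK | (AMSDU_PRESENT if spp_amsdu else 0)
    return (qos_control & mask).to_bytes(2, "little")


def amsdu_flag_authenticated(qos_control: int, spp_amsdu: bool) -> bool:
    """True if flipping A-MSDU Present changes the authenticated bytes."""
    flipped = qos_control ^ AMSDU_PRESENT
    return (qos_control_for_aad(qos_control, spp_amsdu)
            != qos_control_for_aad(flipped, spp_amsdu))


def audit_links(links):
    """Return the links whose A-MSDU flag is outside the integrity check."""
    return [name for name, a, b in links if not spp_amsdu_in_use(a, b)]


# Constructed sample: (link name, RSN Capabilities of each peer).
SAMPLE_LINKS = [
    ("mesh-a<->mesh-b", 0x0400, 0x0400),  # both SPP A-MSDU capable
    ("mesh-a<->mesh-c", 0x0400, 0x0000),  # only one side capable
    ("mesh-b<->mesh-c", 0x00C0, 0x00C0),  # MFP bits set, SPP A-MSDU not set
]

if __name__ == "__main__":
    for name in audit_links(SAMPLE_LINKS):
        print(f"{name}: A-MSDU Present flag is not authenticated")
```

On the links the audit reports, a frame with the flag set and one with it cleared produce identical AAD bytes, so the receiver's integrity check cannot tell them apart.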
Official announcement: For details, please refer to the link –