Chinese and American researchers from Qinghua and George Mason universities have publicly disclosed a vulnerability in wireless access points that allows attackers to redirect traffic in wireless networks protected by the WPA protocols. The vulnerability has been assigned CVE-2022-256667. By manipulating ICMP packets with the “Redirect” flag, attackers can route a victim's traffic inside the wireless network through their own system. This facilitates interception and tampering of unencrypted sessions, such as requests to sites that do not use HTTPS.
The vulnerability lies in the network processors known as NPUs (Network Processing Units), which perform low-level packet processing in wireless networks. These processors lack proper protection against spoofed ICMP packets that can alter the routing table on the victim's system so that traffic is redirected to the attacker's host. The attack is carried out by sending, on behalf of the access point, an ICMP packet with the “Redirect” flag whose header carries false data. Because of the vulnerability, the access point forwards the message, and the victim's network stack processes it, believing it was sent by the access point.
The researchers also proposed a method to bypass the checks that the end user's system applies to ICMP “Redirect” packets and to alter its routing table. To bypass this filtering, attackers typically first determine an active UDP port on the victim. While on the same wireless network, the attacker can intercept the victim's traffic but cannot decrypt it, since he does not hold the session key used between the victim and the access point. By sending probe packets to the victim and analysing the incoming ICMP replies with the “Destination Unreachable” flag, the attacker can determine an active UDP port. The attacker then forms an ICMP “Redirect” message with fake UDP parameters that reference the identified open UDP port. This corrupts the victim's routing table and redirects the traffic, allowing it to be intercepted in cleartext at the link layer.
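As an added defensive example (not code from the article or the researchers), the following Python snippet inspects IPv4 packets captured on a client and flags the two signals described above: a burst of Port Unreachable replies from the host itself (the UDP port discovery step) and an ICMP Redirect whose new gateway is not the known access point. The addresses and the sample capture are constructed for the test; the helper names are hypothetical.

```python
import struct
import ipaddress
ICMP_REDIRECT, ICMP_DEST_UNREACH, CODE_PORT_UNREACH = 5, 3, 3

def build_ipv4(src, dst, proto, payload):
    # Minimal IPv4 header for constructed test packets (checksum left at 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return ihl, pkt[9], str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))

def inspect(pkt, host_ip, trusted_gateway):
    # Classify one IPv4 packet captured on the host's wireless interface.
    ihl, proto, src, _ = parse_ipv4(pkt)
    if proto != 1:                                   # not ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] == ICMP_REDIRECT:
        new_gw = str(ipaddress.IPv4Address(icmp[4:8]))
        inner = icmp[8:]                             # quoted header of the datagram being redirected
        iihl, iproto, _, _ = parse_ipv4(inner)
        dport = struct.unpack("!H", inner[iihl + 2:iihl + 4])[0] if iproto in (6, 17) else None
        # A redirect steering traffic anywhere but the access point matches the attack
        # described in the article, even when the source address claims to be the AP.
        return {"kind": "redirect", "from": src, "new_gateway": new_gw, "inner_proto": iproto,
                "inner_dport": dport, "suspicious": new_gw != trusted_gateway}
    if icmp[0] == ICMP_DEST_UNREACH and icmp[1] == CODE_PORT_UNREACH and src == host_ip:
        # The host answering a UDP probe; a burst of these is the port-discovery step.
        return {"kind": "port_unreach_reply", "suspicious": False}
    return None

def scan(packets, host_ip, trusted_gateway, probe_threshold=5):
    findings = [f for f in (inspect(p, host_ip, trusted_gateway) for p in packets) if f]
    alerts = [f for f in findings if f["suspicious"]]
    replies = sum(f["kind"] == "port_unreach_reply" for f in findings)
    if replies >= probe_threshold:
        alerts.append({"kind": "udp_port_probe", "count": replies, "suspicious": True})
    return alerts

# Constructed sample capture (hypothetical addresses): the victim answers six UDP probes with
# Port Unreachable, then gets a Redirect "from" the AP naming the attacker as the new gateway.
VICTIM, AP, ATTACKER = "192.168.1.23", "192.168.1.1", "192.168.1.77"
quoted = build_ipv4(VICTIM, "203.0.113.9", 17, struct.pack("!HHHH", 40000, 53, 8, 0))
redirect = build_ipv4(AP, VICTIM, 1, struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0,
                                                 ipaddress.IPv4Address(ATTACKER).packed) + quoted)
unreach = build_ipv4(VICTIM, ATTACKER, 1, struct.pack("!BBHI", ICMP_DEST_UNREACH,
                                                      CODE_PORT_UNREACH, 0, 0) + b"\x45" + bytes(27))
SAMPLE_CAPTURE = [unreach] * 6 + [redirect]
```

On Linux clients, setting the sysctl net.ipv4.conf.all.accept_redirects to 0 makes the kernel ignore ICMP redirects altogether, which removes the routing-table change this attack relies on.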
The findings indicate a severe risk to users of WPA-protected networks, as the vulnerability can compromise network security. Meanwhile, experts recommend that users stick to HTTPS, which significantly reduces their exposure to traffic interception.