CVE-2020-24588

Description

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn't require that the A-MSDU flag in the plaintext QoS header field is authenticated. Against devices that support receiving non-SSP A-MSDU frames (which is mandatory as part of 802.11n), an adversary can abuse this to inject arbitrary network packets.

How to fix CVE-2020-24588

To remediate CVE-2020-24588, upgrade the affected package to a fixed version below.

—no fix listed
—upgrade to 5.10.46-1 or later

Is CVE-2020-24588 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, < 5.10.46-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.5	CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-24588