Zyxel security advisory for FragAttacks against WiFi products
CVE: CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147, CVE-2020-24586, CVE-2020-24587, CVE-2020-24588
Summary
Zyxel is aware of the FRagmentation and AGgregation Attacks against WiFi vulnerability (dubbed “FragAttacks”) and is releasing patches for some vulnerable WiFi products. Users are advised to adopt the applicable firmware updates or follow the advice below for optimal protection.
What is the vulnerability?
The FragAttacks vulnerability was identified in the IEEE 802.11 implementation of de-aggregation and de-fragmentation of frames at the receiver in some WiFi devices. There are twelve CVEs reported by Wi-Fi Alliance®, namely:
- CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
- CVE-2020-26140: Accepting plaintext data frames in a protected network.
- CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
- CVE-2020-26142: Processing fragmented frames as full frames.
- CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
- CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
- CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
- CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
- CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
- CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network.
- CVE-2020-24587: Reassembling fragments encrypted under different keys.
- CVE-2020-24588: Accepting non-SPP A-MSDU frames.
Please refer to the official CVEs for the technical details and severity.
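The fragment-handling entries in the list above (CVE-2020-26140, -26142, -26143, -26146, -26147, -24586 and -24587) each name a check that a receiver skipped. The C example below is added here for illustration and is not Zyxel or chip-vendor code; the struct and function names, and the `key_epoch` counter standing in for "which key decrypted this fragment", are assumptions. It does not cover the A-MSDU, TKIP MIC or EAPOL-forwarding entries.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Per-fragment metadata after decryption. Names are illustrative only. */
struct frag {
    uint16_t seq;        /* sequence number shared by one frame's fragments */
    uint8_t  frag_no;    /* fragment number, starting at 0 */
    bool     more_frags; /* More Fragments flag */
    bool     encrypted;  /* arrived as a protected frame */
    uint32_t key_epoch;  /* assumed counter, bumped on every key install */
    uint64_t pn;         /* CCMP/GCMP packet number */
};

enum verdict { FRAG_OK, FRAG_INCOMPLETE, FRAG_PLAINTEXT, FRAG_KEY_MISMATCH, FRAG_PN_GAP };

/* Decide whether n cached fragments may be reassembled and passed up. */
enum verdict check_reassembly(const struct frag *f, size_t n)
{
    if (n == 0 || f[n - 1].more_frags)
        return FRAG_INCOMPLETE;          /* never treat a fragment as a full frame */
    for (size_t i = 0; i < n; i++) {
        if (f[i].seq != f[0].seq || (size_t)f[i].frag_no != i)
            return FRAG_INCOMPLETE;      /* wrong frame or out-of-order fragment */
        if (i + 1 < n && !f[i].more_frags)
            return FRAG_INCOMPLETE;      /* "last" fragment in the middle */
        if (!f[i].encrypted)
            return FRAG_PLAINTEXT;       /* plaintext or mixed fragments */
        if (f[i].key_epoch != f[0].key_epoch)
            return FRAG_KEY_MISMATCH;    /* fragments under different keys */
        if (i > 0 && f[i].pn != f[i - 1].pn + 1)
            return FRAG_PN_GAP;          /* non-consecutive packet numbers */
    }
    return FRAG_OK;
}

/* Fragment cache; must be emptied on every (re)connect (CVE-2020-24586). */
struct frag_cache { struct frag slot[4]; size_t used; };
void cache_flush(struct frag_cache *c) { memset(c, 0, sizeof *c); }

/* Constructed sample inputs: {seq, frag_no, more_frags, encrypted, key_epoch, pn}. */
const struct frag good[]  = {{7, 0, true, true, 1, 100}, {7, 1, false, true, 1, 101}};
const struct frag mixed[] = {{7, 0, true, true, 1, 100}, {7, 1, false, false, 1, 0}};
const struct frag rekey[] = {{7, 0, true, true, 1, 100}, {7, 1, false, true, 2, 101}};
const struct frag gap[]   = {{7, 0, true, true, 1, 100}, {7, 1, false, true, 1, 105}};

int main(void) { return check_reassembly(good, 2) == FRAG_OK ? 0 : 1; }
```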
It is important to note that exploiting these weaknesses is not a trivial task. Specifically, an attacker has to be physically within the wireless range of the vulnerable device, obtain a man-in-the-middle position, and entice user interaction to get the user to click or visit a compromised website. According to Wi-Fi Alliance®, there is currently no evidence of the vulnerabilities being used maliciously against WiFi users.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the affected model list. We are already working with WiFi chip vendors to prepare the patches and will continue to update the advisory as additional information becomes available. We urge users to install the applicable updates when available for optimal protection.
Please note that the table in the link provided does NOT include customized models for internet service providers (ISPs).
If you are an ISP, please contact your Zyxel sales or service representative for further details.
If you are an end-user who received your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.
If you are an end-user who purchased your Zyxel device yourself, please contact your local Zyxel support team or comment below for further assistance.
For those vulnerable products with chips and drivers no longer supported by WiFi chip vendors, we recommend that users follow the general security practices below or upgrade their models.
1. Always use HTTPS to connect to websites and be aware of suspicious links.
2. Do not connect to unprotected public WiFi networks.
3. Enable firewall rules on the affected device or its connected gateway/firewall, if any.
4. Enable WPA3-Enterprise to protect your WiFi network, if supported.
5. Use EAP-TLS, PEAP, or TTLS to authenticate a user’s identity, if supported.
Got a question?
Please contact your local service rep or comment below.
Revision history
2021-05-12: Initial release.
2021-05-17: Updated the vulnerability description, general security practices, and the patch plan of CPE.
2021-06-11: Updated the vulnerability description and the affected model list and patch plan of CPE, WiFi system and firewalls.
2021-08-04: Updated the patch plan of access points as we’re still seeking support from our chip vendor.
2021-08-19: Updated the patch plan of firewalls, ONTs, home routers, and wireless extenders.
2021-09-01: Updated the patch plan of WiFi system, home routers, and wireless extenders.
2021-11-09: Updated the patch plan of access points, CPE, ONTs, WiFi system, and wireless extender.
Comments
-
Lots of asterisks on the availability. No explaining rows on the paper. And no link to the advisory page...
-
Hi mMontana,
Thanks for feedback. If you have product related to CPE / ONT / 5G NR / 4G LTE CPE, please contact local support for further assistance. About AP / Firewall / WiFi system / Home router / Wireless extender, will update table info when firmware is available.
For more security advisories info, you can click "Security Advisories" on title bar.
Or you can go to https://www.zyxel.com and click support > security advisories to get more detail information.
-
Hi @Zyxel_Carter well... Maybe I am wrong, but I don't find so satisfying the way Zyxel is managing the security advisories publication. I mean... Two pages... the one you suggested for the consultation. And... the "classical one" which reports a lot less about devices involved. It's quite difficult to reach the classical one, also, maybe because the goal is to give more visibility to the community one but... Why two pages? I beg your pardon... Three pages. I forgot the one with the product details. Only available on community publication. Why different content (and lacks of important details into one)? It seems not easy to understand to me. No harsh feeling intended.
-
It's August. Several products were stated as "hotfix available in July"*. The annoying asterisk who tells you "but not your download". Can Zyxel please explain why if firewalls Working Firmwares (supported but not released as public, quite) are publicly available via community posts, hotfixes for AP vulnerabilities are not?
-
17 days later, still "To be updated" on the list of vulnerable devices. And still no patches. It's quite exhausting... 15 NWA-1123v2 could be shut down due to still lacking of solution of this vulnerability, only for comply to the reaction for the issue. Which was public-available from May, and 100 days later is still open... Moreover, vulnerability was discovered 9 months before by the security researcher, and was "theorized" during KRACK paper writing, dated 2017. I know the pool of the attacks is wide, not all have the same level of risk and a lot of devices are not vulnerable to more than 2 or 3 on the dozen of presented, but IMVHO network ICS producers should have solved the issue...
-
Hi,
Sorry for causing your inconvenience, we're keeping contact and pushing the Chip Vendor to make sure the patch can be released as soon as possible.
Although the FragAttack is a well-known issue, it still requires specific conditions like "Man-in-the-Middle" (MITM) which is hard to achieve in real life. So you can keep using these APs while following our guidelines above to set strong security settings for your SSIDs and network.
Best Regards,
Richard
-
Are we customers receiving updates for the issues before January 2022?
-
Still no ETA available for NWA 5123 AC and NWA 1123 AC v2?
-
Hi mMontana:
We're constantly pushing the Chipset Vendor about the fixed patch. And we're also waiting for their feedback.
Once we get the update, we'll upload the patch on our website ASAP.
Best Regards,
Richard
-
soooooooooooo saaaaaaaaaad... (and unpatched)