Zyxel security advisory for FragAttacks against WiFi products

Zyxel_Carter Posts: 29  Admin
edited June 15 in Security Advisories

CVE: CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147, CVE-2020-24586, CVE-2020-24587, CVE-2020-24588


Zyxel is aware of the FRagmentation and AGgregation Attacks against WiFi vulnerability (dubbed “FragAttacks”) and is releasing patches for some vulnerable WiFi products. Users are advised to adopt the applicable firmware updates or follow the advice below for optimal protection.

What is the vulnerability?

The FragAttacks vulnerability was identified in the IEEE 802.11 implementation of de-aggregation and de-fragmentation of frames at the receiver in some WiFi devices. There are twelve CVEs reported by Wi-Fi Alliance®, namely:
  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.

  • CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network
  • CVE-2020-24587: Reassembling fragments encrypted under different keys

Please refer to the official CVEs for the technical details and severity.

It is important to note that exploiting these weaknesses is not a trivial task. Specifically, an attacker has to be physically within the wireless range of the vulnerable device, obtain a man-in-the-middle position, and entice user interaction to get the user to click or visit a compromised website. According to Wi-Fi Alliance®, there is currently no evidence of the vulnerabilities being used maliciously against WiFi users.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the affected model list. We are already working with WiFi chip vendors to prepare the patches and will continue to update the advisory as additional information becomes available. We urge users to install the applicable updates when available for optimal protection.

For those vulnerable products with chips and drivers no longer supported by WiFi chip vendors, we recommend that users follow the general security practices below or upgrade their models.

1. Enable WPA2/WPA3 for wireless connections.

2. Use strong, unique connection passwords for every service set identifier (SSID) and change them regularly.

3. Enable firewall rules on the affected device or its connected gateway/firewall, if any.

Got a question?

Please contact your local service rep or comment as below.

Revision history

2021-5-12: Initial release

2021-05-17: Updated the vulnerability description, general security practices, and the patch plan of CPE

2021-06-11: Updated the vulnerability description and the affected model list and patch plan of CPE, WiFi system and firewalls.


  • mMontana
    mMontana Posts: 168  Master Member
    edited May 12
    Lots of asterisks on the availability. No explaining rows on the paper.
    And no link to the advisory page...
  • Zyxel_Carter
    Zyxel_Carter Posts: 29  Admin
    edited May 13
    Hi mMontana,

    Thanks for feedback.

    If you have product related to CPE / ONT / 5G NR /4G LTE CPE, please content local support for further assistance.

    About AP / Firewall / WiFi system / Home router / Wireless extender, will update table info when firmware is available.

    For more security advisories info, you can click "Security Advisories" on title bar

    Or you can go to https://www.zyxel.com and click support > security advisories to get more detail information.

  • mMontana
    mMontana Posts: 168  Master Member
    edited May 31
    Hi @Zyxel_Carter well... Maybe I am wrong, but i don't find so satisfying the way Zyxel is managing the security advisories pubblication.
    I mean..
    Two pages...
    the one you suggested for the consultation.
    the "classical one" which report a lot less about devices involved.
    It's quite difficult to reach the classical one, also, maybe because the goal is to give more visibility to the community one but...

    Why two pages? I beg your pardon...
    Three pages. I forgot the one with the product details.
    Only available on community pubblication.
    Why different content (and lacks of important details into one)?

    It seems not easy to understand to me.
    No harsh feeling intended :)

Sign In to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click on this button!