Zyxel security advisory for the key management vulnerabilities of WPA2 protocol

Zyxel_Admin Posts: 26  Freshman Member
edited March 2018 in Smart Home Product

Zyxel is aware of the recently found key management vulnerabilities of the WiFi Protected Access II (WPA2) security protocol, as identified in US-CERT vulnerability note VU#228519 with the vulnerability IDs listed in table 1.

What are the vulnerabilities?

These vulnerabilities affect wireless products that connect to WiFi networks in different ways, depending on the role of products as WiFi clients or servers, as described in table 1 below.

Table 1

Type of attack


Devices impacted

4-way handshake


WiFi clients

Group-key handshake







WiFi clients

802.11r Fast-BSS Transition (FT)


Access points

Peer-key handshake



WiFi clients

It is important to note that an attacker has to be physically nearby and is within the wireless range to exploit these weaknesses.

Please see: https://www.krackattacks.com/#details for more technical information.

How are Zyxel resolving the vulnerabilities?

At Zyxel we treat security as a top priority and we have conducted a thorough investigation and identified a list of vulnerable products within their warranty and support period, as shown in table 2 below. For products not listed, they are not affected to the attacks either because they are not designed to act as WiFi clients, do not support 802.11r Fast-BSS Transition handshake, or do not support peer-key handshake by default.

We are now co-working with WiFi chipset vendors to create a solution, and the patch firmware will be available in the next few weeks or even sooner, provided WiFi chipset vendors will release their patches much earlier.

Please refer to table 2 for the detailed release schedule.

Table 2

Devices ImpactedSeries/ModelHotfix availabilityStandard Availability
WiFi ClientsNWA1100-NH31-Dec 2017Feb 2018
WAP6405N/A1-Nov 2017
WAP6804N/A6-Nov 2017
WAP680616-Nov 2017Feb 2018
WRE220617-Nov 2017Feb 2018
WRE6505 v216-Nov 2017Jan 2018
WRE660630-Nov 2017Feb 2018
Cam3115N/AFeb 2018
NBG-418n v217-Nov 2017Dec 2017
NBG651517-Nov 2017Jan 2018
WAP3205 v3N/ADec 2017
WRE6505 v130-Nov 2017N/A
WRE2205 v215-Dec 2017N/A
Access PointsNWA5301-NJ16-Nov 2017*Feb 2018
NWA5123-AC16-Nov 2017*Feb 2018
WAC6103D-I16-Nov 2017*Feb 2018
WAC6500 series16-Nov 2017*Feb 2018

* The above Access Points (NWA5301-NJ, NWA5123-AC, WAC6103D-I, WAC6500 series) are only affected when managed by NXC2500/5500 with 802.11r enabled. Note that when the mentioned Access Points in standalone mode are not affected because 802.11r is not supported in this mode and therefore, there is no hotfix/solution required. So the available hotfix we release is for NXC2500/NXC5500.

Please click on the link below to download the hotfix for NXC2500/NXC5500.

Download hotfix for NXC2500

Download hotfix for NXC5500

What should I do now to protect myself against the vulnerabilities?

As mentioned previously - It is important to note that an attacker has to be physically nearby and is within the wireless range to exploit these weaknesses. As our business class Access Points support the 802.11r Fast-BSS Transition (FT) handshake, devices supporting this feature are listed in the vulnerability list (table 2). By default, the 802.11r is not enabled in Zyxel Products or Controllers; and the majority of Zyxel customers will not be affected.

For customers who have enabled 802.11r, who are concerned about the security risks, they should disable the 802.11r feature to prevent an attack from taking place. Once the Hotfix has been released, clients wishing to use the 802.11r feature are advised to update as soon as possible to ensure the vulnerability does not affect the security of their network.

For more information and technical details regarding the vulnerabilities please see below references:

1.      US-CERT VU note: https://www.kb.cert.org/vuls/id/228519/

2.      Disclosure by Mathy Vanhoef of imec-DistriNet of KU Leuven: https://www.krackattacks.com/

Please contact your local service representatives if you require further information or assistance. To report a vulnerability, please contact security@zyxel.com.tw

Zyxel will update this advisory when more information is available. 

20 October 2017, Zyxel Home forum team


  • Beat19
    Beat19 Posts: 6  Freshman Member

    You have just modified this list and removed the entry for "NWA1120 series".

    There hasn't been a firmware update.

    What is the reason behind that? Is it not vulnerable anymore? ...all of a sudden? Or just no longer supported?

  • Zyxel_Kelly
    Zyxel_Kelly Posts: 40  Freshman Member
    edited October 2017

    Thanks for your post.
    Currently NWA1123-AC Pro and NWA1123-AC V2 are not affected to the attacks because they are not designed to act as WiFi clients and do not support 802.11r Fast-BSS Transition handshake, therefore "NWA1120 series" be removed from list.

    If you have other questions of WLAN product, you can post on Zyxel Biz WLAN Forum as below:

  • Beat19
    Beat19 Posts: 6  Freshman Member

    @Zyxel_Kelly Thank you for the update. Can you confirm that NWA1123-AC (V1) is not affected either?

  • Zyxel_Kelly
    Zyxel_Kelly Posts: 40  Freshman Member
    @Beat19 ,

    Thank you so much for all your feedback on this event.
    NWA1123-AC(V1) is only affected with client mode,
    and this was an EOL (End of Life) product and no plan to have further software maintenance,
    therefore we suggest not using client mode on NWA1123-AC(V1)  to be free from these vulnerabilities.
  • Beat19
    Beat19 Posts: 6  Freshman Member


    Thank you for taking your time to respond to my questions. NWA1123-AC (v1) is the product that I am using.

    I had no idea it was EOL. Could you please point me to the EOL announcement for this specific product?

    It's not mentioned on the most recent EOL list (listing products from almost the past decade) either: http://static.us.zyxel.com/pdf/2017/zyxel_EOL_list_10_2017.pdf

    I appreciate your support.

  • Zyxel_Kelly
    Zyxel_Kelly Posts: 40  Freshman Member

    There are different phases of EOL(end of life), the document you saw is end of life.

    Before the product end of life, we will end of software maintenance,

    The NWA1123-AC (v1) reaches end of end of software maintenance, not end of life.

    Zyxel fully understand your concern, we will provide a hotfix of NWA1123-AC (v1) and let you know once we release.

    If you have other questions of WLAN product, you can post on Zyxel Biz WLAN Forum as below:

    Thank you for using Zyxel :)

This discussion has been closed.

Consumer Product Help Center