Zyxel security advisory for FragAttacks against WiFi products

CVE: CVE-2020-26139, CVE-2020-26140, CVE-2020-26141, CVE-2020-26142, CVE-2020-26143, CVE-2020-26144, CVE-2020-26145, CVE-2020-26146, CVE-2020-26147, CVE-2020-24586, CVE-2020-24587, CVE-2020-24588

Summary

Zyxel is aware of the FRagmentation and AGgregation Attacks against WiFi vulnerability (dubbed “FragAttacks”) and is releasing patches for some vulnerable WiFi products. Customers are advised to adopt the applicable firmware updates or follow the advice below for optimal protection.

What's the vulnerability?

The FragAttack vulnerability was identified in the IEEE 802.11 implementation of de-aggregation and de-fragmentation of frames at the receiver in some WiFi devices. There are twelve CVEs reported by Wi-Fi Alliance®, namely:

  • CVE-2020-26139: Forwarding EAPOL frames even though the sender is not yet authenticated (should only affect APs).
  • CVE-2020-26140: Accepting plaintext data frames in a protected network.
  • CVE-2020-26141: Not verifying the TKIP MIC of fragmented frames.
  • CVE-2020-26142: Processing fragmented frames as full frames.
  • CVE-2020-26143: Accepting fragmented plaintext data frames in a protected network.
  • CVE-2020-26144: Accepting plaintext A-MSDU frames that start with an RFC1042 header with EtherType EAPOL (in an encrypted network).
  • CVE-2020-26145: Accepting plaintext broadcast fragments as full frames (in an encrypted network).
  • CVE-2020-26146: Reassembling encrypted fragments with non-consecutive packet numbers.
  • CVE-2020-26147: Reassembling mixed encrypted/plaintext fragments.
  • CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network.
  • CVE-2020-24587: Reassembling fragments encrypted under different keys.
  • CVE-2020-24588: Accepting non-SPP A-MSDU frames.

Please refer to the official CVEs for the technical details and severity.
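
Several of the CVEs above describe checks that a receiver skips while reassembling fragments. The C code below is an added example, not Zyxel or chip-vendor code: a single-entry reassembly cache that enforces those checks on the receive path. The struct layouts, the key_epoch counter and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Added illustration; every name here is hypothetical, not Zyxel or chip-vendor code. */
struct frag {              /* one received fragment, header already parsed */
    uint16_t seq;          /* 802.11 sequence number shared by all fragments */
    uint8_t  frag_no;      /* fragment number, 0 for the first fragment */
    bool     more;         /* More Fragments bit */
    bool     encrypted;    /* frame was protected and decrypted successfully */
    uint32_t key_epoch;    /* assumption: counter bumped on every key install */
    uint64_t pn;           /* CCMP/GCMP packet number */
};

struct reasm {             /* single-entry reassembly cache for one sender */
    bool active, encrypted;
    uint16_t seq;
    uint8_t next_frag;
    uint32_t key_epoch;
    uint64_t last_pn;
};

enum verdict { FRAG_DROP, FRAG_HELD, FRAG_COMPLETE };
/* Call on every (re)association so stale fragments never survive (CVE-2020-24586). */
void reasm_reset(struct reasm *r) { memset(r, 0, sizeof *r); }

enum verdict reasm_accept(struct reasm *r, const struct frag *f, bool protected_net)
{
    if (protected_net && !f->encrypted) {        /* CVE-2020-26140, -26143 */
        reasm_reset(r);
        return FRAG_DROP;
    }
    if (f->frag_no == 0) {
        if (!f->more)
            return FRAG_COMPLETE;                /* unfragmented frame */
        *r = (struct reasm){ true, f->encrypted, f->seq, 1, f->key_epoch, f->pn };
        return FRAG_HELD;
    }
    bool ok = r->active && f->seq == r->seq && f->frag_no == r->next_frag
        && f->encrypted == r->encrypted                       /* CVE-2020-26147 */
        && (!f->encrypted || (f->key_epoch == r->key_epoch    /* CVE-2020-24587 */
                              && f->pn == r->last_pn + 1));   /* CVE-2020-26146 */
    if (!ok || !f->more) {
        reasm_reset(r);
        return ok ? FRAG_COMPLETE : FRAG_DROP;
    }
    r->next_frag++;
    r->last_pn = f->pn;
    return FRAG_HELD;
}
```

Any failed check discards the whole partial frame rather than only the offending fragment, so a later fragment cannot be joined to data cached before the failure.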

It is important to note that exploiting these weaknesses is not a trivial task. Specifically, an attacker has to be physically within wireless range of the vulnerable device, obtain a man-in-the-middle position, and rely on user interaction, such as getting the user to click or visit a compromised website. According to Wi-Fi Alliance®, there is currently no evidence of the vulnerabilities being used maliciously against WiFi users.

What versions are vulnerable—and what should you do?

After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the table below. We are already working with WiFi chip vendors to prepare the patches and will continue to update the advisory as additional information becomes available. We encourage customers to install the applicable updates when available for optimal protection.

Please note that the table does NOT include customized models for internet service providers (ISPs).

| Affected series/models | Patch available in |
|---|---|
| 5G NR/4G LTE CPE | |
| LTE3202-M430 | Patch not supported. Please follow the general security practices |
| LTE3202-M437 | To be updated |
| LTE3301-M209 | Patch not supported. Please follow the general security practices |
| LTE3302-M432 | Patch not supported. Please follow the general security practices |
| LTE3316-M604(v1) | Patch not supported. Please follow the general security practices |
| LTE3316-M604(v2) | To be updated |
| LTE4506-M606 | Patch not supported. Please follow the general security practices |
| LTE5366 | Patch not supported. Please follow the general security practices |
| LTE5388-M804 | V1.00(ABSQ.3)C0 in Dec 2021 |
| LTE5388-S905 | V1.00(ABVI.5)C0 in Q4 2021* |
| LTE7240-M403 | V2.00(ABMG.4)C0 in Dec 2021 |
| LTE7461-M602 | V2.00(ABQN.4)C0 in Q4 2021* |
| LTE7480-M804 | V1.00(ABRA.3)C0 in Dec 2021 |
| LTE7480-S905 | V2.00(ABQT.5)C0 in Q4 2021* |
| LTE7485-S905 | V1.00(ABVN.5)C0 in Q4 2021* |
| LTE7490-M904 | V1.00(ABQY.3)C0 in Dec 2021 |
| NR2101 | V1.00(ABUS.5)C0 in Q4 2021* |
| NR5101 | V1.00(ABVC.3)C0 in Q4 2021* |
| NR7101 | V1.00(ABUV.4)C0 in Q4 2021* |
| WAH7601 | To be updated |
| WAH7608 | To be updated |
| WAH7706 | Patch not supported. Please follow the general security practices |
| CPE | |
| AMG1302-T11C | V3.00(ABCG.14)C0 in Q4 2021* |
| DX4510-B0 | V5.17(ABYL.0)C0 in Q2 2021* |
| DX3301-T0 | V5.50(ABVY.1)C0 in Q3 2021* |
| DX5301-B3 | V5.17(ABUL.1)C0 in Q4 2021* |
| DX5401-B0 | V5.17(ABYO.1)C0 in Q3 2021* |
| EMG1702-T10A | V1.00(ABNZ.1)C0 in Q4 2021* |
| EMG3425-Q10A | Patch not supported. Please follow the general security practices |
| EMG3524-T10A | V5.41(ABXU.1)C0 in Q3 2021* |
| EMG3525-T50B | EMEA: V5.50(ABPM.6)C0 in Q3 2021*; S. America: V5.50(ABSL.0)C0 in Q3 2021* |
| EMG5523-T50B | EMEA: V5.50(ABPM.6)C0 in Q3 2021*; S. America: V5.50(ABSL.0)C0 in Q3 2021* |
| EMG5723-T50K | V5.50(ABOM.7)C0 in Q3 2021* |
| EMG6726-B10A | V5.13(ABNP.6)C0 in Q3 2021* |
| EMG8726-B50A | V5.13(ABNP.6)C0 in Q3 2021* |
| EX3301-T0 | V5.50(ABVY.1)C0 in Q3 2021* |
| EX3510-B0 | V5.17(ABUP.3)C0 in Mar 2021* |
| EX5300-B3 | V5.17(ABUL.1)C0 in Q4 2021* |
| EX5301-B3 | V5.17(ABUL.1)C0 in Q4 2021* |
| EX5401-B0 | V5.17(ABYO.1)C0 in Q3 2021* |
| EX5501-B0 | V5.15(ABRY.2)C0 in Q3 2021* |
| EX5510-B0 | V5.15(ABQX.5)C0 in Q4 2021* |
| P-660HN-51 | Patch not supported. Please follow the general security practices |
| VMG1312-T20B | V5.50(ABSB.5)C0 in Q3 2021* |
| VMG3625-T50B | V5.50(ABPM.6)C0 in Q3 2021* |
| VMG3927-B50A_B60A | V5.17(ABMT.6)C0 in Q3 2021* |
| VMG3927-B50B | V5.13(ABLY.6)C0 in Q3 2021* |
| VMG3927-T50K | V5.50(ABOM.7)C0 in Q3 2021* |
| VMG4927-B50A | V5.13(ABLY.6)C0 in Q3 2021* |
| VMG8623-T50B | V5.50(ABPM.6)C0 in Q3 2021* |
| VMG8825-B50A_B60A | V5.17(ABMT.6)C0 in Q3 2021* |
| VMG8825-Bx0B | V5.17(ABNY.7)C0 in June 2021* |
| VMG8825-T50K | V5.50(ABOM.7)C0 in Q3 2021* |
| VMG8924-B10D | V5.13(ABGQ.8)C0 in Q4 2021* |
| VMG9827-B50A | V5.13(ABLY.6)C0 in Q3 2021* |
| XMG3927-B50A | V5.17(ABMT.6)C0 in Q3 2021* |
| XMG8825-B50A | V5.17(ABMT.6)C0 in Q3 2021* |
| ONT | |
| AX7501-B0 | V5.17(ABPC.1)C0 in Q3 2021* |
| PMG5317-T20B | V5.40(ABKI.4) in Q3 2021* |
| PMG5617GA | V5.40(ABNA.2) in Q3 2021* |
| PMG5622GA | V5.40(ABNB.2) in Q3 2021* |
| PMG5705-T10A | Patch not supported. Please follow the general security practices |
| Wireless extenders | |
| WAP6804 | Patch not supported. Please follow the general security practices |
| WAP6807 | V.100(ABTB.2)b16_C0 in Q3 2021* |
| WX3310-B0 | V1.00(ABSF.2)C0 in Mar 2021* |
| WX3100-T0 | V5.50(ABVL.0)C0 in Q3 2021* |
| WX3401-B0 | V5.17(ABVE.1)C0 in Q3 2021* |

*Please reach out to your local Zyxel support team for the file.
**The above list does not include products designed by our affiliate, Zyxel Networks. If you have questions regarding products that are not listed above, please visit here for the complete affected model list and the latest firmware release schedule.

For vulnerable products whose chips and drivers are no longer supported by WiFi chip vendors, we recommend that customers follow the general security practices below or upgrade their devices to a patched model.

  1. Always use HTTPS to connect to websites and be aware of suspicious links.
  2. Do not connect to unprotected public WiFi networks.
  3. Use strong, unique connection passwords for every service set identifier (SSID) and change them regularly.
  4. Enable WPA3-Enterprise to protect your WiFi network, if supported.
  5. Use EAP-TLS, PEAP, or TTLS to authenticate a user’s identity, if supported.
  6. Enable firewall rules on the affected device or its connected gateway/firewall, if any.

Got a question or a tipoff?

If you are an ISP with customized models, please contact your Zyxel sales or service representative for further information or assistance. End users who acquired their Zyxel device from an ISP should reach out to the ISP’s support team directly, as the device may have custom-built settings.

Revision history

2021-5-12: Initial release

2021-5-17: Updated the vulnerability description, general security practices, and the patch plan of CPE

2021-6-11: Updated the vulnerability description and the affected model list and patch plan of CPE and WiFi system