CVE: CVE-2020-24586, CVE-2020-24587, CVE-2020-24588
Summary
Zyxel is aware of the FRagmentation and AGgregation Attacks against WiFi vulnerability (dubbed “FragAttacks”) and is releasing patches for some vulnerable WiFi products. Users are advised to adopt the applicable firmware updates or follow the advice below for optimal protection.
What is the vulnerability?
The FragAttacks vulnerability was identified in the IEEE 802.11 implementation of de-aggregation and de-fragmentation of frames at the receiver in some WiFi devices. Of the twelve CVEs reported by Wi-Fi Alliance®, three affect Zyxel products, namely:
- CVE-2020-24586: Not clearing fragments from memory when (re)connecting to a network
- CVE-2020-24587: Reassembling fragments encrypted under different keys
- CVE-2020-24588: Accepting non-SPP A-MSDU frames
Please refer to the official CVEs for the technical details and severity. Zyxel products are NOT affected by the nine other CVEs (CVE-2020-26139 - CVE-2020-26147) either because they do not use the vulnerable packages or their vulnerable versions.
It is important to note that an attacker has to be physically within the wireless range of the vulnerable device to exploit these weaknesses, thus the impact is relatively limited. According to Wi-Fi Alliance®, there is currently no evidence of the vulnerabilities being used against WiFi users maliciously.
What versions are vulnerable—and what should you do?
After a thorough investigation, we’ve identified the affected products that are within their warranty and support period, as shown in the link here. We are already working with WiFi chip vendors to prepare the patches and will continue to update the advisory as additional information becomes available. We urge users to install the applicable updates when available for optimal protection.
Please note that the table in the link provided does NOT include customized models for internet service providers (ISPs).
If you are an ISP, please contact your Zyxel sales or service representative for further details.
If you are an end-user who received your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.
If you are an end-user who purchased your Zyxel device yourself, please contact your local Zyxel support team or visit our forum for further assistance.
For those vulnerable products with chips and drivers no longer supported by WiFi chip vendors, we recommend that users follow the general security practices below or upgrade their models.
1. Enable WPA2/WPA3 for wireless connections.
2. Use strong, unique connection passwords for every service set identifier (SSID) and change them regularly.
3. Enable firewall rules on the affected device or its connected gateway/firewall, if any.
Affected model list
Please note that the table does NOT include customized models for internet service providers (ISPs).
If you are an ISP, please contact your Zyxel sales or service representative for further details.
If you are an end-user who received your Zyxel device from an ISP, please reach out to the ISP’s support team directly, as the device may have custom-built settings.
If you are an end-user who purchased your Zyxel device yourself, please visit our forum for further assistance.
| Affected model | Model | Patch availability |
|---|---|---|
| AP | NWA110AX | Hotfix available in July 2021 Standard firmware V6.25(ABTG.0) in end of Sep 2021 |
| NWA1123-AC HD | Hotfix available now Standard firmware V6.25(ABIN.0) in end of Sep 2021 |
|
| NWA1123AC PRO | Hotfix available in July 2021 Standard firmware V6.25(ABHD.0) in end of Sep 2021 |
|
| NWA1123-ACv2 | Hotfix available in July 2021 Standard firmware V6.25(ABEL.0) in end of Sep 2021 |
|
| NWA1123ACv3 | Hotfix available in July 2021 Standard firmware V6.25(ABVT.0) in end of Sep 2021 |
|
| NWA1302-AC | Hotfix available in July 2021 Standard firmware V6.25(ABKU.0) in end of Sep 2021 |
|
| NWA210AX | Hotfix available in July 2021 Standard firmware V6.25(ABTD.0) in end of Sep 2021 |
|
| NWA5123-AC | Hotfix available in July 2021 Standard firmware V6.25(AAZY.8) in end of Sep 2021 |
|
| NWA5123-AC HD | Hotfix available now Standard firmware V6.25(ABIM.0) in end of Sep 2021 |
|
| WAC500 | Hotfix available in July 2021 Standard firmware V6.25(ABVS.0) in end of Sep 2021 |
|
| WAC500H | Hotfix available in July 2021 Standard firmware V6.25(ABWA.0) in end of Sep 2021 |
|
| WAC5302D-S | Hotfix available now Standard firmware V6.25(ABFH.8) in end of Sep 2021 |
|
| WAC5302D-Sv2 | Hotfix available now Standard firmware V6.25(ABVZ.0) in end of Sep 2021 |
|
| WAC6103D-I | Hotfix available in July 2021 Standard firmware V6.25(AAXH.0) in end of Sep 2021 |
|
| WAC6303D-S | Hotfix available now Standard firmware V6.25(ABGL.0) in end of Sep 2021 |
|
| WAC6502D-E | Hotfix available in July 2021 Standard firmware V6.25(AASD.0) in end of Sep 2021 |
|
| WAC6502D-S | Hotfix available in July 2021 Standard firmware V6.25(AASD.0) in end of Sep 2021 |
|
| WAC6503D-S | Hotfix available in July 2021 Standard firmware V6.25(AASE.0) in end of Sep 2021 |
|
| WAC6552D-S | Hotfix available in July 2021 Standard firmware V6.25(ABSF.0) in end of Sep 2021 |
|
| WAC6553D-E | Hotfix available in July 2021 Standard firmware V6.25(ABIO.0) in end of Sep 2021 |
|
| WAX510D | Hotfix available in July 2021 Standard firmware V6.25(ABTF.0) in end of Sep 2021 |
|
| WAX610D | Hotfix available in July 2021 Standard firmware V6.25(ABTE.0) in end of Sep 2021 |
|
| WAX650S | Hotfix available in July 2021 Standard firmware V6.25(ABRM.0) in end of Sep 2021 |
|
| Firewall | ATP100W | ZLD 5.01 in end of June 2021 |
| USG FLEX 100W | ZLD 5.01 in end of June 2021 | |
| USG20W-VPN | ZLD 4.64 in end of June 2021 | |
| USG40W | ZLD 4.64 in end of June 2021 | |
| USG60W | ZLD 4.64 in end of June 2021 | |
| CPE | DX4510-B0 | V5.17(ABYL.0)C0 in Q2 2021 |
| EMG1702-T10A | V1.00(ABNZ.1)C0 in Q4 2021 | |
| EMG3425-Q10A | Patch not supported. Please follow the general security practices | |
| EMG3524-T10A | V5.41(ABXU.1)C0 in Q3 2021 | |
| EMG3525-T50B | EMEA: V5.50(ABPM.6)C0 in July 2021 S. America: V5.50(ABSL.0)C0 in Q3 2021 |
|
| EMG5523-T50B | EMEA: V5.50(ABPM.6)C0 in July 2021 S. America: V5.50(ABSL.0)C0 in Q3 2021 |
|
| EMG5723-T50K | V5.50(ABOM.7)C0 in July 2021 | |
| EMG6726-B10A | V5.13(ABNP.6)C0 in Q3 2021 | |
| EMG8726-B50A | V5.13(ABNP.6)C0 in Q3 2021 | |
| EX3510-B0 | V5.17(ABUP.3)C0 in Mar 2021 | |
| EX5501-B0 | V5.15(ABRY.2)C0 in June 2021 | |
| EX5510-B0 | V5.15(ABQX.5)C0 in Q4 2021 | |
| P-660HN-51 | Patch not supported. Please follow the general security practices | |
| VMG1312-T20B | V5.50(ABSB.5)C0 in July 2021 | |
| VMG3625-T50B | V5.50(ABPM.6)C0 in July 2021 | |
| VMG3927-B50A_B60A | V5.15(ABMT.7)C0 in June 2021 | |
| VMG3927-B50B | V5.13(ABLY.6)C0 in Q3 2021 | |
| VMG3927-T50K | V5.50(ABOM.7)C0 in July 2021 | |
| VMG4927-B50A | V5.13(ABLY.6)C0 in Q3 2021 | |
| VMG8623-T50B | V5.50(ABPM.6)C0 in July 2021 | |
| VMG8825-B50A_B60A | V5.15(ABMT.7)C0 in June 2021 | |
| VMG8825-Bx0B | V5.15(ABNY.7)C0 in June 2021 | |
| VMG8825-T50K | V5.50(ABOM.7)C0 in July 2021 | |
| VMG9827-B50A | V5.13(ABLY.6)C0 in Q3 2021 | |
| XMG3927-B50A | V5.15(ABMT.7)C0 in June 2021 | |
| XMG8825-B50A | V5.15(ABMT.7)C0 in June 2021 | |
| ONT | PMG5317-T20B | V5.40(ABKI.4) in Q3 2021 |
| PMG5617GA | V5.40(ABNA.2) in Q3 2021 | |
| PMG5622GA | V5.40(ABNB.2) in Q3 2021 | |
| PMG5705-T10A | Patch not supported. Please follow the general security practices | |
| 5G NR/4G LTE CPE | LTE2566 | Patch not supported. Please follow the general security practices |
| LTE3202-M430 | Patch not supported. Please follow the general security practices | |
| LTE3202-M437 | To be updated | |
| LTE3301-M209 | Patch not supported. Please follow the general security practices | |
| LTE3301-PLUS | V1.00(ABQU.4)C0 in Dec 2021 | |
| LTE3302-M432 | Patch not supported. Please follow the general security practices | |
| LTE3316-M604(v1) | Patch not supported. Please follow the general security practices | |
| LTE3316-M604(v2) | To be updated | |
| LTE4506-M606 | Patch not supported. Please follow the general security practices | |
| LTE5366 | Patch not supported. Please follow the general security practices | |
| LTE5388-M804 | V1.00(ABSQ.3)C0 in Dec 2021 | |
| LTE5388-S905 | V1.00(ABVI.5)C0 in Q4 2021 | |
| LTE7240-M403 | V2.00(ABMG.4)C0 in Dec 2021 | |
| LTE7461-M602 | V2.00(ABQN.4)C0 in Q4 2021 | |
| LTE7480-M804 | V1.00(ABRA.3)C0 in Dec 2021 | |
| LTE7480-S905 | V2.00(ABQT.5)C0 in Q4 2021 | |
| LTE7485-S905 | V1.00(ABVN.5)C0 in Q4 2021 | |
| LTE7490-M904 | V1.00(ABQY.3)C0 in Dec 2021 | |
| NR2101 | V1.00(ABUS.5)C0 in Q4 2021 | |
| NR5101 | V1.00(ABVC.3)C0 in Q4 2021 | |
| NR7101 | V1.00(ABUV.4)C0 in Q4 2021 | |
| WAH7601 | To be updated | |
| WAH7608 | To be updated | |
| WAH7706 | Patch not supported. Please follow the general security practices | |
| WiFi system | AX7501-B0 | V5.15(ABPC.1)C0 in June 2021 |
| WSQ20 (Multy Mini) | V1.00(ABOF.10)C0 in Aug 2021 | |
| WSQ50 (Multy X) | V2.20(ABKJ.6)C0 in Aug 2021 | |
| WSQ60 (Multy Plus) | V2.20(ABND.7)C0 in Aug 2021 | |
| WSR30 (Multy U) | V1.00(ABMY.12)C0 in Sep 2021 | |
| Home router | NBG-418N v2 | To be updated |
| NBG6515 | To be updated | |
| NBG6604 | V1.00(ABIR.8)C0 in Sep 2021 | |
| NBG6615 | Patch not supported. Please follow the general security practices | |
| NBG6817 (Armor Z2) | V1.00(ABCS.11)C0 in Sep 2021 | |
| NBG6818 (Armor G1) | V1.00(ABSC.5)C0 in end of Aug 2021 | |
| NBG7815 (Armor G5) | V1.00(ABSK.7)C0 in end of Aug 2021 | |
| Wireless extender | NWD6505 | To be updated |
| NWD6602 | To be updated | |
| NWD6605 | To be updated | |
| WAP3205 v3 | To be updated | |
| WAP6804 | Patch not supported. Please follow the general security practices | |
| WAP6806 | Patch not supported. Please follow the general security practices | |
| WRE2206 | To be updated | |
| WRE6505 v2 | To be updated | |
| WRE6602 | To be updated | |
| WRE6605 | V1.00(ABKK.6)C0 in Sep 2021 | |
| WX3310-B0 | V1.00(ABSF.2)C0 in Mar 2021 |
Comments
0 comments
Please sign in to leave a comment.