Zyxel security advisory for the key management vulnerabilities of WPA2 protocol

Zyxel_Forum_Admin
Zyxel_Forum_Admin Posts: 125  Admin
First Anniversary 10 Comments Friend Collector
edited February 2021 in Security Advisories

Zyxel is aware of the recently found key management vulnerabilities of the WiFi Protected Access II (WPA2) security protocol, as identified in US-CERT vulnerability  note VU#228519, with the vulnerability IDs listed in table 1.

What are the vulnerabilities?

These vulnerabilities affect wireless products that connect to WiFi networks in different ways, depending on the role of products as WiFi clients or servers, as described in table 1 below.

Table 1.


Type of attack

CVE IDs

Devices impacted

4-way handshake

CVE-2017-13077

WiFi clients

Group-key handshake

CVE-2017-13078

CVE-2017-13079

CVE-2017-13080

CVE-2017-13081

CVE-2017-13087

CVE-2017-13088

WiFi clients

802.11r Fast-BSS Transition (FT)

CVE-2017-13082

Access points

Peer-key handshake

CVE-2017-13084

CVE-2017-13086

WiFi clients

 

It is important to note that an attacker has to be physically nearby and is within the wireless range to exploit these weaknesses.[1]

Please see: https://www.krackattacks.com/#details for more technical information.

How are Zyxel resolving the vulnerabilities?

At Zyxel we treat security as a top priority and we have conducted a thorough investigation and identified a list of vulnerable products within their warranty and support period, as shown in table 2 below. For products not listed, they are not affected to the attacks either because they are not designed to act as WiFi clients, do not support 802.11r Fast-BSS Transition handshake, or do not support peer-key handshake by default.

We are now co-working with WiFi chipset vendors to create a solution, and the patch firmware will be available in the next few weeks or even sooner, provided WiFi chipset vendors will release their patches much earlier. 

Please refer to table 2 for the detailed release schedule.

Table 2


Devices Impacted

Series/Model

Hotfix Availability

Standard Availability

WiFi Clients

NWA1100-NH

31-Dec 2017

Feb 2018 or sooner

Access Points

NWA5301-NJ*

16-Nov 2017

Feb 2018 or sooner

NWA5123-AC*

16-Nov 2017

Feb 2018 or sooner

WAC6103D-I*

16-Nov 2017

Feb 2018 or sooner

WAC6500 series*

16-Nov 2017

Feb 2018 or sooner

* The above Access Points (NWA5301-NJ, NWA5123-AC, WAC6103D-I, WAC6500 series) are only affected when managed by NXC2500/5500 with 802.11r enabled. Note that when the mentioned Access Points in standalone mode are not affected because 802.11r is not supported in this mode and therefore, there is no hotfix/solution required. So the available hotfix we release is for NXC2500/NXC5500.

Please click on the link below to download the hotfix for NXC2500/NXC5500. 

Download hotfix for NXC2500

Download hotfix for NXC5500



What should I do now to protect myself against the vulnerabilities?


As mentioned previously - It is important to note that an attacker has to be physically nearby and is within the wireless range to exploit these weaknesses. As our Business class Access Points support the 802.11r Fast-BSS Transition (FT) handshake, devices supporting this feature are listed in the vulnerability list (table 2). By default, the 802.11r is not enabled in Zyxel Products or Controllers; and the majority of Zyxel customers will not be affected.

For customers who have enabled 802.11r, who are concerned about the security risks, they should disable the 802.11r feature to prevent an attack from taking place. Once the Hotfix has been released, clients wishing to use the 802.11r feature are advised to update as soon as possible to ensure the vulnerability does not affect the security of their network.

For more information and technical details regarding the vulnerabilities please see below references:

1.      US-CERT VU note: https://www.kb.cert.org/vuls/id/228519/

2.      Disclosure by by Mathy Vanhoef of imec-DistriNet of KU Leuven: https://www.krackattacks.com/

Zyxel will update this advisory when more information is available. 


Comments

  • kidalabama
    kidalabama Posts: 5  Freshman Member
    First Comment
    I have got nwa1100-nh ap but known issues not resolved long time.

    www.zyxel.com
    Known Issue:
    1.[Spec issue] Users will not be able to select channel when wireless interface is disabled.
    2.[Spec issue] The log should not be cleared after AP reboot.
    3.[Spec issue] When device operating in client mode , LAN port device will not get IP address when the  DHCP server uses unicast.
    4. Sometimes Telnet service is not available after changing secure access control settings on AP.


  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    edited May 2018
    Hi @kidalabama

    Thanks for your sharing. Here is our reply for each item.
    1. When the interface is enable, we can select the channel.
    2. We support syslog server and email. You can send out the logs via the settings.
    3. Almost of the servers are using broadcast now. You can use static IP address if needed.
    4. NXC and AP support GUI. We can configure all the settings via GUI. Do you have any specific usage which must under Telnet?
    By the way, since this place is for new and release, you can post your comment at discussions. 
    Here is the link.
    https://businessforum.zyxel.com/categories/wlan-discussions
    Thanks.

    Joslyn
  • kidalabama
    kidalabama Posts: 5  Freshman Member
    First Comment
    edited December 2018
    3. I DON'T WANT USE STATIC IP.
    I WANT USE DHCP AND NEW FIRMWARE WITH SOLVED PROBLEMS. 2.13 firmware.


    PLEASE READ2.12 FIRMWARE KNOWN ISSUE.


  • Hedy
    Hedy Posts: 7  Freshman Member
    First Anniversary First Comment
    I deployed several NWA1100-NH in my environment. All of them are DHCP clients; however, I did not meet the issue as the spec described. I thought most of the DHCP servers are using broadcast, not unicast. If you meet the DHCP server using unicast, I thought applying static IP address is also a good idea because it is easy to manage APs. No worry about losing the DHCP table. Or maybe use another DHCP server with broadcast?
  • kidalabama
    kidalabama Posts: 5  Freshman Member
    First Comment
    edited December 2018
    i am using as client mode.  zyxel is detected this problem and writing new firmware info as described KNOWN ISSUES. but not created new firmware with solved known issues. zyxel=problem.
  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi,

    We know the issue; however, there is no fix plan so far. So, we have two suggestions for you to resolve this kind of situation.
    1. Use static IP address for each client.
    2. Use a DHCP server with broadcast flag.
    Apologize to cause you any inconvenience.
    Thanks.

    Joslyn
  • kidalabama
    kidalabama Posts: 5  Freshman Member
    First Comment
    Please add fix plan. I am already added static ip but this is very hard.
  • Zyxel_Joslyn
    Zyxel_Joslyn Posts: 360  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi,

    We don't have fix plan for this issue. Please use our suggestion as workaround.
    Apologize to cause your any inconvenience.
    Thanks.

    Joslyn