Severe flaw in WPA2 - cracked

"One researcher told Ars that Aruba and Ubiquiti, ..., already have updates available to patch or mitigate the vulnerabilities."

Well, let's see how fast our support-contract money work..

Some vendors like mikrotik have already rolled out patched versions since weeks:

https://forum.mikrotik.com/viewtopic.php?f=21&t=126695

I too would like an answer to this. And for our patch to be made available quickly. We already have clients asking.

Me too for my R600 Unleashed ...

Yes, this breach is annoying.

But .. have been evangelizing for years that wifi should only be used as transport for VPN (OpenVPN).

Have been trying to find more information like press releases or other material on topics like Ruckus and WPA2 krack. (https://www.krackattacks.com/)

Notice that this all has been released earlier to manufacturers and only now will go public, meaning that only some manufacturers have reacted to research papers: https://eprint.iacr.org/2016/475.pdf
Dated May-17 2016 .. it was all there.

Ruckus, you're late to the party as usual. When will we see firmware updates to address KRACK?

I would dearly love to see this ASAP as we need to start change management procedures.

I've raised a P2 Case (ID: 00565627).

According to the security section of the Ruckus site (https://www.ruckuswireless.com/security) the CVE's covered by Krack have not been addressed.

Kind Regards,


Andy.

This is big, ruckus had better act quickly on this. I also expect them to release patches for some of the older chains of firmware. We have perfectly usable 802.11n access points (7363) in use that are locked to the 9.12.x chain. It would pretty much mean the end of our relationship with ruckus if we were forced to upgrade these for a security patch. 

Aruba has released fixes for older versions of firmware but only ones the deem 'under support'. Ruckus doesn't view firmware in the same way but based on the fact that the recommended 9.13.3.0.121 i would expect them to be going back a little way on the firmware list at least to 9.12 

Yep, end of support for the ZoneDirector 1100 for example is June 30th 2020, and it is stuck on ZD1100 9.10.2.0.29 (MR2 Refresh) Software Release
I would expect an update for this from Ruckus very soon.

My understand is that this issue was something vendors were previously notified about.  So, the fact that there doesn't even appear to be a proposed timeline for a fix is not acceptable - especially since some vendors are already releasing patches.

Very frustrating.

Aruba reports that they were informed by the author of the research paper in July & by CERT in August. Imagine same for all vendors. Plus many (if not all) have been participating in industry level discussions

Pretty annoying issue and surely not the best time to get it public, but I don't get why this issue is still persistent since it was reported to the vendors in August/Septembre.  Actually there's one customer after another calling and asking what they can do and when they can expect a solution. Not cool, to have no answer ready...

Dont forget though that the infrastructure is only part of this issue. Even after controllers & AP's have had a 'fix' applied there are still vulnerabilities from the client side, which is actually the source of the issue, can only be addressed by the client manufacturers. As i understand it, It affects infrastructure vendors because sometimes their AP's act as a client like when using mesh for example.

Here's a link to their FAQ on the issue: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf