Skip to main content
marko_teklic's profile

Mon, Oct 16, 2017 6:27 AM

Answered

Severe flaw in WPA2 - cracked

Responses

7 Messages

 • 

306 Points

3 years ago

And here's Meraki's which is excellent IMO:
https://documentation.meraki.com/zGeneral_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-...

Deathly silence from Ruckus...

16 Messages

 • 

482 Points

3 years ago

From my chat session they plan to take their time... They have a response slated for the second half of today.

222 Messages

 • 

3.6K Points

3 years ago

I guess that depends on where you are......In the UK its already the 2nd half of today :)

16 Messages

 • 

482 Points

I should have specified PDT :P
Not exactly on the ball for a premier wireless vendor nonetheless! 

7 Messages

 • 

306 Points

Exactly. They are one of the last vendors to respond, and not only that, it would appear as though their response won't include links to a fix, unlike every other vendor.

I have budget to replace our Wi-Fi equipment companywide in 2018 and this is the nail in Ruckus' coffin as far as I am concerned.
If the ZD1100 doesn't get a firmware fix today then I'm out.

10 Messages

 • 

372 Points

3 years ago

Here is some additional information:

http://www.revolutionwifi.net/revolut...

2 Messages

 • 

90 Points

3 years ago

Well, based on Meraki's outstanding document, it only appears to be an issue for access points when using 802.11r Fast-BSS Transition.

20 Messages

 • 

344 Points

I'm reading it the same way. From the infrastructure side, if you don't use 802.11r you aren't vulnerable/liable? The other parts are all on the client manufacturers?

16 Messages

 • 

482 Points

Right from the first paragraph:
"Of the ten vulnerabilities, Meraki access points (AP) are only affected by one (CVE: 2017-13082)."

CVE: 2017-13082

802.11r Fast-BSS Transition(FT)

Access Points

32 Messages

 • 

590 Points

Ruckus makes some great gear, but good god do they suck at communicating with their customers - both issues like this and general transparency.

16 Messages

 • 

482 Points

3 years ago

From the white paper:
"Our key reinstallation attack also breaks the PeerKey, group key, and Fast BSS Transition (FT) handshake. The impact depends on the handshake being attacked, and the data-confidentiality protocol in use."

222 Messages

 • 

3.6K Points

3 years ago

No its more than that but maybe not effecting Meraki. For example it effects most Vendors who have Mesh functionality.
This Aruba Blogpost gives a good explanation: http://community.arubanetworks.com/t5/Technology-Blog/WPA2-Key-Reinstallation-Attacks/ba-p/310045

10 Messages

 • 

372 Points

3 years ago

I’m sure someone is justifiying a slow response by saying that the client side must also be updated and that Apple and Google have yet to release a fix. To that person I say, provide me with free ongoing support and I will accept that answer.

I selected Ruckus because I wanted premium support when faced with these kinds of issues. I’m not getting that and we all need to pound this thread, email and call until they release a fix. This is not acceptable.

7 Messages

 • 

306 Points

3 years ago

Still nothing on their security page. Their response to this is a joke.
https://www.ruckuswireless.com/security

7 Messages

 • 

306 Points

3 years ago

If you want a chuckle then email [email protected] and you'll get an Out of Office reply.
Nice to know that security is handled by a single person and that they chose to go on vacation on the day that this vulnerability was to be disclosed.
Ruckus, and other vendors, have known about this vulnerability since July, and also knew well in advance about the disclosure date.

Hi All,

 

I will be on PTO from 14-Oct to 23-Oct would have limited accesst to emails / calls. Please expect delays in my responses.

 

For Security Issues: mail to [email protected]

For any other queries: contact [email protected]

 

Regards,

Hemant Bhatnagar

1 Message

 • 

62 Points

Just for kicks and grins, I found his LinkedIn...  anyone want to pester him on Vaca? https://www.linkedin.com/in/bhatnagarhemant

32 Messages

 • 

590 Points

I had no idea that Ruckus offshored their development.  That explains SO MUCH.  Cheap bastards.  In all my experience with offshore development, there's good tech talent, but they lack a certain amount of imagination.  I don't know if that's the result of an education that values STEM above all else or if it's cultural or what, but I can really see the attitudes I've encountered with Indian devs ("well what user would do that? that makes no sense, don't worry!") being terrible with security ("who would send THAT packet?  That's crazy!  we're following the spec, go away!"). 
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

UltraTraveller keep it Professional.. Charles, we have development centers around the world.  Most DevEng are here in Sunnyvale.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

A management reply is about to be released, describing your limited exposure to the risks in this WPA2 4 way handshake flaw.
Software patches are also coming out soon for major GA/MR releases of ZD/SZ controller code. 

2 Messages

 • 

114 Points

3 years ago

The agent I spoke to had no idea there was an issue, nor any idea if there would even be a response.  I had him create a ticket at priority 2 and I am waiting on an engineer to call me back.

This is rather frustrating.

3 Messages

 • 

126 Points

Agreed. Especially since this has been a known issue for the manufacturers for a while now. Certainly they should have been quicker at patching the flaw.

3 Messages

 • 

102 Points

3 years ago

I opened a case and called our Rep and was told there will be a patch by the end of the day.

3 Messages

 • 

126 Points

Maybe thats why the Ruckus website is absent of any mentioning the security flaw - probably not posting anything until they have a fix. Pretty damn late to the party if you ask me.

Maybe switching our campus wifi infrastructure to Ruckus was a BAD idea last year. Fortunately I only started with a few buildings. If they don't put out a patch ASAP, it's good riddance Ruckus and Hello Aruba or someone else.

25 Messages

 • 

474 Points

Too bad they didn't tell by the end of which day..

18 Messages

 • 

450 Points

3 years ago

Chatted with a rep who said there will be a "response" by the end of the day.

I, too, don't understand how you can have 2.5 months to come up with something and "wait til the end of the day" is what they came up with.  

You KNOW there is a MAJOR issue.  You KNOW your customers and competitors will be looking at your response.  You know exactly WHEN the announcement will be made.  And yet, you have NOTHING available.  

"At Ruckus Support, we value Security above all else.  The WPA2 vulnerabilities were just released to the public, but Ruckus engineers have had this information for much longer and have been working tirelessly to address, correct, and test patches for all of our systems.  We will have these available very soon.  Thank you for your patience, we want to make sure we get this one right."

There, took me 2 minutes.

3 Messages

 • 

102 Points

I'll bet they copy and paste that for email replies...... 

3 Messages

 • 

148 Points

You're hired!

3 Messages

 • 

80 Points

Dear
Please help with a firmware update for the ZF7363 and ZF7321 models for this new vulnerability found in WPA-2. Is there any way to contact them or all those who are registered will we get an email automatically when they have the update to know that is already available?

3 Messages

 • 

102 Points

You will probably want to open a case or check back here to see if they get one out today.

Brad 

3 Messages

 • 

80 Points

ok, thanks

66 Messages

 • 

1.2K Points

3 years ago

While I agree Ruckus you have had an plenty of notice to address this, Ruckus support - PLEASE do not rush something out the door just to stem the flow of these complaints.  I've been VERY happy with Ruckus code the last few years.  I want code that has been thoroughly tested and is ready for production.  From the few articles I've read today it seems like this is more of a knee jerk reaction as this has only been proven in a lab, but proven none the less and security is not soemthing to take lightly but lets remember CIA, in this instance I also want good code for availalbity purposes.  My business runs on reliable wifi.

3 Messages

 • 

80 Points

3 years ago

Dear
Please help with a firmware update for the ZF7363 and ZF7321 models for this new vulnerability found in WPA-2. Is there any way to contact them or all those who are registered will we get an email automatically when they have the update to know that is already available?