Severe flaw in WPA2 - cracked

Hello!  Let's please use this one thread to communicate until formal Ruckus response is posted please, thanks.

Here is what I can tell you after all the other Wi-Fi company announcements that should elliviate some concerns.

Michael, I think you are in the wrong thread.  The thread you just linked to is this very thread.

The issue is related to 802.11r (fast bss-transition) to enhance roaming, which if disabled on WLANs
eliminates vulnerability to attack of AP-to-client traffic.  The krackattacks.com site describe it as:
“it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.”

WPA2/AES - attacker can decrypt and replay wi-fi packets.
WPA2/Auto-TKIP - attacker can decrypt, replay and inject frames

It requires that the attacker be physically in range of your APs, performing a man-in-the-middle impersonation
of a true AP mac address.

WLAN configuration options on WLANs, default setting is 802.11r Fast Roaming disabled. (SZ 3.5.1).

This is a Client vulnerability issue.  A man-in-the-middle with AP sending your SSID and using your AP
MAC address.  If one of your clients joins this malicious AP, there is a hole in the client that allows the
client to connect even if the passphrase is not correct(!). 

After this happens this, and only this single client, can be sniffed.

Our product is designed to alert Admins if such a rogue AP is present.  Only AP manufacturers who use their
APs as RAPs in Mesh (ie connecting to Guest WLAN) are vulnerable (as Aruba stated).

Things to think about:
1) all current certs and Wi-Fi passwords are still secure (attacker doesn't get the pw)
2) AES does not allow for code injection (tkip does, don't use it).
3) Android 6 has more issues that might make this attack easier.
4) Disabling 802.11r will mitigate the attack
5) Patching either side (client or distribution system) stops the attack from happening on WLAN
6) MITM attacks can happen if attacker inserts a new cert, end user is prompted with cert error.
7) Do not move to WEP

Still waiting for a corporate Security message I can post to Support and will share here.  Thanks.

Any updates on a timeline for this patch?  My customers are screaming!

The first official advisory is from our Cloudpath ES Security product team:

https://support.ruckuswireless.com/documents/2039-faq-security-advisory-cp-101617-802-11r-vulnerabil...

Please view security bulletin posted this afternoon:

https://support.ruckuswireless.com/documents/2040-faq-security-bulletin-101617-wpa2-vulnerability-kr...

So do users need to have some support contract to work with a ZD1105?

Ruckus, where are the firmware updates?! This is a pathetic response.
Almost every other manufacturer has firmware fixes available and you don’t. Even Netgear does for their consumer routers!
It is beyond belief that you clearly did not take this seriously, and STILL don’t it would seem.
Time to dump Ruckus. This is not an enterprise product, and certainly not enterprise level support.

My issue is more a fact that the advisory doesn't state when a fix will be available. How can i go to my customers with anything unless i can give them a timescale on firmware patch?

This is my first touch with Ruckus.
A month ago, I inherited a position in a company where the wireless network is done with 6x Ruckus R500 Wireless APs.
Yesterday I contacted Ruckus support and they promised firmware by the end of the day. I have to say, that first impression I got from Ruckus is not an enterprise class and will probably move to ubiquiti.

hi,

I have read the Ruckus Security Advisory and also
https://theruckusroom.ruckuswireless.com/wi-fi/2017/10/16/commonsense-approach-uncommon-problem/ and many other stuff.

This all show ruckus in a very bad light. Can we still trust?

Ruckus was informed many weeks/months ago about this issue and the disclosure date.

But the customers was left alone!!

I was informed since two day's (CET timezone) about this issue. I waited for
the public disclosure yesterday and opened a case at ruckus cause no information
about it was found online.

All other major vendors did have the updates ready and informed their customers
at the same time the issue was going public. They had their communication ready
and send it out to their partners and customers at the right time.

Ruckus didn't they don't even inform the partners!!

What I as customer with contract and as partner has expected:

1. No out of office notification if someone mails to your security contact ([email protected])
   This E-mail has to go to an high priorized and monitored queue in an ticket
   system,

2. That your support people and partners would inform one or two day's before
   the public disclosure.

3. That you have the right communication for all your customers ready and put
   it in the right time on the right places (webside, newsletter, twitter...)

4. That you have your firmware fixes ready to deploy and if it is possible
   some advanced monitoring ready for this issue and for broken clients.

What I now expect:

1. really fast update availability, even for older systems and without contract*

2. transparent communication what went wrong and why

3. better documentation and reporting how to fix the problem in our company's,
   not even on the wireless system side:

    * How to detect clients with this problem
    * For which clients are updates available


I'm located in germany, the public  disclosure was now nearly 24hour away,
even the radio stations here  broadcast informations about this issue faster
then you.

At this morning the German Federal Office for Information Security has send out
an public announcement that all people should update their clients and
accesspoints / routers if possible or contact their vendors for updates.

The phones are ringing with customers, cto's and so on. All want to have a
status about this issue and a dead line then it is fixed.

Yes the major problem are the client's, but the accespoints and controllers
should be fixed also and I expect that I get some help from my wireless system
to detect the problem on the clients if I have a managed wireless solution
not one single accesspoint.

Our company has already rolled out the patcheѕ for our clients.
Even microsoft has the patches already in place.

For me it looks like ruckus has ignored the advisory and now the
try to react on it. This has nothing todo with enterprise support!!

There is absolute no excuse for this!!

For me the trust in your security support is gone, and there must
be very good arguments that we will stay with ruckus after our contract
ended.


* cause how it was happend (see what I expected)

Does anyone know how 7731 bridges are affected by this?

Open-Mesh announced they will have a firmware upgrade this afternoon (10/17/2017). Open-Mesh, the product which gives a you free lifetime license for their cloud controller, you just need to purchase the hardware. Not sure why it's taking Ruckus so long.

Ruckus, you better get your crap together and resolve this. You're already being snickered at in a few of the sysadmin mailing lists I'm part of.

In a couple more days those snickers are going to turn into turn into something much more damaging. Because you're such a big player in the wifi market, you're already getting mocked for not having a fix ready when it was announced, but at least right now you're lumped in with tons of other companies.

As the days go on those other companies are going to deliver their patches and you're going to be left out in the rain, tossing excuses and copy pasta to frustrated sysadmins with leftover end of year budgets they'll rightfully decide to spend somewhere else.

We love our Ruckus products but your lack of progress in this matter means to be secure, we may have to turn off our products, and we can't have that in our organization, so we're simply forced to switch vendors.

Is it safe to assume that Ruckus doesn't give a damn about their paying customers right? Since the patches are no were to be seen... I would like to ask the community for Ubiquity recommendations since we'll most likely be moving over.