marko_teklic's profile

Mon, Oct 16, 2017 6:27 AM

Answered

Severe flaw in WPA2 - cracked

Responses

Brand User • Former Employee • 2.6K Messages • 44.8K Points

3 years ago

Hello!  Let's please use this one thread to communicate until formal Ruckus response is posted please, thanks.

Here is what I can tell you after all the other Wi-Fi company announcements that should alleviate some concerns.

18 Messages • 450 Points

Michael, I think you are in the wrong thread.  The thread you just linked to is this very thread.

1 Message • 80 Points

What other thread? that is this thread...

16 Messages • 482 Points

I am literally face-palming at this point.

2 Messages • 114 Points

Two+ months to get something together and this guy can't even reply in the right thread.

3 Messages • 126 Points

So what is it you can tell us? I'm confused by your statement.


Brand User • Former Employee • 2.6K Messages • 44.8K Points

3 years ago

The issue is related to 802.11r (fast BSS transition) to enhance roaming, which if disabled on WLANs eliminates vulnerability to attack of AP-to-client traffic. The krackattacks.com site describes it as:
“it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.”

WPA2/AES - attacker can decrypt and replay Wi-Fi packets.
WPA2/Auto-TKIP - attacker can decrypt, replay and inject frames.

It requires that the attacker be physically in range of your APs, performing a man-in-the-middle impersonation of a true AP MAC address.

WLAN configuration options on WLANs, default setting is 802.11r Fast Roaming disabled. (SZ 3.5.1).

This is a Client vulnerability issue.  A man-in-the-middle with AP sending your SSID and using your AP MAC address.  If one of your clients joins this malicious AP, there is a hole in the client that allows the client to connect even if the passphrase is not correct(!).

After this happens, this, and only this single client, can be sniffed.

Our product is designed to alert Admins if such a rogue AP is present.  Only AP manufacturers who use their APs as RAPs in Mesh (i.e. connecting to Guest WLAN) are vulnerable (as Aruba stated).

Things to think about:
1) all current certs and Wi-Fi passwords are still secure (attacker doesn't get the pw)
2) AES does not allow for code injection (TKIP does, don't use it).
3) Android 6 has more issues that might make this attack easier.
4) Disabling 802.11r will mitigate the attack
5) Patching either side (client or distribution system) stops the attack from happening on WLAN
6) MITM attacks can happen if attacker inserts a new cert, end user is prompted with cert error.
7) Do not move to WEP

Still waiting for a corporate Security message I can post to Support and will share here.  Thanks.

3 Messages • 184 Points

This is welcome but where are the patches to eliminate the AP side vuln, at big dog paris we were promised a much more responsive Ruckus when it comes to software updates. The fact that the likes of Mikrotik and Ubiquiti have fixes out already is not showing Ruckus in a good light. The other big players in our field have patches as well as an official response out already. The ball has been dropped. Is someone going to pick it up and save the match?

16 Messages • 482 Points

Given the information above, it does not constitute waiting 6 of your PDT working hours (2PM PDT) to produce what was given. There isn't enough clarification given to soundly say simply disabling 802.11r on Ruckus products will fix the issue either - this was not the full scope of the vulnerability. At this point in the day I am worried about the dismissive tone and action to the issue. I hope the formal security message doesn't ring this way as well.

Put simply, most other vendors have a fix or at the very least a statement as of hours ago on this. Regardless of how critical other vendors thought this would be they have addressed their end. I don't resonate with updating our endpoints instead, turning off the 802.11r feature on our devices, or anything other than fixing the vulnerability through firmware. You should have already deployed your new firmware/patches and put your obligation to rest. It's concerning this is not remotely the case.

1 Message • 60 Points

Has anyone thought about the possibility that they might not have been notified until today? Has anyone seen evidence that RW was notified 2 months ago? This whole thread seems to expect that given 8 hours notice a company can analyze a vulnerability, patch code, do complete regression testing, and release patches. 

18 Messages • 450 Points

They are a major player in the wireless market.  They've said all major players were notified a couple of months ago.  I can't see any possibility where someone forgot a company in the top 5, based on market share.

1 Message • 140 Points

https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

They were given notice at the same time as every other company.

1 Message • 82 Points

3 years ago

Any updates on a timeline for this patch?  My customers are screaming!

Brand User • Former Employee • 2.6K Messages • 44.8K Points

3 years ago

The first official advisory is from our Cloudpath ES Security product team:

https://support.ruckuswireless.com/documents/2039-faq-security-advisory-cp-101617-802-11r-vulnerabil...

18 Messages • 450 Points

I don't mean to pile-on, now that there is an official response, but...

This advisory is full of grammatical errors, contradictions, and the very first line expresses doubt this is even a problem.  Waiting all this time to come out with this just furthers the idea that there was no plan and someone started slapping this response together at 8am this morning.

Brand User • Former Employee • 2.6K Messages • 44.8K Points

New updated copy received from PM and posted, thanks.

22 Messages • 582 Points

Thanks for the comments David. Please note this is a Cloudpath response and Cloudpath is not involved in the 4 way WPA2 handshake. Please do look out for a more comprehensive update that will cover Access Points and Controllers soon.

1 Message • 80 Points

Is there an ETA for the update to be posted?

Brand User • Former Employee • 2.6K Messages • 44.8K Points

3 years ago

18 Messages • 450 Points

Michael, maybe you can clear up some confusion for me on this.  In the bulletin above, Ruckus is saying: "No Ruckus products are affected unless deployed in Mesh or Point-to-Point topologies, or 802.11r is enabled."  

However, a blog post, also from Ruckus, says the following:
  1. Vulnerabilities exist on both sides of the 4-way handshake relationship (client and AP) and both sides need to be patched.
  2. Until client vendors provide updates, disabling 802.11r can help mitigate the attack by eliminating one source of vulnerability (Fast BSS Transitions, otherwise known as 802.11r roaming).
Does turning off 802.11r mitigate the issue, or does it eliminate the issue?  Semantics, but extremely important semantics. 

If vulnerabilities exist on both sides of the 4-way handshake, and vendors need to patch them to make them secure (and Ruckus uses WPA)... ???  The blog post and the official statement appear to be contradicting each other.  I'd prefer NOT to go back and tell my bosses that I was wrong with what I told them last night.

Thanks,

1 Message • 80 Points

3 years ago

So do users need to have some support contract to work with a ZD1105?

7 Messages • 306 Points

3 years ago

Ruckus, where are the firmware updates?! This is a pathetic response.
Almost every other manufacturer has firmware fixes available and you don’t. Even Netgear does for their consumer routers!
It is beyond belief that you clearly did not take this seriously, and STILL don’t, it would seem.
Time to dump Ruckus. This is not an enterprise product, and certainly not enterprise level support.

222 Messages • 3.6K Points

3 years ago

My issue is more the fact that the advisory doesn't state when a fix will be available. How can I go to my customers with anything unless I can give them a timescale on a firmware patch?

25 Messages • 474 Points

3 years ago

This is my first touch with Ruckus.
A month ago, I inherited a position in a company where the wireless network is done with 6x Ruckus R500 Wireless APs.
Yesterday I contacted Ruckus support and they promised firmware by the end of the day. I have to say that the first impression I got from Ruckus is not enterprise class, and I will probably move to Ubiquiti.

90 Messages • 1.8K Points

Well, you better get used to rebooting your APs from time to time then..

25 Messages • 474 Points

I have no problem rebooting APs every now and then. I do have a problem not knowing if/when my network is secure.

222 Messages • 3.6K Points

Just to be clear here, any Ruckus update will not secure your network. It will fix KRACK vulnerabilities with regards to mesh and the use of 802.11r. There are much broader steps that are required to ensure your networks are secure, like updating all clients to ensure they have had their respective KRACK patches applied; after all, the majority of the vulnerabilities are client based. You should also look at implementing a WIDS/WIPS system (be it the embedded solution of a controller or standalone) to alert against malicious rogue APs, as this will be a telltale sign of a potential attack using KRACK.

Here is a good URL on availability of client device patches: https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/
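
The rogue-AP alerting suggested in the post above, sketched as an added example that is not from the thread or from Ruckus: it compares beacon sightings against an AP inventory and flags the impersonation pattern described earlier in the thread (your SSID and your AP's MAC address coming from another radio). The inventory, sensor names, sightings and alert labels are all constructed, and a fixed channel plan is assumed.

```python
from collections import defaultdict

# Constructed inventory, e.g. exported from the controller: BSSID -> (SSID, channel).
# Assumes a fixed channel plan; with auto-channel selection, refresh it before each run.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("corp-wifi", 36),
    "aa:bb:cc:00:00:02": ("corp-wifi", 149),
}

# Constructed beacon sightings from monitor sensors: (sensor, bssid, ssid, channel).
SIGHTINGS = [
    ("sensor-1", "AA:BB:CC:00:00:01", "corp-wifi", 36),
    ("sensor-1", "aa:bb:cc:00:00:02", "corp-wifi", 149),
    ("sensor-2", "aa:bb:cc:00:00:01", "corp-wifi", 1),    # known MAC, wrong channel
    ("sensor-2", "de:ad:be:ef:00:09", "corp-wifi", 6),    # our SSID, unknown MAC
    ("sensor-2", "11:22:33:44:55:66", "cafe-guest", 11),  # unrelated neighbour
]


def find_rogue_candidates(sightings, authorized):
    """Return (alert, bssid, detail) tuples for sightings that contradict the inventory."""
    protected_ssids = {ssid for ssid, _ in authorized.values()}
    channels_seen = defaultdict(set)
    alerts = []
    for sensor, bssid, ssid, channel in sightings:
        bssid = bssid.lower()  # normalise so case differences do not hide a match
        if bssid in authorized:
            channels_seen[bssid].add(channel)
            if channel != authorized[bssid][1]:
                # An authorized MAC beaconing off its configured channel.
                alerts.append(("known-bssid-off-channel", bssid, f"ch {channel} via {sensor}"))
        elif ssid in protected_ssids:
            # Our SSID advertised by hardware that is not in the inventory.
            alerts.append(("protected-ssid-unknown-bssid", bssid, f"ch {channel} via {sensor}"))
    for bssid, channels in sorted(channels_seen.items()):
        if len(channels) > 1:
            # One MAC on several channels in one collection window: two radios share it.
            alerts.append(("bssid-on-multiple-channels", bssid, f"ch {sorted(channels)}"))
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_candidates(SIGHTINGS, AUTHORIZED):
        print(*alert, sep=" | ")
```

An alert here is a lead to investigate, not proof of an attack: a neighbour reusing a common SSID or an AP that changed channel since the inventory was exported will trigger it too.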

25 Messages • 474 Points

Patching APs against vulnerabilities is a part of a network security. I don't see Ruckus delivering.

16 Messages • 482 Points

Robert, it doesn't matter if they own the whole picture or not, they have demonstrated they don't care about ANY of it.

7 Messages • 306 Points

3 years ago

hi,

I have read the Ruckus Security Advisory and also
https://theruckusroom.ruckuswireless.com/wi-fi/2017/10/16/commonsense-approach-uncommon-problem/ and much other stuff.

This all shows Ruckus in a very bad light. Can we still trust?

Ruckus was informed many weeks/months ago about this issue and the disclosure date.

But the customers were left alone!!

I have been informed about this issue for two days (CET timezone). I waited for
the public disclosure yesterday and opened a case at Ruckus because no information
about it was found online.

All other major vendors did have the updates ready and informed their customers
at the same time the issue was going public. They had their communication ready
and sent it out to their partners and customers at the right time.

Ruckus didn't, they don't even inform the partners!!

What I, as a customer with a contract and as a partner, expected:

1. No out of office notification if someone mails to your security contact ([email protected])
   This e-mail has to go to a high-prioritized and monitored queue in a ticket
   system,

2. That your support people and partners would inform one or two days before
   the public disclosure.

3. That you have the right communication for all your customers ready and put
   it at the right time in the right places (website, newsletter, twitter...)

4. That you have your firmware fixes ready to deploy and if it is possible
   some advanced monitoring ready for this issue and for broken clients.

What I now expect:

1. really fast update availability, even for older systems and without contract*

2. transparent communication what went wrong and why

3. better documentation and reporting how to fix the problem in our companies,
   not even on the wireless system side:

    * How to detect clients with this problem
    * For which clients are updates available


I'm located in Germany; the public disclosure was now nearly 24 hours ago,
even the radio stations here broadcast information about this issue faster
than you.

This morning the German Federal Office for Information Security has sent out
a public announcement that all people should update their clients and
access points / routers if possible or contact their vendors for updates.

The phones are ringing with customers, CTOs and so on. All want to have a
status about this issue and a deadline for when it is fixed.

Yes, the major problem is the clients, but the access points and controllers
should be fixed also and I expect that I get some help from my wireless system
to detect the problem on the clients if I have a managed wireless solution,
not one single access point.

Our company has already rolled out the patches for our clients.
Even Microsoft has the patches already in place.

For me it looks like Ruckus has ignored the advisory and now they
try to react to it. This has nothing to do with enterprise support!!

There is absolutely no excuse for this!!

For me the trust in your security support is gone, and there must
be very good arguments that we will stay with Ruckus after our contract
ended.


* because of how it happened (see what I expected)

25 Messages • 474 Points

Amen to that.

90 Messages • 1.8K Points

Yes, they could have been out faster - but as the statement now says, it's only an issue if you turned on 802.11r on your SSIDs or use Mesh networks (which, I hope, you don't).
How can you ask Ruckus to list what clients are affected??
Calm down, and be professional - there have been tons of security issues in IT in the past, and the world is not ending due to that.

If you have customers that rely on WPA only, then they deserve to be under attack.

20 Messages • 344 Points

I'm sorry, but I don't agree with this. No one in this thread has asked Ruckus to list what clients are affected. The issue most have is Ruckus took so long to even acknowledge there was an issue.

90 Messages • 1.8K Points

@Steven.
Yes, the post above, in which this is a reply to, asks:
* How to detect clients with this problem
* For which clients are updates available
Ruckus can never be the one to provide that info.

34 Messages • 708 Points

BTW, there is a GitHub repo maintaining a list of vendor responses: https://github.com/kristate/krackinfo . Go to Vendor Response Matrix and see client updates.

Regards, 
Alex

8 Messages • 170 Points

3 years ago

Does anyone know how 7731 bridges are affected by this?

Brand User • Former Employee • 2.6K Messages • 44.8K Points

For 7731, P300, and mesh deployments, there is no known workaround for CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081.  However, because Ruckus products use CCMP for Mesh and bridging connectivity, exploitation of these vulnerabilities is made significantly difficult, as per Section 6.1 of the Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 report.

2 Messages • 90 Points

Regarding 7731: So there goes an otherwise fully functional, still going strong, work horse bridge between our two offices? Discontinued product = no patch?

Or..?

 

8 Messages • 170 Points

The 7731 has reached End of Sale but has NOT reached the End of Software Development.  Ruckus owes us a patch for the 7731's.

20 Messages • 344 Points

I would like an update on this for the 7731 as well. The Security Advisory only mentions a patch for the P300, nothing about the 7731. 

2 Messages • 90 Points

They've updated the bulletin to include the 7731. No date set for the fix but it is on the list.
https://ruckus-www.s3.amazonaws.com/pdf/security/faq-security-advisory-id-101617-v1.2.txt

3 Messages • 190 Points

3 years ago

Open-Mesh announced they will have a firmware upgrade this afternoon (10/17/2017). Open-Mesh, the product which gives you a free lifetime license for their cloud controller, you just need to purchase the hardware. Not sure why it's taking Ruckus so long.

12 Messages • 292 Points

3 years ago

Ruckus, you better get your crap together and resolve this. You're already being snickered at in a few of the sysadmin mailing lists I'm part of.

In a couple more days those snickers are going to turn into something much more damaging. Because you're such a big player in the wifi market, you're already getting mocked for not having a fix ready when it was announced, but at least right now you're lumped in with tons of other companies.

As the days go on those other companies are going to deliver their patches and you're going to be left out in the rain, tossing excuses and copy pasta to frustrated sysadmins with leftover end of year budgets they'll rightfully decide to spend somewhere else.

We love our Ruckus products but your lack of progress in this matter means to be secure, we may have to turn off our products, and we can't have that in our organization, so we're simply forced to switch vendors.

1 Message • 146 Points

3 years ago

Is it safe to assume that Ruckus doesn't give a damn about their paying customers, right? Since the patches are nowhere to be seen... I would like to ask the community for Ubiquiti recommendations since we'll most likely be moving over.