Skip to main content
marko_teklic's profile

Mon, Oct 16, 2017 6:27 AM

Answered

Severe flaw in WPA2 - cracked

Responses

66 Messages

 • 

1.2K Points

3 years ago

I'm sure this will not be a popular comment but, I think some of these comments are blown way out of proportion.  I also am not happy about Ruckus's delay of response and available firmware updates given the lead time they've been given.  But they don't have it.  I wouldn't apply the new code immediately anyway until some of you bled on it.  I'm willing to bet that most of us have bigger security issues to deal with than a proof of concept hack on a single device, which requires them to be physically on-site, setup a rogue AP and write there own code for the exploit, as the code to exploit the vulnerablity isn't in the wild, then they might gain access to someones facebook feed.  LOL

In addition can I borrow some of your budget dollars so I can jump vendors whenever I'm unhappy with their performance.  Thats a luxury that I cannot afford, time or money wise.   :)

16 Messages

 • 

482 Points

I hope you don't work in an industry where you need to meet compliance or privacy regulations Todd, because the effort or proximity required for the attack doesn't mean anything at all to the overseeing organizations. I would imagine folks interested in taking advantage of this already have a wifi pineapple and a kali linux machine - maybe even some code to work off of now that smarter nerds know exactly how this all works. It's not hard to make a business case to deploy new WAPs when you already own the expensive ones from the vendor that is slow to respond to security incidents.

222 Messages

 • 

3.6K Points

Hi Jesse, please don't take this comment as me defending Ruckus, it isn't, but if you are 'unlucky' enough to work in a sector that requires yo to meet privacy and or compliance regulations then you most likely have a fully functioning and very highly tuned WIDS/WIPS which will give you more protection to this issue than some of the other guys posting on here. 

On the basis that all this vendor bashing seems to be falling on deaf ears, on the basis that no one other than Michael from the vendor has bothered to comment on their own forum and we still dont have a patch. I would suggest that the tit for tat between users is pointless.

Remember, we all want the same thing.

Maybe we would be better spending our time offering advice to each other on how to mitigate the threat in the meat time until a patch is released because ultimately, it will come out before anyone on this thread has a chance to switch vendor.

16 Messages

 • 

482 Points

Robert,

I'm not "unlucky" because I have regulations to keep in mind. You would be lucky if your users just browse Facebook all day like Todd. Just because you are subject to regulations doesn't mean you have additional budget/staff to put a WIDS/WIPS in place, they typically spend that on a robust properly configured AP (that gets timely support). In our case we don't administer every customer network post sales cycle. The only thing more frustrating than how Ruckus has handled this is the people trivializing their commitment to the issue and it's resolution.

Follow me here... Their official release plays down the vulnerability and then says:
"Ruckus will be releasing security patches to address all above mentioned vulnerabilities. It is recommended that customers upgrade their network(s) with these patches as soon as they become available."

If it isn't a big deal, and doesn't affect your customers, why patch it at all - ever? Because it IS worth fixing... Sometime... When you decide to switch partners in this case, it's not because a patch isn't available at that moment, it's because of the damage done.

222 Messages

 • 

3.6K Points

Hi Jesse, apologies if i offended you, my comment was not meant to. There may be a few people trivialising this issue but no more than there are people blowing out of proportion.

This is my opinion:
Is it a valid vulnerability? Yes.
Does it need to be patched? Yes.
Even after the patch is the full threat nullified? Not unless you have 100% governance over every client on your WLAN's and can ensure they are all patched.
Is it relatively difficult to actually take advantage of? Yes.
Even if you are attacked, is it likely to cause a large scale security breach? Unless you are unlucky enough to have them capture traffic on a single MiTM attack for a user who is sending sensitive data upstream on an unpatched client, in an areas serviced by unpatched mesh AP's or a WLAN configured with 802.11r, no.

I appreciate it is annoying, and i have had to answer questions today from my customers about how long it has taken Ruckus to post an advisory and how long it will take for a patch but thats part of being in tech. There's a serious security treat almost every month, this month its WiFi's turn. 

Yes Ruckus' comms haven't been what would be expected of a top enterprise WiFi vendor, and im sure that many of us will be having conversations with our reps over the coming days but hopefully they will learn from this. 

16 Messages

 • 

482 Points

Robert,

None taken really, and I agree with your points above. I think it's another question of industry whether or not the big issue is if you could potentially snoop something significant in clear text to bring down the organization. In our case it isn't really about that.

The thing about regular security threats in IT is that you typically spend your money with folks you expect to fix things in a timely manner and exhibit exceptional communication. I don't think we hit either of those marks as we can both agree. So do you stick with somebody that predominately works in the industry they have a lackluster response in? Is this due to all the mergers, etc that have happened over the past year with them? I don't know, nor frankly do I care. I expect more from the company than device up-time.

Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

3 years ago

Thank you valued Customers and Partners for your patience as final action plans have been worked out.

(In response to questions such as “where is my patch” and “why is this taking so long”?)

 

Providing patches for affected products is our first concern and we understand its urgency to your business. We expect patches for most firmware releases to be available on October 30th, with all patches to be completed by November 15th. In the interim, the following steps will minimize risk:

-  Disable 802.11rwherever enabled. This step eliminates the short-term need for patches to Ruckus infrastructure in all but the two scenarios described below.

-  Enable rogue detectionmechanisms and ensure clients connecting to a rogue AP are de-authenticated.

-  Patch client devices asthose patches become available. Unpatched clients will continue to be a risk tonetwork security, regardless of what other steps are taken.

 

With the above steps taken, two Ruckus use cases and products continue to pose a network security risk: meshed APs and point-to-point links. That risk is minimized through use of rogue AP detection and subsequent corrective action.

 

Full protection against KRACK will be assured once all infrastructure software has been updated (and 802.11r re-enabled) and all clients have been updated.

 

Note: Ruckus will provide software updates to anyone requesting them, regardless ofsupport contract status.

65 Messages

 • 

1.2K Points

Really? Sometime between October 30th and November 15th? Ruckus had known about this for how long? Has Ruckus bothered to see how quickly their competitors got patches out? Impressive to see how succinctly the ball has been dropped here.

7 Messages

 • 

306 Points

Hi Michael,

have you seen my statement to this issue.  I think your statement can be the seen as first step to bring it on track. Especially:

"
Note: Ruckus will provide software updates to anyone requesting them, regardless of support contract status."

Plese take a look at my posting:

https://t.co/uVikcz9kRF

Can you give some statements to this?

Now tthe problem exists that ruckus was not ready for this problem. So let us not do
the fingerpointing let us find solutions. As described in my posting I see some expections:


1. really fast update availability, even for older systems and without contract*

2. transparent communication what went wrong and why

3. better documentation and reporting how to fix the problem in our company's,
   not even on the wireless system side:

    * How to detect clients with this problem
    * For which clients are updates available


You have us shown point 1 about the speed we can discuss but it is
necessary that the patches are stable and working. So If you have startet with
the development too late the dates you announced are fine from my point if view.

Now my points 2 and 3 is missing. Can you tell us something about it and can you make it public please?

To get the trust from your userbase it is necessary to show us what went wrong and why and what will be take in place to prevent this happening the next time.

1 Message

 • 

60 Points

Note: Ruckus will provide software updates to anyone requesting them, regardless ofsupport contract status.

How exactly would this happen, should I open a ticket for our contract-less ZD5000 controllers, and Ruckus will provide update images?

37 Messages

 • 

592 Points

3 years ago

Disappointing response from Ruckus. If other major vendors were able release a patch after lifting the embargo, why can't Ruckus? Disabling 802.11r mitigates risk for now but I've deployed many Mesh APs on one of our clients because of structured cabling challenges.

20 Messages

 • 

344 Points

3 years ago

I'm just surprised they didn't push it off on a VAR to fix, that's what they have been doing for support at my company :D 

16 Messages

 • 

410 Points

3 years ago

@Michael Brado

As per your earlier statement "Note: Ruckus will provide software updates to anyone requesting them, regardless of support contract status"

Can you please explain the process of how to perform software updates on ZD's with expired contracts.  Who we may have to contact etc etc.

I have the following ZD's i'd like to upgrade when the patches are made available approx. Oct 30.
ZD 1106 9.8
ZD 1200 9.9
ZD 1200 9.13
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

Hi All,

   The WPA2 patch firmware will also be provided to customers who don't currently
have active support contracts, * but you will need to create a "Guest" account on our
Support portal.  Please do this in advance if you don't have one now.

   All Guest users should to be able to access/read the Ruckus Warranty and Software
License Agreement on our Programs page for example, which is Published with Available
to Anyone status:
https://support.ruckuswireless.com/programs 

   Login and test the above link, or if prompted to login, please Register with us here:
https://support.ruckuswireless.com/registration

   First patch firmware will be made available on Monday (10/30/17). Thanks and best 
regards.

222 Messages

 • 

3.6K Points

Hi Michael, you say that "firmware will be provided to customers who dont currently have active support contracts" but i see no mention of this in the RN's. So, for example, how would i go about applying 9.10.2 to a ZD that has expired support contract? I cant initiate the upgrade because i have an expired support entitlement file on the controller.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

ZD firmware with WPA2 patches are not restricted to Premium support accounts.  Just create a guest account on our Support site to download them.

Licensing/Entitlement that is ordinarily enforced in order to perform an upgrade on a ZD, that checks with our server, will provide No Entitlement Required
for 30 days.

All current ZD customers can take advantage of this opportunity for upgrades.

Please try an upgrade Robert, and confirm you could do so ok?  (meaning our 30 days open entitlement is working)

222 Messages

 • 

3.6K Points

Thanks Michael, I'll get this checked out. Just a couple more questions on this if its ok:
When did the 30 days timer start?
For the entitlement check, what if the ZD doesn't have access to check with the server and the local license file has expired? 

Realize im throwing curve balls but we have multiple customers who all have very different scenarios. 

16 Messages

 • 

410 Points

I thought I'd update my question with my own answer and explain the process I had to perform on the ZD's without support contracts so I could patch them for the krack attack.

I contacted Ruckus Support via https://support.ruckuswireless.com/contact-us I started an online chat session and explained the scenario.  The rep I originally spoke to said he would have to escalate it to the engineers and someone would contact me.  Within a very short period of time (can't recall but it was fast), someone reached out to me via email to let me know they'd contact me by phone in 15 mins.  I explained the situation, then replied to their original email with my ZD serial numbers.  

They replied a short time later with 3 entitlement files (aka support contracts) and I could upload those to the Administer >> Support tabs on each ZD.

Two of the entitlement files were for one day only (they were the oldest ZD's I had without a support contract.  I had to follow the support path which mean updating from 9.8.x -> 9.9.x ->9.10.x -> 9.12 -> 10.0.1.0 (or something very similar, refer to the update documents to see the exact path you need to follow)

The rep told me they would expire in one day whether or not I would use them and he wanted me to perform the first update with him over the phone so he knew it was going to work.  Once I performed the first update successfully I let the rep go so I could let him assist other people.  It took a bit of time to follow the support path but I was able to successfully upgrade the ZD's without support contract thanks to the Support Team at Ruckus. 

The ZD's support contract expired on the next day but everything was up to date.  The third support contract was for a bit longer, but none of them was for 30 days.

I have to say, I am not a fan of the 10.0.x UI... I really miss the dash board with all the important info like Serial Number, Software Version, Up Time and the customized widgets we could setup.  The important factor is the systems are now protected.

Regardless, the updates were successful thanks to Ruckus for letting us do that!

222 Messages

 • 

3.6K Points

3 years ago

Interested to know if anyone has had any response from Ruckus about older versions of code and if patches will be available. Their official announcement on when a patch will be available only goes back to 9.10
https://support.ruckuswireless.com/krack-ruckus-wireless-support-resource-center?_ga=2.221041560.149...

90 Messages

 • 

1.8K Points

Do you have anything running that will not support 9.10?

Edit: Would be if you have ZoneFlex 7025 AP's running... 

222 Messages

 • 

3.6K Points

Yes, i know of a couple of customers which are 9.7 and also do not have software support.

90 Messages

 • 

1.8K Points

And if Ruckus provide an upgrade for free to 9.10, your only concern is: Are there any AP's running on their systems that is not supported on 9.10..

222 Messages

 • 

3.6K Points

If upgrade to 9.10 is free. My concern is how to get the customer to 9.10 if they have unsupported AP's like 7025. Especially as there is no longer the 7055 which was a halfway house in the respect that it was supported on older versions and spanned the gap to H500. 

90 Messages

 • 

1.8K Points

I guess you will have to reach out to Ruckus when it's released on monday, if the path is not clear, and your customers are stuck on old systems.Or you have to explain your customers that they are on many-year-old systems that is simply way out of support.. and should be written off years ago.

Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

3 years ago

With an update on this thread, see current WPA2 KRACK patch relase details on the Support
Resource Center page:

https://support.ruckuswireless.com/krack-ruckus-wireless-support-resource-center

There are SmartZone updates for 3.1.2, 3.2.1, 3.4.2, 3.5.1, ZoneDirector 9.7.2, 9.8.3,
9.9.1 (12/22/17), 9.10.2, 9.12.3, 9.13.3, 10.0.1, Unleashed 200.5, Ruckus Cloud 17.01b42
Xclaim 2.2.0.0.39, and P300 100.1 and yesterday zf7731 9.2.0.0.181 for Point to Point bridges.

We've also posted SmartZone AP CLI scripts to diable EAPOL retries in zone versions
3.1.2, 3.2.1, 3.4.2, 3.5.1, and 3.6.0 to provide protection to vulnerable wireless clients.

- Michael