Severe flaw in WPA2 - cracked

I hope you don't work in an industry where you need to meet compliance or privacy regulations Todd, because the effort or proximity required for the attack doesn't mean anything at all to the overseeing organizations. I would imagine folks interested in taking advantage of this already have a wifi pineapple and a kali linux machine - maybe even some code to work off of now that smarter nerds know exactly how this all works. It's not hard to make a business case to deploy new WAPs when you already own the expensive ones from the vendor that is slow to respond to security incidents.

Hi Jesse, please don't take this comment as me defending Ruckus, it isn't, but if you are 'unlucky' enough to work in a sector that requires yo to meet privacy and or compliance regulations then you most likely have a fully functioning and very highly tuned WIDS/WIPS which will give you more protection to this issue than some of the other guys posting on here. 

On the basis that all this vendor bashing seems to be falling on deaf ears, on the basis that no one other than Michael from the vendor has bothered to comment on their own forum and we still dont have a patch. I would suggest that the tit for tat between users is pointless.

Remember, we all want the same thing.

Maybe we would be better spending our time offering advice to each other on how to mitigate the threat in the meat time until a patch is released because ultimately, it will come out before anyone on this thread has a chance to switch vendor.

Robert,

I'm not "unlucky" because I have regulations to keep in mind. You would be lucky if your users just browse Facebook all day like Todd. Just because you are subject to regulations doesn't mean you have additional budget/staff to put a WIDS/WIPS in place, they typically spend that on a robust properly configured AP (that gets timely support). In our case we don't administer every customer network post sales cycle. The only thing more frustrating than how Ruckus has handled this is the people trivializing their commitment to the issue and it's resolution.

Follow me here... Their official release plays down the vulnerability and then says:
"Ruckus will be releasing security patches to address all above mentioned vulnerabilities. It is recommended that customers upgrade their network(s) with these patches as soon as they become available."

If it isn't a big deal, and doesn't affect your customers, why patch it at all - ever? Because it IS worth fixing... Sometime... When you decide to switch partners in this case, it's not because a patch isn't available at that moment, it's because of the damage done.

Hi Jesse, apologies if i offended you, my comment was not meant to. There may be a few people trivialising this issue but no more than there are people blowing out of proportion.

This is my opinion:
Is it a valid vulnerability? Yes.
Does it need to be patched? Yes.
Even after the patch is the full threat nullified? Not unless you have 100% governance over every client on your WLAN's and can ensure they are all patched.
Is it relatively difficult to actually take advantage of? Yes.
Even if you are attacked, is it likely to cause a large scale security breach? Unless you are unlucky enough to have them capture traffic on a single MiTM attack for a user who is sending sensitive data upstream on an unpatched client, in an areas serviced by unpatched mesh AP's or a WLAN configured with 802.11r, no.

I appreciate it is annoying, and i have had to answer questions today from my customers about how long it has taken Ruckus to post an advisory and how long it will take for a patch but thats part of being in tech. There's a serious security treat almost every month, this month its WiFi's turn. 

Yes Ruckus' comms haven't been what would be expected of a top enterprise WiFi vendor, and im sure that many of us will be having conversations with our reps over the coming days but hopefully they will learn from this. 

Robert,

None taken really, and I agree with your points above. I think it's another question of industry whether or not the big issue is if you could potentially snoop something significant in clear text to bring down the organization. In our case it isn't really about that.

The thing about regular security threats in IT is that you typically spend your money with folks you expect to fix things in a timely manner and exhibit exceptional communication. I don't think we hit either of those marks as we can both agree. So do you stick with somebody that predominately works in the industry they have a lackluster response in? Is this due to all the mergers, etc that have happened over the past year with them? I don't know, nor frankly do I care. I expect more from the company than device up-time.

Really? Sometime between October 30th and November 15th? Ruckus had known about this for how long? Has Ruckus bothered to see how quickly their competitors got patches out? Impressive to see how succinctly the ball has been dropped here.

Hi Michael,

have you seen my statement to this issue.  I think your statement can be the seen as first step to bring it on track. Especially:

"Note: Ruckus will provide software updates to anyone requesting them, regardless of support contract status."

Plese take a look at my posting:

https://t.co/uVikcz9kRF

Can you give some statements to this?

Now tthe problem exists that ruckus was not ready for this problem. So let us not do
the fingerpointing let us find solutions. As described in my posting I see some expections:


1. really fast update availability, even for older systems and without contract*

2. transparent communication what went wrong and why

3. better documentation and reporting how to fix the problem in our company's,
   not even on the wireless system side:

    * How to detect clients with this problem
    * For which clients are updates available


You have us shown point 1 about the speed we can discuss but it is
necessary that the patches are stable and working. So If you have startet with
the development too late the dates you announced are fine from my point if view.

Now my points 2 and 3 is missing. Can you tell us something about it and can you make it public please?

To get the trust from your userbase it is necessary to show us what went wrong and why and what will be take in place to prevent this happening the next time.

Note: Ruckus will provide software updates to anyone requesting them, regardless ofsupport contract status.

How exactly would this happen, should I open a ticket for our contract-less ZD5000 controllers, and Ruckus will provide update images?

Hi All,

   The WPA2 patch firmware will also be provided to customers who don't currently
have active support contracts, * but you will need to create a "Guest" account on our
Support portal.  Please do this in advance if you don't have one now.

   All Guest users should to be able to access/read the Ruckus Warranty and Software
License Agreement on our Programs page for example, which is Published with Available
to Anyone status:
https://support.ruckuswireless.com/programs 

   Login and test the above link, or if prompted to login, please Register with us here:
https://support.ruckuswireless.com/registration

   First patch firmware will be made available on Monday (10/30/17). Thanks and best 
regards.

Hi Michael, you say that "firmware will be provided to customers who dont currently have active support contracts" but i see no mention of this in the RN's. So, for example, how would i go about applying 9.10.2 to a ZD that has expired support contract? I cant initiate the upgrade because i have an expired support entitlement file on the controller.

ZD firmware with WPA2 patches are not restricted to Premium support accounts.  Just create a guest account on our Support site to download them.

Licensing/Entitlement that is ordinarily enforced in order to perform an upgrade on a ZD, that checks with our server, will provide No Entitlement Required
for 30 days.

All current ZD customers can take advantage of this opportunity for upgrades.

Please try an upgrade Robert, and confirm you could do so ok?  (meaning our 30 days open entitlement is working)

Thanks Michael, I'll get this checked out. Just a couple more questions on this if its ok:
When did the 30 days timer start?
For the entitlement check, what if the ZD doesn't have access to check with the server and the local license file has expired? 

Realize im throwing curve balls but we have multiple customers who all have very different scenarios. 

I thought I'd update my question with my own answer and explain the process I had to perform on the ZD's without support contracts so I could patch them for the krack attack.

I contacted Ruckus Support via https://support.ruckuswireless.com/contact-us I started an online chat session and explained the scenario.  The rep I originally spoke to said he would have to escalate it to the engineers and someone would contact me.  Within a very short period of time (can't recall but it was fast), someone reached out to me via email to let me know they'd contact me by phone in 15 mins.  I explained the situation, then replied to their original email with my ZD serial numbers.  

They replied a short time later with 3 entitlement files (aka support contracts) and I could upload those to the Administer >> Support tabs on each ZD.

Two of the entitlement files were for one day only (they were the oldest ZD's I had without a support contract.  I had to follow the support path which mean updating from 9.8.x -> 9.9.x ->9.10.x -> 9.12 -> 10.0.1.0 (or something very similar, refer to the update documents to see the exact path you need to follow)

The rep told me they would expire in one day whether or not I would use them and he wanted me to perform the first update with him over the phone so he knew it was going to work.  Once I performed the first update successfully I let the rep go so I could let him assist other people.  It took a bit of time to follow the support path but I was able to successfully upgrade the ZD's without support contract thanks to the Support Team at Ruckus. 

The ZD's support contract expired on the next day but everything was up to date.  The third support contract was for a bit longer, but none of them was for 30 days.

I have to say, I am not a fan of the 10.0.x UI... I really miss the dash board with all the important info like Serial Number, Software Version, Up Time and the customized widgets we could setup.  The important factor is the systems are now protected.

Regardless, the updates were successful thanks to Ruckus for letting us do that!

Do you have anything running that will not support 9.10?

Edit: Would be if you have ZoneFlex 7025 AP's running... 

Yes, i know of a couple of customers which are 9.7 and also do not have software support.

And if Ruckus provide an upgrade for free to 9.10, your only concern is: Are there any AP's running on their systems that is not supported on 9.10..

If upgrade to 9.10 is free. My concern is how to get the customer to 9.10 if they have unsupported AP's like 7025. Especially as there is no longer the 7055 which was a halfway house in the respect that it was supported on older versions and spanned the gap to H500. 

I guess you will have to reach out to Ruckus when it's released on monday, if the path is not clear, and your customers are stuck on old systems.Or you have to explain your customers that they are on many-year-old systems that is simply way out of support.. and should be written off years ago.