Skip to main content
Brand User

Wed, Oct 18, 2017 11:48 PM

WPA2 KRACK Questions & Answers - Resource page

Greetings,

    Much concern about possible impact of announced WPA2 KRACK vulnerabilities, and Ruckus would
like to provide information and answer your related questions.  Please view the WPA2 KRACK support
resource center page:

https://support.ruckuswireless.com/krack-ruckus-wireless-support-resource-center

   There are knowledge base articles that describe Rogue Detection, and details on checking 802.11r
enable/ disable state, link to a TME blog on the problem, and industry links related to WPA2 KRACK flaws.
Information regarding specific platform firmware patch release availability will be provided shortly.

Responses

20 Messages

 • 

344 Points

3 years ago

Is there anything on the 7731 bridge? The only thing listed in the patches is the P300 bridge. 
For the 7731
End of Software Development & Maintenance: October 31, 2017

824 Messages

 • 

13.2K Points

steven...
since ZF7731 does not use mesh and 802.11r...  hence this product is not vulnerable..

20 Messages

 • 

344 Points

I don't believe that is correct. The non-root bridge behaves just as a client would, and an attacker could force a channel change then intercept the new 4-way handshake. 

Also, if bridges aren't affected why is the P300 being patched...
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

Monnat is correct. P300 algorithm *is* based on Mesh, zf7731 is not, but.. they do behave like a client-AP and uses 4 way handshake.  We will need to patch the client side code in 7731 too. Still, lock down your channels and protect physical proximity. 

20 Messages

 • 

344 Points

That's good to know, I appreciate it. You mention locking the channel, I was unable to find a setting within the GUI and the guide doesn't mention it that I have found. Is this a CLI only command? If so can you point me to some documentation on it?
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

I just created a public visible KBA-6480 with this content:

If you have been instructed to "lock down" the 7731 point to point bridge frequency channel,
you can view the current channel in use, and configure the bridge to stay on this channel.

Figure 1:  Status::Wireless

Current channel in use is Channel 100, and the 7731 is currently set for SmartSelect channel algorithm.

User-added image


Figure 2:  Configuration :: Wireless :: Root Bridge

Use the Channel drop-down list to find the Channel 100 currently in use and click on it.
This will keep the Root Bridge AP setting on Channel 100.  (SmartSelect is default).

User-added image
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

3 years ago

While mgt determines how to provide a 9.2 version patch, you aren't at much risk since clients who can be compromised aren't likely connecting to your PtP bridges... 

20 Messages

 • 

344 Points

3 years ago

This bridge provides internet to a building that contains our HR department. Anything greater than 0 is considered a risk. 
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

If the bridge or mesh AP channel is static, the AP is not vulnerable to MITM attack, which is a necessary part of the replay attack.  Find your best PtP link channels, and lock them down for 0 risk.
Brand User

Employee

 • 

25 Messages

 • 

630 Points

3 years ago

We have updated the KRACK - Ruckus Wireless Support Resource Center page with the following additional technical information and documents:
  1. Current schedule for patch release dates for the following products:  P300, SmartZone, Ruckus Cloud, Unleashed, Xclaim, and ZoneDirector
  2. KRACK WPA/WPA2 Vulnerability Mitigation "Cheat Sheets" for the following products:  Unleashed, vSZ 3.5 (vSZ-E, vSZ-H, SZ-100), vSZ 3.4 (vSZ-H, SCG200, SZ300), and ZoneDirector
Allan.

2 Messages

 • 

74 Points

It would be nice if KB articles referred to here did not have "To access that KB Article please upgrade your support account" level access. Open them up.
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

You're correct Lawrence, thanks. 

I've set the relevant KBAs open to Public viewing, and they should be visible to guests after the next 6hr Support site update period.

2 Messages

 • 

74 Points

Thank you. Long time Ruckus AP user for my home (!) and non-profit political campaigns, so don't pay for any support :).
Brand User

Former Employee

 • 

2.6K Messages

 • 

44.8K Points

Our Forum Community can help you out with most anything but bugs.

19 Messages

 • 

290 Points

Michael Brado, the Target Patch Release Date https://support.ruckuswireless.com/krack-ruckus-wireless-support-resource-center for ZD version 10.0.1 is 30 october 2017.
It is now 30 october end of business day in europe but i do not see any download links or updates that the patch has been postponed. 
When are the download links available for public ?
 

Brand User

Employee

 • 

25 Messages

 • 

630 Points

3 years ago

New content for the KRACK Resource Center web page:  KRACK Explained - YouTube video

Allan.

16 Messages

 • 

244 Points

3 years ago

What about stand alone AP's? Are the latest stand alone firmware updates patched?