allan_grohe • Brand User • Employee • 64 Messages • 1.3K Points

Tue, May 11, 2021 6:06 PM

FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

At 11:00am PDT today, the Wi-Fi Alliance announced a new Wi-Fi security vulnerability, FragAttacks.

The FragAttacks - RUCKUS Technical Support Response Center is our central web page that brings together all of the RUCKUS-related information you need to address FragAttacks, including:

In addition, the RUCKUS senior technology leadership has prepared resources to explain the nature and impact of the FragAttacks vulnerabilities, including technical blogs, videos, and podcasts.  These are all linked on the FragAttacks - RUCKUS Technical Support Response Center web page.

Please use this thread as a central location for your FragAttacks questions and concerns.  Doing so will help to ensure that we can respond as quickly as possible to your issues as you raise them. 

Thank you!

Allan Grohe

Allan.

==

Allan T. Grohe Jr.

Knowledge Management Program Director
for RUCKUS Customer Services & Support

Responses

Official Solution • Official Rep • 1.2K Messages • 16.6K Points • 4 m ago

Hi All,

As of today (12th May 2021), a fix is available for the products/versions below.

For other products/versions, please follow the FragAttacks technical support page.

| Platform | Release | Target Patch Release Date | Download link and exact fix version |
|---|---|---|---|
| RUCKUS SmartZone and Virtual SmartZone | 5.2.2 | 11-May-21 | AP Patch 5.2.2.0.1016 must be applied to 5.2.2 GA controller version 5.2.2.0.317 |
| RUCKUS ZoneDirector | 10.4.1 | 10-May-21 | ZoneFlex 10.4.1.0.257 (GA Refresh4) Software Release for ZD1200 |
| RUCKUS Unleashed | 200.9 | 10-May-21 | Click here >> Go to Download >> Find your desired AP model and respective download link for 200.9.10.4.243 version |

Note: The release notes may not have the information about the FragAttacks fix; we will update the release notes soon.


Official Rep • 1.2K Messages • 16.6K Points

In addition to my previous comment, we are also updating our FragAttacks Technical Support Page and direct download links are also available there.


Regards,

Syamantak Omer

4 Messages • 96 Points

Any plan to patch or advise for ZD 1100 & ZD 3000?

Thanks.

Official Rep • 1.2K Messages • 16.6K Points

Hi Hendri,

Please refer to the support page and check if you can upgrade to the closest supported firmware version.

For ZD1100, we are checking with the concerned team.

As of now, you can upgrade to the versions below (once available) to fix the issue.

Regards,

Syamantak Omer

4 Messages • 96 Points

Thank you! Much appreciated!

Official Solution • Official Rep • 1.2K Messages • 16.6K Points • 4 m ago

Hi All,

A fix for Unleashed 200.7 has been released on our support site.

For different AP models, Unleashed 200.7.10.202.127 MR6 software images can be found at the link below.

https://support.ruckuswireless.com/software?query=200.7.10.202.127

Our FragAttacks support page has also been updated with this information.

https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center

Official Solution • Official Rep • 1.2K Messages • 16.6K Points • 4 m ago

Hi All,

A fix for SZ/vSZ 6.0.0 as an AP patch was released on our support site (on 23rd May 2021).

Below is the link for the AP patch.

https://support.ruckuswireless.com/software?query=6.0.0.0.1640

Instructions to upload the patch can be found here and instructions to change AP zone firmware can be found here.

Our FragAttacks support center page has also been updated with this information.

Official Solution • Official Rep • 1.2K Messages • 16.6K Points • 3 m ago

Hi All,

A fix for SZ/vSZ 3.6.2 as an AP patch (3.6.2.0.788) has been released on our support site.

Below is the link for the AP patch.

https://support.ruckuswireless.com/software?query=3.6.2.0.788

Instructions to upload the patch can be found here and instructions to change AP zone firmware can be found here.

Our FragAttacks support center is not updated yet with this info; we will get it updated soon.


Official Rep • 1.2K Messages • 16.6K Points

The FragAttacks support center page has been updated with this information.

Regards,

Syamantak Omer

Official Solution • Official Rep • 1.2K Messages • 16.6K Points • 2 m ago

Hi All,

A fix for SZ/vSZ-FIPS 5.1.2.3 has been released on our support site.

Below is the link for all the software downloads and documents.

https://support.ruckuswireless.com/software?query=5.1.2.3.1232

Our FragAttacks support center page has also been updated with this information.

40 Messages • 778 Points • 4 m ago

I see that the required update for ZoneDirector is Premium Support Only. The previous 10.4 update (238) was also Premium Support Only.

Is it now Commscope policy that paying for Premium Support is required to have a safe network?

Official Rep • 1.2K Messages • 16.6K Points

We are looking into this and will update soon.

Thanks for the patience and cooperation.

Regards,

Syamantak Omer

19 Messages • 376 Points

@syamantak_omer 

Same issue and question for the latest Unleashed patch, as well as the release notes, which are also behind a paywall.

Official Rep • 1.2K Messages • 16.6K Points

Hi Harold,

For Unleashed, you can upgrade directly from the OTA server, once the firmware is available.

Regards,

Syamantak Omer

Brand User • Employee • 64 Messages • 1.3K Points

I have updated all of the FragAttacks-related software images and release notes to be available to "All Users" instead of "Premium Support Users" only.

I apologize for that oversight:  it was our intention when all of the files went live yesterday that they be available to all users, but the IT database publishing update also overwrote the All Users permission with the Premium permission. 

Allan.


==

Allan T. Grohe Jr.

Knowledge Management Program Director
for RUCKUS Customer Services & Support

437 Messages • 5.5K Points • 4 m ago

Hi,

I want to emphasize that normally new firmware can't be installed if the ZD isn't under active support. The Release Notes state that this check is suspended for some time, to allow patching all systems, with or without support.

It is a really very responsible step from Ruckus and must be clearly stated in BIG LETTERS on the same page as the list of download links to encourage immediate action!

What about version 9.8-9.9 -- as Ruckus APs have a very long useful life, there are still many 802.11n networks in operation and even 802.11g - it is extreme, but there is a network with ZF2942 APs (in a 4-star hotel, installed by us in 2007, and still "good enough not to be replaced yet" for hotel management!). Of course, these networks have no support, as they can't upgrade to the latest versions anyway (APs and even controllers are not supported).

Are there any plans to get patches to version 9.9 or similar, which allows managing older APs? At least for a version supporting ZF7372/52, ZF7982, etc.

I know that it is better to replace them, but it is not going to happen for quite a while. As long as 802.11n service is still acceptable, they will stay around, secure or not.

There is, of course, a question about patch efficiency -- as you can never guarantee that all devices connected to the network are patched, is patching a network really efficient? I understand that without patching APs, you can't fix the vulnerability at all, but if there is a big part of unpatched clients, will this provide any real improvement?

For really critical networks -- is there a way to block vulnerable clients on WiFi level, or the only chance for that is NAC?


Official Rep • 1.2K Messages • 16.6K Points

Hi @eizens_putnins ,

Most of the queries above are already answered on our FragAttacks support page.

Please refer to the page from here.

I am trying to answer a few queries here.

  1. Yes, you can upgrade the ZD even if you don't have a support entitlement. Try to sync the license online from the ZD, or reach out to support and request a temporary entitlement.
  2. Without patching APs and clients, the fix is useless, so yes, devices on both sides need to be patched.
  3. However, there are some vulnerabilities which can be patched just by APs but not all, hence patching both sides is strongly recommended.
  4. It could be hard to patch devices that are already EOS/EOL. I am still checking this internally.

You can refer to the detailed information on the FragAttacks support page.


Regards,

Syamantak Omer

10 Messages • 150 Points

Just to clarify, because the FragAttacks report is really that complex and complicated. The report contains 12 distinct vulnerabilities and some are targeted at APs, some are at clients, and some are at both. To prevent all 12 CVEs contained in the report, both APs and client devices need to be patched. Patching just the APs will prevent some of the vulnerabilities, but not all of them. It will, however, reduce the attack vectors available, especially with older client devices that might not get patched thanks to a lot of different factors.

For those critical networks, refer to this page from the support site for additional help: https://www.commscope.com/fragattacks-commscope-ruckus-resource-center/wifi-fragattacks-what-you-need-to-know/

For those who want to get even more into the attacks, you can also check out this post: https://jimswirelessworld.wordpress.com/2021/05/11/fragattacks-just-reinforces-the-it-depends-complexity-of-wi-fi/

4 Messages • 96 Points

Just FYI, as informed by syamantak_omer, I could upgrade the ZD even if I don't have a support entitlement. Just download the img file, then upgrade. Mine was automatically given 30 days of Support after the upgrade.

Or contact Support, where they'll give a grace period support file to upload to the ZD.

Official Rep • 1.2K Messages • 16.6K Points

Hi @hendri_marzuki ,

Thanks for the feedback and good to know that you were able to upgrade your ZD.

Regards,

Syamantak Omer

4 Messages • 96 Points

Thanks! I'm just hoping there will be a patch for ZD1100, as the latest FW is version 9.10.2.0.130.

Another thing, we still have ZF7363 in operation, which makes it difficult to upgrade to FW 10 that has the patch. Fingers crossed.....

11 Messages • 198 Points • 4 m ago

I see firmware branch 10.3.x isn't mentioned. We have a ZD 1200 with R700 APs on this branch.

Any mention of releasing a fix for the 10.3.x ZD branch?

Official Rep • 1.2K Messages • 16.6K Points

Hi Alaxander,

Could you confirm how many APs you have on this ZD1200?

Regards,

Syamantak Omer

11 Messages • 198 Points

Only 3 APs, and all three are R700, hence why I'm on the 10.3.x branch (R700 isn't supported on 10.4.x).

14 Messages • 320 Points • 4 m ago

Goodnight,

Will the 7300 series be included in this patch, specifically the 7351?

Official Rep • 1.2K Messages • 16.6K Points

Hi @s61 ,

Please check the FragAttacks support center page for all the possible fixed software versions.

If any new versions get fixed, it will be updated on the support center page.

Regards,

Syamantak Omer

14 Messages • 320 Points

Okay, thank you!

1 Message • 60 Points • 4 m ago

Hi

I'm on ZD1200 10.1.2.0 build 318, because I have many R300 and version 10.2 doesn't support this AP.

Do you have a plan to release a 10.1 version for FragAttacks?

Thanks.

Official Rep • 1.2K Messages • 16.6K Points

Hi Olivier,

We are in discussion with the internal team and we will provide more info by early or mid next week.

Your patience and cooperation are appreciated.

Regards,

Syamantak Omer

9 Messages • 200 Points • 4 m ago

Does 200.10.10.5.229 firmware include the FragAttacks mitigations?

Official Rep • 1.2K Messages • 16.6K Points

Hi Lenno,

Yes, it has the fix built in.

Regards,

Syamantak Omer

3 Messages • 80 Points • 3 m ago

Hi, has the AP patch for SmartZone versions 5.1.2.3 and 5.2.1.3 been delayed?

The FragAttacks Support Center page says the target release date for these was the 16th of June but I cannot locate anything new in the Downloads section for SmartZone.

Official Rep • 1.2K Messages • 16.6K Points

Hi Elliot,

There is some delay in delivering the pending patches; we are working continuously with the chip vendor to get the fix released as soon as we can.

We will update the page with new dates for pending patches.

We appreciate all the patience and cooperation!

Thank you.

Regards,

Syamantak Omer

Official Rep • 1.2K Messages • 16.6K Points

Hi Elliot,

New target dates have been updated.

Regards,

Syamantak Omer

3 Messages • 80 Points

Thanks Syamantak.

Did you put the correct date? If so, it's wrong again. :-)

Brand User • Employee • 64 Messages • 1.3K Points

Engineering is squeezing in some additional fixes, so I've just updated the release dates for the SZ/vSZ 5.1.2.3 and 5.2.1.3 FIPS releases to 7 July.

And do please note that these are FIPS releases, not standard SZ/vSZ releases. 

Allan.


==

Allan T. Grohe Jr.

Knowledge Management Program Director
for RUCKUS Customer Services & Support

3 Messages • 80 Points

Are there any plans for a non-FIPS AP patch for 5.1.2.3 and 5.2.1.3?

3 Messages • 90 Points • 1 m ago

I have this scenario:
Ruckus Virtual SmartZone - High Scale
Controller Version 5.1.1.0.598
My question is: do I have to upgrade my controller to 5.2.2 to apply the scg-ap-5.2.2.0-1016.patch (frag attack patch)?
Thanks!

Official Rep • 1.2K Messages • 16.6K Points

@camilo_avancini apply the latest AP patch 5.2.2.0.1026.

https://support.ruckuswireless.com/software_terms_and_conditions/3085-smartzone-ap-patch-for-post-5-2-2-gd-refresh

The same information is given on the FragAttacks support center page.

 

Regards,

Syamantak Omer
