guest+pass

  • Question
  • Updated 2 years ago
Here is the thing: on a ZD3050 with firmware 9.8.2.0 build 15 I have a couple of guest SSIDs (say SSID1, SSID2 and SSID3). When we issue a new guest pass for SSID1, a visitor can use it to get internet access; everything works fine so far, BUT the moment the visitor types the guest pass into the browser and clicks "log in", a new page is generated which says "Authenticated", and a "Continue" button appears which needs to be pushed in order to browse further... But before clicking the "Continue" button, one can copy the link generated in the browser, paste it in a .txt file for instance, and use it on every computer, tablet and phone and for every SSID without the need to generate another guest pass!!!!!
This is a major security breach which affects us all. I don't know how to prevent it; any thoughts?

Marius Negrea

Posted 2 years ago

Michael Brado, Official Rep

Hi Marius,

I filed ER-2044 for possible guest access cookie vulnerabilities found in 9.8 code, and Ruckus engineering has resolved and incorporated a fix into current 9.10 GA release, with a flag used to prevent copying the URL/cookie info to another session. Thanks for your heads-up on the issue you found, and good news is we saw and fixed it too.
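
An added sketch, not part of the thread and not Ruckus's implementation, of one way a captive portal can bind the post-login "Continue" link to the client it was issued to, so a copied URL is rejected on another device or SSID. The key, TTL, function names and the MAC/SSID values are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-controller secret (assumed)
TOKEN_TTL = 60                        # seconds the link stays valid (assumed)
_used_nonces = set()                  # nonces already redeemed (single use)


def _tag(client_mac, ssid, issued, nonce):
    # MAC over everything the link must be bound to.
    msg = f"{client_mac.lower()}|{ssid}|{issued}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_continue_token(client_mac, ssid, now=None):
    """Mint the token embedded in the post-login 'Continue' URL."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    return f"{issued}.{nonce}.{_tag(client_mac, ssid, issued, nonce)}"


def redeem_continue_token(token, client_mac, ssid, now=None):
    """Return (ok, reason). client_mac and ssid must come from the wireless
    association the request arrived on, never from the URL itself."""
    now = int(time.time() if now is None else now)
    try:
        issued_s, nonce, tag = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return False, "malformed"
    expected = _tag(client_mac, ssid, issued, nonce)
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False, "wrong client or SSID"   # link copied elsewhere
    if now - issued > TOKEN_TTL:
        return False, "expired"
    if nonce in _used_nonces:
        return False, "already used"
    _used_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    link = issue_continue_token("aa:bb:cc:00:00:01", "SSID1")
    print(redeem_continue_token(link, "aa:bb:cc:00:00:02", "SSID1"))
    print(redeem_continue_token(link, "aa:bb:cc:00:00:01", "SSID1"))
```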

Marius Negrea

Hi Michael, thanks for your reply, BUT I am afraid this is not a viable option for us... We have a Ruckus network of 248 APs, of which 159 are ZF7962!!!! If I upgrade the firmware I will lose connectivity to all these APs, which for us is really unacceptable. Is there anything else we can do?

Monnat Systems, AlphaDog

Request a fix to be put in place in the 9.8.2 branch through the proper channel. I think your request is genuine and valid. Ruckus should not have a MAJOR issue doing so...

Michael Brado, Official Rep

I've pinged Engineering and Product Marketing, as 9.8 is the last version for 7962/7762 model APs.  Awaiting feedback, and will share.