Severe flaw in WPA2 - cracked

  • Question
  • Updated 2 years ago
  • Answered

Marko Teklic

  • 1 Post
  • 0 Reply Likes

Posted 2 years ago


Jakob Peterhänsel

  • 90 Posts
  • 29 Reply Likes
"One researcher told Ars that Aruba and Ubiquiti, ..., already have updates available to patch or mitigate the vulnerabilities."

Well, let's see how fast our support-contract money works..

Dustin Roberts

  • 2 Posts
  • 8 Reply Likes
Agree, they knew about this August 28. Why is a patch not already available?

Pete

  • 3 Posts
  • 5 Reply Likes
Open-Mesh announced a firmware upgrade by the end of today (10/17/2017) and there is no support contract involved. A free lifetime cloud controller license comes with each hardware purchase.

Our Meraki devices received their firmware upgrade within hours of reading about the security vulnerability. 

Andrew Bailey

  • 16 Posts
  • 8 Reply Likes
I've raised a P2 Case (ID: 00565627).

According to the security section of the Ruckus site (https://www.ruckuswireless.com/security) the CVEs covered by KRACK have not been addressed.

Kind Regards,


Andy.

Dustin Roberts

  • 2 Posts
  • 8 Reply Likes
This is big, Ruckus had better act quickly on this. I also expect them to release patches for some of the older chains of firmware. We have perfectly usable 802.11n access points (7363) in use that are locked to the 9.12.x chain. It would pretty much mean the end of our relationship with Ruckus if we were forced to upgrade these for a security patch.

tech support

  • 7 Posts
  • 14 Reply Likes
Yep, end of support for the ZoneDirector 1100 for example is June 30th 2020, and it is stuck on ZD1100 9.10.2.0.29 (MR2 Refresh) Software Release
I would expect an update for this from Ruckus very soon.

Mike Loiterman

  • 4 Posts
  • 9 Reply Likes
My understanding is that this issue was something vendors were previously notified about. So, the fact that there doesn't even appear to be a proposed timeline for a fix is not acceptable - especially since some vendors are already releasing patches.

Very frustrating.

David Buhl

  • 17 Posts
  • 11 Reply Likes
Chatted with a rep who said there will be a "response" by the end of the day.

I, too, don't understand how you can have 2.5 months to come up with something and "wait til the end of the day" is what they came up with.  

You KNOW there is a MAJOR issue.  You KNOW your customers and competitors will be looking at your response.  You know exactly WHEN the announcement will be made.  And yet, you have NOTHING available.  

"At Ruckus Support, we value Security above all else.  The WPA2 vulnerabilities were just released to the public, but Ruckus engineers have had this information for much longer and have been working tirelessly to address, correct, and test patches for all of our systems.  We will have these available very soon.  Thank you for your patience, we want to make sure we get this one right."

There, took me 2 minutes.

Brad Nance

  • 3 Posts
  • 1 Reply Like
I'll bet they copy and paste that for email replies...... 

SupMang

  • 3 Posts
  • 3 Reply Likes
You're hired!

JC

  • 3 Posts
  • 0 Reply Likes
Dear
Please help with a firmware update for the ZF7363 and ZF7321 models for this new vulnerability found in WPA-2. Is there any way to contact them, or will all those who are registered get an email automatically when the update is available?

Brad Nance

  • 3 Posts
  • 1 Reply Like
You will probably want to open a case or check back here to see if they get one out today.

Brad 

JC

  • 3 Posts
  • 0 Reply Likes
ok, thanks

Michael Brado, Official Rep

  • 3010 Posts
  • 425 Reply Likes

David Buhl

  • 17 Posts
  • 11 Reply Likes
Michael, maybe you can clear up some confusion for me on this.  In the bulletin above, Ruckus is saying: "No Ruckus products are affected unless deployed in Mesh or Point-to-Point topologies, or 802.11r is enabled."  

However, a blog post, also from Ruckus, says the following:
  1. Vulnerabilities exist on both sides of the 4-way handshake relationship (client and AP) and both sides need to be patched.
  2. Until client vendors provide updates, disabling 802.11r can help mitigate the attack by eliminating one source of vulnerability (Fast BSS Transitions, otherwise known as 802.11r roaming).
Does turning off 802.11r mitigate the issue, or does it eliminate the issue?  Semantics, but extremely important semantics. 

If vulnerabilities exist on both sides of the 4-way handshake, and vendors need to patch them to make them secure (and Ruckus uses WPA)... ???  The blog post and the official statement appear to be contradicting each other.  I'd prefer NOT to go back and tell my bosses that I was wrong with what I told them last night.

Thanks,

tech support

  • 7 Posts
  • 14 Reply Likes
Ruckus, where are the firmware updates?! This is a pathetic response.
Almost every other manufacturer has firmware fixes available and you don’t. Even Netgear does for their consumer routers!
It is beyond belief that you clearly did not take this seriously, and STILL don’t it would seem.
Time to dump Ruckus. This is not an enterprise product, and certainly not enterprise level support.

Ruben Herold

  • 7 Posts
  • 15 Reply Likes
hi,

I have read the Ruckus Security Advisory and also
https://theruckusroom.ruckuswireless.com/wi-fi/2017/10/16/commonsense-approach-uncommon-problem/ and much other stuff.

This all shows Ruckus in a very bad light. Can we still trust?

Ruckus was informed many weeks/months ago about this issue and the disclosure date.

But the customers were left alone!!

I have been informed about this issue for two days (CET timezone). I waited for
the public disclosure yesterday and opened a case at Ruckus because no information
about it was found online.

All other major vendors did have the updates ready and informed their customers
at the same time the issue was going public. They had their communication ready
and sent it out to their partners and customers at the right time.

Ruckus didn't. They don't even inform the partners!!

What I, as a customer with a contract and as a partner, expected:

1. No out-of-office notification if someone mails your security contact ([email protected]).
   This e-mail has to go to a high-priority, monitored queue in a ticket
   system.

2. That your support people and partners would be informed one or two days before
   the public disclosure.

3. That you have the right communication for all your customers ready and put
   it at the right time in the right places (website, newsletter, Twitter...).

4. That you have your firmware fixes ready to deploy and, if possible,
   some advanced monitoring ready for this issue and for broken clients.

What I now expect:

1. really fast update availability, even for older systems and without contract*

2. transparent communication what went wrong and why

3. better documentation and reporting on how to fix the problem in our companies,
   not even on the wireless system side:

    * How to detect clients with this problem
    * For which clients are updates available


I'm located in Germany; the public disclosure was now nearly 24 hours ago, and
even the radio stations here broadcast information about this issue faster
than you.

This morning the German Federal Office for Information Security sent out
a public announcement that all people should update their clients and
access points / routers if possible or contact their vendors for updates.

The phones are ringing with customers, CTOs and so on. All want to have a
status on this issue and a deadline for when it is fixed.

Yes, the major problem is the clients, but the access points and controllers
should be fixed too, and I expect to get some help from my wireless system
to detect the problem on the clients if I have a managed wireless solution,
not one single access point.

Our company has already rolled out the patches for our clients.
Even Microsoft has the patches already in place.

For me it looks like Ruckus has ignored the advisory and now they
try to react to it. This has nothing to do with enterprise support!!

There is absolutely no excuse for this!!

For me the trust in your security support is gone, and there must
be very good arguments that we will stay with Ruckus after our contract
ended.


* because of how it happened (see what I expected)

alexf

  • 34 Posts
  • 9 Reply Likes
btw there is a GitHub repo maintaining a list of vendor responses: https://github.com/kristate/krackinfo . Go to Vendor Response Matrix and see client updates.

Regards, 
Alex

Ruben Herold

  • 7 Posts
  • 15 Reply Likes
I think there should be a way. Have you taken a look at what other vendors do:

Q:  Can I detect if someone is attacking my network or devices?

A:  Aruba software checks for replay counter mismatches on a per
client basis and will produce a log message if detection is triggered. The log message begins with “Replay Counter Mismatches“, followed by additional details.

Aruba has also released new RFProtect (WIDS) features and signatures to help detect attacks.

for example.

Also it should be no problem to build a list with patches for the major systems
and publish them.

If I read this right:

"Here, the client will install an all-zero encryption key instead of reinstalling the real key."

They work with an all-zero key; can this not be detected from the wireless system?
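
A simplified model of the per-client replay counter check that the quoted Aruba answer describes, as an added example (not part of the original post, and not Aruba's or Ruckus's code). The frame tuples, MAC addresses and alert threshold are constructed assumptions; a real authenticator tracks more handshake state than this.

```python
from collections import defaultdict

# Constructed sample: (client MAC, direction, EAPOL-Key replay counter).
# "tx" = sent by the AP (authenticator), "rx" = received from the client.
SAMPLE_FRAMES = [
    ("aa:bb:cc:00:00:01", "tx", 1),  # message 1
    ("aa:bb:cc:00:00:01", "rx", 1),  # message 2
    ("aa:bb:cc:00:00:01", "tx", 2),  # message 3
    ("aa:bb:cc:00:00:01", "rx", 2),  # message 4: clean handshake
    ("aa:bb:cc:00:00:02", "tx", 1),
    ("aa:bb:cc:00:00:02", "rx", 1),
    ("aa:bb:cc:00:00:02", "tx", 2),
    ("aa:bb:cc:00:00:02", "rx", 1),  # stale counter seen again
    ("aa:bb:cc:00:00:02", "rx", 1),  # and again
    ("aa:bb:cc:00:00:02", "rx", 2),
    ("aa:bb:cc:00:00:03", "tx", 1),
    ("aa:bb:cc:00:00:03", "rx", 1),
    ("aa:bb:cc:00:00:03", "tx", 2),
    ("aa:bb:cc:00:00:03", "tx", 3),  # message 3 retransmitted by the AP
    ("aa:bb:cc:00:00:03", "rx", 2),  # reply to the first copy
    ("aa:bb:cc:00:00:03", "rx", 3),  # late reply to the retransmission
]

def replay_counter_mismatches(frames):
    """Return {client: number of replies whose counter the AP was not awaiting}."""
    outstanding = defaultdict(set)  # counters sent by the AP and not yet answered
    mismatches = defaultdict(int)
    for client, direction, counter in frames:
        if direction == "tx":
            outstanding[client].add(counter)
        elif counter in outstanding[client]:
            outstanding[client].clear()  # answered: every older counter is now stale
        else:
            mismatches[client] += 1
    return dict(mismatches)

def clients_to_alert(frames, threshold=2):
    """Clients at or above the threshold; one mismatch can be a benign late reply."""
    counts = replay_counter_mismatches(frames)
    return sorted(c for c, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for client in clients_to_alert(SAMPLE_FRAMES):
        print(f"repeated replay counter mismatches from {client}")
```
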

JesseJ

  • 16 Posts
  • 21 Reply Likes
"Be professional ... If you have customers that rely on WPA only, then they deserve to be under attack."

Wow Jakob, do you work at Ruckus?

I appreciate they finally took the time to tell us not to worry about anything unless you use features that are turned off by default, or mesh networking </sarcasm>. Thanks for assuming most customers don't care as they would rarely deploy a mesh network, right?

https://www.ruckuswireless.com/rucktionary/mesh-networking-and-smartmesh
http://www.ruckussecurity.com/Smart-Mesh-Networking.asp
http://ruckus-www.s3.amazonaws.com/pdf/appnotes/bpg-wireless-mesh.pdf

You can't flaunt it and be proud of this as a value add, and then chastise customers for using it when there's a security issue you have no urgency to address.

Charles Sprickman

  • 24 Posts
  • 10 Reply Likes
That blog post ("the ruckus room") is embarrassing.  They don't even mention if they have a fix in the pipeline.  Telling their customers who use "mesh" to "turn it off" is stupid.  It's a feature, don't be surprised if people use it.

Pete

  • 3 Posts
  • 5 Reply Likes
Open-Mesh announced they will have a firmware upgrade this afternoon (10/17/2017). Open-Mesh, the product which gives you a free lifetime license for their cloud controller, you just need to purchase the hardware. Not sure why it's taking Ruckus so long.

Phil Lochner

  • 12 Posts
  • 4 Reply Likes
Ruckus, you better get your crap together and resolve this. You're already being snickered at in a few of the sysadmin mailing lists I'm part of.

In a couple more days those snickers are going to turn into something much more damaging. Because you're such a big player in the wifi market, you're already getting mocked for not having a fix ready when it was announced, but at least right now you're lumped in with tons of other companies.

As the days go on those other companies are going to deliver their patches and you're going to be left out in the rain, tossing excuses and copy pasta to frustrated sysadmins with leftover end of year budgets they'll rightfully decide to spend somewhere else.

We love our Ruckus products but your lack of progress in this matter means to be secure, we may have to turn off our products, and we can't have that in our organization, so we're simply forced to switch vendors.

Affant Communication

  • 1 Post
  • 4 Reply Likes
Is it safe to assume that Ruckus doesn't give a damn about their paying customers right? Since the patches are nowhere to be seen... I would like to ask the community for Ubiquiti recommendations since we'll most likely be moving over.

Todd

  • 65 Posts
  • 17 Reply Likes
I'm sure this will not be a popular comment but, I think some of these comments are blown way out of proportion. I also am not happy about Ruckus's delay of response and available firmware updates given the lead time they've been given. But they don't have it. I wouldn't apply the new code immediately anyway until some of you bled on it. I'm willing to bet that most of us have bigger security issues to deal with than a proof of concept hack on a single device, which requires them to be physically on-site, set up a rogue AP and write their own code for the exploit, as the code to exploit the vulnerability isn't in the wild, then they might gain access to someone's facebook feed. LOL

In addition can I borrow some of your budget dollars so I can jump vendors whenever I'm unhappy with their performance. That's a luxury that I cannot afford, time or money wise. :)

Jakob Peterhänsel

  • 90 Posts
  • 29 Reply Likes
Jesse,
All I'm saying is: If security is that important for your customers, that they are calling you even before the scope of this vulnerability is out in the open (it's still a lab case), then they should already be using Apps that use SSL communication directly between the client app and the backend.
Oh, and if you've read the krack site, it's mostly a client-side issue.

Steven Veron

  • 20 Posts
  • 4 Reply Likes
I work at a university. Should I tell all our students to use VPN? While for sensitive information requiring VPN use should be done, it's not practical in all situations. 

I think another aspect of this is the PR side. When the CIO says they have people asking "does this affect us" it shouldn't require a long explanation of "yes, but only if you're not using VPN, not using secure apps, etc etc."

JesseJ

  • 16 Posts
  • 21 Reply Likes
Jakob,

You can play Ruckus' cards all you want. "It's still a lab case..." Really? If I could prove there was another WPA2 vulnerability to where you could steal the PSK, but it wasn't in the wild yet, would you expect Ruckus to have a patch before somebody packaged it up in a nice little tool for script kiddies? Would you care if you could just update Windows to mitigate the new threat? Apparently you wouldn't, and that makes you incompetent and naive in network security. I won't address your other noise again about apps using SSL.

Nobody is arguing that we shouldn't have to patch our clients, but even they have stated to patch BOTH. Well we can't do that yet. According to the latest word that will be two weeks away at the earliest for 'some' devices. Now we are waiting on a manager's response about how everything is just fine, so long as 'xyz' is in place, or not in use. That's not acceptable. If you wanted to reassure everyone of the risks to certain features and the network safety otherwise, that should have been in the day one security brief assuring us of this with an ETA date on the firmware releases and which models.

An example of how to respond correctly (even spelling out which things aren't affected if that's your stance):
https://help.ubnt.com/hc/en-us/articles/115013737328-Ubiquiti-Devices-KRACK-Vulnerability

Jakob Peterhänsel

  • 90 Posts
  • 29 Reply Likes
Playing Ruckus' card - Really? Gezus..
All I'm saying is: keep the perspective! This thread is going nuts over how all wifi is suddenly useless, when the fact is, it's not! This thread is going nuts over how all security is suddenly compromised and people's highly secret communications are at risk, and I'm simply pointing out: if the communications are that secret, you should have other security measures in place!
I'm not fond of how Ruckus is handling this either, but stop making the world come to an end over this, when in fact it's not.

JesseJ

  • 16 Posts
  • 21 Reply Likes
I wouldn't say 'the world', I'd say Ruckus' reputation.

M

  • 36 Posts
  • 5 Reply Likes
Disappointing response from Ruckus. If other major vendors were able to release a patch after lifting the embargo, why can't Ruckus? Disabling 802.11r mitigates risk for now but I've deployed many Mesh APs on one of our clients because of structured cabling challenges.