WPA2 KRACK Questions & Answers - Resource page

  • Announcement
  • Updated 7 days ago
Greetings,

There is much concern about the possible impact of the announced WPA2 KRACK vulnerabilities, and Ruckus would like to provide information and answer your related questions. Please view the WPA2 KRACK support resource center page:

https://support.ruckuswireless.com/krack-ruckus-wireless-support-resource-center

There are knowledge base articles that describe Rogue Detection, details on checking the 802.11r enable/disable state, a link to a TME blog on the problem, and industry links related to WPA2 KRACK flaws.
Information regarding specific platform firmware patch release availability will be provided shortly.

Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes

Posted 2 months ago


Steven Veron

  • 20 Posts
  • 4 Reply Likes
Is there anything on the 7731 bridge? The only thing listed in the patches is the P300 bridge. 
For the 7731
End of Software Development & Maintenance: October 31, 2017
(Edited)

Monnat Systems, AlphaDog

  • 776 Posts
  • 163 Reply Likes
Steven,
since the ZF7731 does not use mesh and 802.11r, this product is not vulnerable.

Steven Veron

  • 20 Posts
  • 4 Reply Likes
I don't believe that is correct. The non-root bridge behaves just as a client would, and an attacker could force a channel change then intercept the new 4-way handshake. 

Also, if bridges aren't affected why is the P300 being patched...

Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes
Monnat is correct. The P300 algorithm *is* based on Mesh, the ZF7731 is not, but they do behave like a client-AP and use the 4-way handshake. We will need to patch the client-side code in the 7731 too. Still, lock down your channels and protect physical proximity.
(Edited)

Steven Veron

  • 20 Posts
  • 4 Reply Likes
That's good to know, I appreciate it. You mention locking the channel, I was unable to find a setting within the GUI and the guide doesn't mention it that I have found. Is this a CLI only command? If so can you point me to some documentation on it?

Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes
I just created a publicly visible KBA-6480 with this content:

If you have been instructed to "lock down" the 7731 point to point bridge frequency channel,
you can view the current channel in use, and configure the bridge to stay on this channel.

Figure 1:  Status::Wireless

Current channel in use is Channel 100, and the 7731 is currently set for SmartSelect channel algorithm.



Figure 2:  Configuration :: Wireless :: Root Bridge

Use the Channel drop-down list to find the Channel 100 currently in use and click on it.
This will keep the Root Bridge AP setting on Channel 100.  (SmartSelect is default).


Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes
While mgt determines how to provide a 9.2 version patch, you aren't at much risk since clients who can be compromised aren't likely connecting to your PtP bridges... 

Steven Veron

  • 20 Posts
  • 4 Reply Likes
This bridge provides internet to a building that contains our HR department. Anything greater than 0 is considered a risk. 

Michael Brado, Official Rep

  • 2170 Posts
  • 299 Reply Likes
If the bridge or mesh AP channel is static, the AP is not vulnerable to MITM attack, which is a necessary part of the replay attack.  Find your best PtP link channels, and lock them down for 0 risk.

Allan Grohe, Knowledge Manager

  • 4 Posts
  • 2 Reply Likes
We have updated the KRACK - Ruckus Wireless Support Resource Center page with the following additional technical information and documents:
  1. Current schedule for patch release dates for the following products:  P300, SmartZone, Ruckus Cloud, Unleashed, Xclaim, and ZoneDirector
  2. KRACK WPA/WPA2 Vulnerability Mitigation "Cheat Sheets" for the following products:  Unleashed, vSZ 3.5 (vSZ-E, vSZ-H, SZ-100), vSZ 3.4 (vSZ-H, SCG200, SZ300), and ZoneDirector
Allan.
(Edited)

Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes
Our Forum Community can help you out with most anything but bugs.

Arthur Hulsman

  • 18 Posts
  • 0 Reply Likes
Michael Brado, the Target Patch Release Date https://support.ruckuswireless.com/krack-ruckus-wireless-support-resource-center for ZD version 10.0.1 is 30 October 2017.
It is now 30 October, end of business day in Europe, but I do not see any download links or updates that the patch has been postponed.
When will the download links be available to the public?

Allan Grohe, Knowledge Manager

  • 4 Posts
  • 2 Reply Likes
Downloads are being posted from PDT timezone, and announced as they hit the support portal, Arthur. 

Allan.

Arthur Hulsman

  • 18 Posts
  • 0 Reply Likes
Allan Grohe, thank you for the update, we have updated our acceptance and production environment. Is it possible to communicate the timezone on the Ruckus website when the patch is available for download when there is a critical update?

Michael Brado, Official Rep

  • 2183 Posts
  • 301 Reply Likes
You may assume all activity on Ruckus Support is based on our HQ timezone, Pacific Daylight Time (PDT) until Sunday night, when Daylight Savings time falls back one hour. 

When you see my software announcements to the Forums groups, all documents and firmware will have been posted and are available for downloading.

Allan Grohe, Knowledge Manager

  • 4 Posts
  • 2 Reply Likes
New content for the KRACK Resource Center web page:  KRACK Explained - YouTube video

Allan.

Idgara

  • 16 Posts
  • 1 Reply Like
What about standalone APs? Are the latest standalone firmware updates patched?