topic Re: Severe flaw in WPA2 - cracked in Cloudpath Enrollment System (ES)

Severe flaw in WPA2 - cracked

marko_teklic — Mon, 16 Oct 2017 06:27:01 GMT

when can we expect to see update for this https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Re: Severe flaw in WPA2 - cracked

jakob_peterh_ns — Mon, 16 Oct 2017 07:27:06 GMT

"One researcher told Ars that Aruba and Ubiquiti, ..., already have updates available to patch or mitigate the vulnerabilities."

Well, let's see how fast our support-contract money work..

Re: Severe flaw in WPA2 - cracked

ruben_herold — Mon, 16 Oct 2017 09:00:39 GMT

Some vendors like mikrotik have already rolled out patched versions since weeks:

https://forum.mikrotik.com/viewtopic.php?f=21&t=126695

Re: Severe flaw in WPA2 - cracked

james_julier — Mon, 16 Oct 2017 10:02:51 GMT

I too would like an answer to this. And for our patch to be made available quickly. We already have clients asking.

Re: Severe flaw in WPA2 - cracked

rw_van_der_knoo — Mon, 16 Oct 2017 10:08:33 GMT

Me too for my R600 Unleashed ...

Re: Severe flaw in WPA2 - cracked

ari_lemmke — Mon, 16 Oct 2017 10:13:14 GMT

Yes, this breach is annoying.

But .. have been evangelizing for years that wifi should only be used as transport for VPN (OpenVPN).

Have been trying to find more information like press releases or other material on topics like Ruckus and WPA2 krack. (https://www.krackattacks.com/)

Notice that this all has been released earlier to manufacturers and only now will go public, meaning that only some manufacturers have reacted to research papers: https://eprint.iacr.org/2016/475.pdf
Dated May-17 2016 .. it was all there.

Re: Severe flaw in WPA2 - cracked

tech_support_4y — Mon, 16 Oct 2017 10:13:59 GMT

Ruckus, you're late to the party as usual. When will we see firmware updates to address KRACK?

Re: Severe flaw in WPA2 - cracked

thomas_barnsley — Mon, 16 Oct 2017 10:55:37 GMT

I would dearly love to see this ASAP as we need to start change management procedures.

Re: Severe flaw in WPA2 - cracked

andrew_bailey_7 — Mon, 16 Oct 2017 11:05:44 GMT

I've raised a P2 Case (ID: 00565627).

According to the security section of the Ruckus site (https://www.ruckuswireless.com/security) the CVE's covered by Krack have not been addressed.

Kind Regards,

Andy.

Re: Severe flaw in WPA2 - cracked

dustin_roberts_ — Mon, 16 Oct 2017 12:30:40 GMT

This is big, ruckus had better act quickly on this. I also expect them to release patches for some of the older chains of firmware. We have perfectly usable 802.11n access points (7363) in use that are locked to the 9.12.x chain. It would pretty much mean the end of our relationship with ruckus if we were forced to upgrade these for a security patch.

Re: Severe flaw in WPA2 - cracked

robert_lowe_722 — Mon, 16 Oct 2017 12:36:33 GMT

Aruba has released fixes for older versions of firmware but only ones the deem 'under support'. Ruckus doesn't view firmware in the same way but based on the fact that the recommended 9.13.3.0.121 i would expect them to be going back a little way on the firmware list at least to 9.12

Re: Severe flaw in WPA2 - cracked

tech_support_4y — Mon, 16 Oct 2017 12:40:17 GMT

Yep, end of support for the ZoneDirector 1100 for example is June 30th 2020, and it is stuck on ZD1100 9.10.2.0.29 (MR2 Refresh) Software Release
I would expect an update for this from Ruckus very soon.

Re: Severe flaw in WPA2 - cracked

mloiterman — Mon, 16 Oct 2017 12:44:02 GMT

My understand is that this issue was something vendors were previously notified about. So, the fact that there doesn't even appear to be a proposed timeline for a fix is not acceptable - especially since some vendors are already releasing patches.

Very frustrating.

Re: Severe flaw in WPA2 - cracked

robert_lowe_722 — Mon, 16 Oct 2017 12:48:38 GMT

Aruba reports that they were informed by the author of the research paper in July & by CERT in August. Imagine same for all vendors. Plus many (if not all) have been participating in industry level discussions

Re: Severe flaw in WPA2 - cracked

simon_b_hrer_73 — Mon, 16 Oct 2017 12:50:19 GMT

Pretty annoying issue and surely not the best time to get it public, but I don't get why this issue is still persistent since it was reported to the vendors in August/Septembre. Actually there's one customer after another calling and asking what they can do and when they can expect a solution. Not cool, to have no answer ready...

Re: Severe flaw in WPA2 - cracked

robert_lowe_722 — Mon, 16 Oct 2017 12:54:32 GMT

Dont forget though that the infrastructure is only part of this issue. Even after controllers & AP's have had a 'fix' applied there are still vulnerabilities from the client side, which is actually the source of the issue, can only be addressed by the client manufacturers. As i understand it, It affects infrastructure vendors because sometimes their AP's act as a client like when using mesh for example.

Here's a link to their FAQ on the issue: http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-007_FAQ_Rev-1.pdf

Re: Severe flaw in WPA2 - cracked

tech_support_4y — Mon, 16 Oct 2017 14:25:13 GMT

And here's Meraki's which is excellent IMO:
https://documentation.meraki.com/zGeneral_Administration/Support/802.11r_Vulnerability_(CVE%3A_2017-...

Deathly silence from Ruckus...

Re: Severe flaw in WPA2 - cracked

dustin_roberts_ — Mon, 16 Oct 2017 14:30:08 GMT

Agree, they knew about this august 28. Why is a patch not already available.

Re: Severe flaw in WPA2 - cracked

jesse_johnston_ — Mon, 16 Oct 2017 14:42:10 GMT

From my chat session they plan to take their time... They have a response slated for the second half of today.

Re: Severe flaw in WPA2 - cracked

robert_lowe_722 — Mon, 16 Oct 2017 14:49:00 GMT

I guess that depends on where you are......In the UK its already the 2nd half of today 🙂