topic Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center in Wireless Questions and Best Practices

FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

grodog-prod — Tue, 11 May 2021 18:06:19 GMT

At 11:00am PDT today, the Wi-Fi Alliance announced a new Wi-Fi security vulnerability, FragAttacks.

The FragAttacks - RUCKUS Technical Support Response Center is our central web page that brings together all of the RUCKUS-related information you need to address FragAttacks, including:

In addition, the RUCKUS senior technology leadership has prepared resources to explain the nature and impact of the FragAttacks vulnerabilities, including technical blogs, videos, and podcasts. These are all linked on the FragAttacks - RUCKUS Technical Support Response Center web page.

Please use this thread as a central location for your FragAttacks questions and concerns. Doing so will help to ensure that we can respond as quickly as possible to your issues as you raise them.

Thank you!

Allan Grohe

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Wed, 12 May 2021 13:01:40 GMT

We are looking into this and will update soon.

Thanks for the patience and cooperation.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

vesalius — Wed, 12 May 2021 14:48:46 GMT

@syamantak_omer

Same issue and question for the lastest unleashed patch as well as the release notes are also behind a paywall.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Wed, 12 May 2021 15:04:16 GMT

Hi Harold,

For Unleashed, you can upgrade directly from OTA server, once firmware is available.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Wed, 12 May 2021 18:30:36 GMT

Hi All,

As of today (12th May 2021), fix is available for below products/versions.

For other products/versions, please follow FragAttacks technical support page.

Platform	Release	Target Patch Release Date	Download link and exact fix version
RUCKUS SmartZone and Virtual SmartZone	5.2.2	11-May-21	AP Patch 5.2.2.0.1016 must be applied to 5.2.2 GA controller version 5.2.2.0.317
RUCKUS ZoneDirector	10.4.1	10-May-21	ZoneFlex 10.4.1.0.257 (GA Refresh4) Software Release for ZD1200

RUCKUS Unleashed	200.9	10-May-21	Click here >> Go to Download >> Find your desired AP model and respective download link for 200.9.10.4.243 version

Note: Release notes may not have the information of FragAttacks fix, we will update release notes soon.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Wed, 12 May 2021 18:34:26 GMT

In addition to my previous comment, we are also updating our FragAttacks Technical Support Page and direct download links are also available there.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

grodog-prod — Wed, 12 May 2021 18:35:49 GMT

I have updated all of the FragAttacks-related software images and release notes to be available to "All Users" instead of "Premium Support Users" only.

I apologize for that oversight: it was our intention when all of the files went live yesterday that they be available to all users, but the IT database publishing update also overwrote the All Users permission with the Premium permission.

Allan.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

hendri_marzuki — Mon, 17 May 2021 02:56:22 GMT

Any plan to patch or advise for ZD 1100 & ZD 3000?

Thanks.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Mon, 17 May 2021 13:21:05 GMT

Hi Hendri,

Please refer the support page and check if you can upgrade to closest supported firmware version.

For ZD1100, we are checking with concerned team.

As of now, you can upgrade to below versions (once available) to fix the issue.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Mon, 17 May 2021 15:44:28 GMT

Hi All,

Fix for ZD 10.2.1 has been released on our support site.

RUCKUS ZoneDirector 10.2.1.0.200 (MR1 Refresh7):

Our FragAttacks support page also updated with this information.

https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Mon, 17 May 2021 16:46:07 GMT

Hi All,

Fix for ZD 10.0.1 has been released on our support site.

ZoneDirector 10.0.1.0.146 MR1 software images to the Support Portal are as follows:

Our FragAttacks support page also updated with this information.

https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

eizens_putnins — Mon, 17 May 2021 19:47:17 GMT

Hi,

I want to emphasize, that normally new firmware can't be installed if ZD isn't under active support. In Release Note is stated that for some time this check is suspended, to allow patching all systems, with or without support.

It is really very responsible step from Ruckus and must be clearly stated in BIG LETTERS on the same page with list of download links to encourage immediate action!

What about version 9.8-9.9 -- as Ruckus APs have a very long useful life, there are still many 802.11n networks in operation and even 802.11g - it is extreme, but there is a network with ZF2942 APs (in 4star hotel, installed by us in 2007, and still "good enough not to be replaced yet" for hotel management!). Of cause, these networks have no support, as they can't upgrade to the latest versions anyway (APs and even controllers are not supported).

Are there any plans to get patches to version 9.9 or similar, which allows managing older APs? At least for version supporting ZF7372/52, ZF7982, etc.

I know that it is better to replace them, but it is not going to happen for quit a while. As far as 802.11n service is still acceptable, they will stay around, secure or not.

There is, of cause, question about patch efficiency -- as you can never guarantee that all devices connected to network are patched, is patching a network really efficient? I understand, that without patching APs, you can't fix the vulnerability at all, but if there is a big part of unpatched clients, will this provide any real improvement?

For really critical networks -- is there a way to block vulnerable clients on WiFi level, or the only chance for that is NAC?

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Mon, 17 May 2021 20:23:37 GMT

Hi @eizens_putnins ,

Most of the queries above are already answered in our FragAttack support page.

Please refer the page from here.

I am trying to answer a few queries here.

Yes you can upgrade the ZD even if you don't have support entitlement. Try to sync license online from ZD, or reachout to support and request for temporary entitlement.
Without patching APs and clients, fix is useless, so yes, both side devices needs to be patched.
However, there are some vulnerabilities which can be patched just by APs but not all, hence patching both sides is strongly recommended.
It could be hard to patch already EOS/EOL devices. I am still checking this internally.

You can refer detailed information on FragAttach support page.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

jim_palmer — Mon, 17 May 2021 21:13:46 GMT

Just to clarify, because the FragAttacks report is really that complex and complicated. The report contains 12 distinct vulnerabilities and some are targeted at APs, some are at clients, and some are at both. To prevent all 12 CVE's contained in the report, both APs and client devices need to be patched. Patching just the APs will prevent some of the vulnerabilities, but not all of them. It will, however, reduce the attack vectors available, especially with older client devices that might not get patched thanks to a lot of different factors.

For those critical networks, refer to this page from the support site for additional help https://www.commscope.com/fragattacks-commscope-ruckus-resource-center/wifi-fragattacks-what-you-need-to-know/

For those who want to get even more into the attacks, you can also check out this post-https://jimswirelessworld.wordpress.com/2021/05/11/fragattacks-just-reinforces-the-it-depends-complexity-of-wi-fi/

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

hendri_marzuki — Mon, 17 May 2021 21:53:54 GMT

Thank you! Much appreciated!

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Tue, 18 May 2021 15:20:56 GMT

Hi All,

Fix for Unleashed 200.7 has been released on our support site.

For different AP models, Unleashed 200.7.10.202.127 MR6 software images can be found on below link.

https://support.ruckuswireless.com/software?query=200.7.10.202.127

Our FragAttacks support page also updated with this information.

https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

alexandre_jablo — Tue, 18 May 2021 15:53:17 GMT

I see firmware branch 10.3.x isn't mentioned. We have a ZD 1200 with R700 APs on this branch.

Any mention releasing fix for the 10.3.x ZD branch?

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

hendri_marzuki — Tue, 18 May 2021 21:53:03 GMT

Just FYI, as informed by syamantak_omer, I could upgrade the ZD even if I don't have support entitlement. Just download the img file, then upgrade. Mine automatically given 30 days Support after the upgrade.

Or contact Support where they'll give grace period support file to upload to ZD.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Tue, 18 May 2021 21:56:08 GMT

Hi @hendri_marzuki ,

Thanks for the feedback and good to know that you were able to upgrade your ZD.

Re: FragAttacks Security Vulnerability - RUCKUS Technical Support Response Center

syamantakomer — Tue, 18 May 2021 21:58:16 GMT

Hi Alaxander,

Could you confirm how many APs you have on this ZD1200?