Severe flaw in WPA2 - cracked

marko_teklic
New Contributor
153 REPLIES

So what is it you can tell us? I'm confused by your statement.

Edited for more face-palm. Are you guys serious right now?

david_buhl
New Contributor III
Michael, I think you are in the wrong thread.  The thread you just linked to is this very thread.

michael_brado
Esteemed Contributor II
The issue is related to 802.11r (Fast BSS Transition) to enhance roaming, which if disabled on WLANs
eliminates vulnerability to attack of AP-to-client traffic.  The krackattacks.com site describes it as:
“it works by exploiting a four-way handshake that's used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption.”

WPA2/AES - attacker can decrypt and replay Wi-Fi packets.
WPA2/Auto-TKIP - attacker can decrypt, replay and inject frames.

It requires that the attacker be physically in range of your APs, performing a man-in-the-middle impersonation
of a true AP MAC address.

WLAN configuration options on WLANs, default setting is 802.11r Fast Roaming disabled. (SZ 3.5.1).

This is a client vulnerability issue.  A man-in-the-middle with an AP sending your SSID and using your AP
MAC address.  If one of your clients joins this malicious AP, there is a hole in the client that allows the
client to connect even if the passphrase is not correct(!).

After this happens, this client, and only this single client, can be sniffed.

Our product is designed to alert Admins if such a rogue AP is present.  Only AP manufacturers who use their
APs as RAPs in Mesh (i.e. connecting to Guest WLAN) are vulnerable (as Aruba stated).

Things to think about:
1) All current certs and Wi-Fi passwords are still secure (attacker doesn't get the pw).
2) AES does not allow for code injection (TKIP does; don't use it).
3) Android 6 has more issues that might make this attack easier.
4) Disabling 802.11r will mitigate the attack.
5) Patching either side (client or distribution system) stops the attack from happening on the WLAN.
6) MITM attacks can happen if the attacker inserts a new cert; the end user is prompted with a cert error.
7) Do not move to WEP.

Still waiting for a corporate Security message I can post to Support and will share here.  Thanks.
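The message-3 retransmission and nonce reuse quoted above, modelled as an added example (not code from this thread, from Ruckus, or from krackattacks.com). It uses a constructed toy keystream in place of real CCMP and a constructed sample key; the point is the client-side fix (do not reinstall an already-installed key, so the packet-number nonce is never reset) and a monitor-side check that flags a repeated nonce:

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Toy stream cipher standing in for CCMP: keystream = SHA-256(key || nonce || block).
# Constructed for illustration only; it is NOT the AES-CCM used by WPA2.
def keystream(key: bytes, nonce: int, length: int) -> bytes:
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class Supplicant:
    """Minimal model of a client's handling of 4-way handshake message 3."""
    patched: bool                  # True: refuse to reinstall an already-installed PTK
    ptk: Optional[bytes] = None
    pn: int = 0                    # CCMP packet number, used as the nonce
    sent: List[Tuple[int, bytes]] = field(default_factory=list)

    def on_message3(self, ptk: bytes) -> str:
        if self.patched and ptk == self.ptk:
            return "retransmit ignored, key and nonce untouched"
        self.ptk = ptk
        self.pn = 0                # key (re)installation resets the nonce: the KRACK root cause
        return "key installed"

    def send(self, plaintext: bytes) -> Tuple[int, bytes]:
        self.pn += 1
        frame = (self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext))))
        self.sent.append(frame)
        return frame

def nonce_reuse(frames: List[Tuple[int, bytes]]) -> bool:
    """Monitor-side check: a packet number seen twice under one key means keystream reuse."""
    seen = set()
    for pn, _ in frames:
        if pn in seen:
            return True
        seen.add(pn)
    return False

def run(patched: bool) -> dict:
    client = Supplicant(patched=patched)
    ptk = b"constructed-sample-ptk"       # constructed sample key, not a real PTK
    client.on_message3(ptk)
    client.send(b"first data frame")
    client.on_message3(ptk)               # message 3 arrives a second time
    client.send(b"second data frame")
    return {"reused": nonce_reuse(client.sent), "last_pn": client.pn}
```

With `patched=False` both frames go out under packet number 1 and the check fires; with `patched=True` the second message 3 is ignored and the nonce keeps counting.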

This is welcome, but where are the patches to eliminate the AP-side vuln? At Big Dog Paris we were promised a much more responsive Ruckus when it comes to software updates. The fact that the likes of Mikrotik and Ubiquiti have fixes out already is not showing Ruckus in a good light. The other big players in our field have patches as well as an official response out already. The ball has been dropped. Is someone going to pick it up and save the match?