This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
RUCKUS Self Help |   ASK the Pack
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Severe flaw in WPA2 - cracked

marko_teklic
New Contributor

‎10-15-2017 11:27 PM

when can we expect to see update for this https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-tra...
153 REPLIES 153

jesse_johnston_
New Contributor III
In response to michael_brado

‎10-16-2017 02:46 PM

Given the information above, it does not constitute waiting 6 of your PDT working hours (2PM PDT) to produce what was given. There isn't enough clarification given to soundly say simply disabling 802.11r on a Ruckus products will fix the issue either - this was not the full scope of the vulnerability. At this point in the day I am worried about the dismissive tone and action to the issue. I hope the formal security message doesn't ring this way as well.

Put simply, most other vendors have a fix or at the very least a statement as of hours ago on this. Regardless of how critical other vendors thought this would be they have addressed their end. I don't resonate with updating our endpoints instead, turning off the 802.11r feature on our devices, or anything other than fixing the vulnerability through firmware. You should have already deployed your new firmware/patches and put your obligation to rest. It's concerning this is not remotely the case.

scott_savarese
New Contributor
In response to michael_brado

‎10-16-2017 03:45 PM

Has anyone thought about the possibility that they might not have been notified until today? Has anyone seen evidence that RW was notified 2 months ago? This whole thread seems to expect that given 8 hours notice a company can analyze a vulnerability, patch code, do complete regression testing, and release patches. 
0 Kudos

david_buhl
New Contributor III
In response to michael_brado

‎10-16-2017 03:49 PM

They are a major player in the wireless market.  They've said all major players were notified a couple of months ago.  I can't see any possibility where someone forgot a company in the top 5, based on market share.

james_hudson_bj
New Contributor
In response to michael_brado

‎10-16-2017 03:59 PM

https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

They were given notice at the same time as every other company.

charles_sprick1
New Contributor III
In response to michael_brado

‎10-17-2017 12:40 AM

And even if they work, there should be at LEAST one security nerd there who would have seen the initial announcement and started salivating at figuring out what the root of the vulnerability was.  As has been noted, some vendors even broke "embargo" and fixed this more than a month ago (OpenBSD was scolded, Mikrotik apparently was not).  If Ruckus doesn't have one of "those guys", god help us.

Here's what the message to management should be, and it should STING:
  • Ubiquiti had a fix before you
  • Ubiquiti sent an email blast to customers before you informing them of the vulnerability and the fix
  • Mikrotik had a fix before you - yes, the Latvians beat you too
  • Both companies called out above are seen as barely beyond consumer grade stuff in some circles (and in some Ruckus sales pitches)
  • All the enterprise vendors had a fix out before you (but Ubiquiti is the one that should embarrass you)
  • Many of your customers read about this elsewhere and are aware that you had the information about this problem in-hand back in August
Copyright © 2024 Khoros, LLC