cancel
Showing results for 
Search instead for 
Did you mean: 

Severe flaw in WPA2 - cracked

marko_teklic
New Contributor
153 REPLIES 153

Given the information above, it does not constitute waiting 6 of your PDT working hours (2PM PDT) to produce what was given. There isn't enough clarification given to soundly say simply disabling 802.11r on a Ruckus products will fix the issue either - this was not the full scope of the vulnerability. At this point in the day I am worried about the dismissive tone and action to the issue. I hope the formal security message doesn't ring this way as well.

Put simply, most other vendors have a fix or at the very least a statement as of hours ago on this. Regardless of how critical other vendors thought this would be they have addressed their end. I don't resonate with updating our endpoints instead, turning off the 802.11r feature on our devices, or anything other than fixing the vulnerability through firmware. You should have already deployed your new firmware/patches and put your obligation to rest. It's concerning this is not remotely the case.

Has anyone thought about the possibility that they might not have been notified until today? Has anyone seen evidence that RW was notified 2 months ago? This whole thread seems to expect that given 8 hours notice a company can analyze a vulnerability, patch code, do complete regression testing, and release patches. 

They are a major player in the wireless market.  They've said all major players were notified a couple of months ago.  I can't see any possibility where someone forgot a company in the top 5, based on market share.

https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

They were given notice at the same time as every other company.

And even if they work, there should be at LEAST one security nerd there who would have seen the initial announcement and started salivating at figuring out what the root of the vulnerability was.  As has been noted, some vendors even broke "embargo" and fixed this more than a month ago (OpenBSD was scolded, Mikrotik apparently was not).  If Ruckus doesn't have one of "those guys", god help us.

Here's what the message to management should be, and it should STING:
  • Ubiquiti had a fix before you
  • Ubiquiti sent an email blast to customers before you informing them of the vulnerability and the fix
  • Mikrotik had a fix before you - yes, the Latvians beat you too
  • Both companies called out above are seen as barely beyond consumer grade stuff in some circles (and in some Ruckus sales pitches)
  • All the enterprise vendors had a fix out before you (but Ubiquiti is the one that should embarrass you)
  • Many of your customers read about this elsewhere and are aware that you had the information about this problem in-hand back in August