Severe flaw in WPA2 - cracked

marko_teklic
New Contributor
153 REPLIES

michael_brado
Esteemed Contributor II
Thank you valued Customers and Partners for your patience as final action plans have been worked out.

(In response to questions such as “where is my patch” and “why is this taking so long”?)

 

Providing patches for affected products is our first concern and we understand its urgency to your business. We expect patches for most firmware releases to be available on October 30th, with all patches to be completed by November 15th. In the interim, the following steps will minimize risk:

-  Disable 802.11r wherever enabled. This step eliminates the short-term need for patches to Ruckus infrastructure in all but the two scenarios described below.

-  Enable rogue detection mechanisms and ensure clients connecting to a rogue AP are de-authenticated.

-  Patch client devices as those patches become available. Unpatched clients will continue to be a risk to network security, regardless of what other steps are taken.

 

With the above steps taken, two Ruckus use cases and products continue to pose a network security risk: meshed APs and point-to-point links. That risk is minimized through use of rogue AP detection and subsequent corrective action.

 

Full protection against KRACK will be assured once all infrastructure software has been updated (and 802.11r re-enabled) and all clients have been updated.

 

Note: Ruckus will provide software updates to anyone requesting them, regardless of support contract status.

Really? Sometime between October 30th and November 15th? Ruckus had known about this for how long? Has Ruckus bothered to see how quickly their competitors got patches out? Impressive to see how succinctly the ball has been dropped here.

Hi Michael,

Have you seen my statement on this issue? I think your statement can be seen as a first step to bring it on track. Especially:

"Note: Ruckus will provide software updates to anyone requesting them, regardless of support contract status."

Please take a look at my posting:

https://t.co/uVikcz9kRF

Can you give some statements to this?

Now the problem is that Ruckus was not ready for this problem. So let us not do
the finger-pointing; let us find solutions. As described in my posting, I see some expectations:


1. really fast update availability, even for older systems and without contract*

2. transparent communication what went wrong and why

3. better documentation and reporting how to fix the problem in our companies,
   not even on the wireless system side:

    * How to detect clients with this problem
    * For which clients are updates available


You have shown us point 1; about the speed we can discuss, but it is
necessary that the patches are stable and working. So if you have started with
the development too late, the dates you announced are fine from my point of view.

Now my points 2 and 3 are missing. Can you tell us something about them, and can you make it public please?

To get the trust of your userbase, it is necessary to show us what went wrong and why, and what will be put in place to prevent this happening the next time.

Note: Ruckus will provide software updates to anyone requesting them, regardless of support contract status.

How exactly would this happen, should I open a ticket for our contract-less ZD5000 controllers, and Ruckus will provide update images?

mark_anthony_sa
New Contributor III
Disappointing response from Ruckus. If other major vendors were able to release a patch after lifting the embargo, why can't Ruckus? Disabling 802.11r mitigates risk for now but I've deployed many Mesh APs on one of our clients because of structured cabling challenges.