CommScope RUCKUS Community Forums

marius_negrea · ‎05-11-2015

Here is the thing, on an ZD3050 with firmware 9.8.2.0 build 15 I have a couples of guest SSID's (say SSID1, SSID2 en SSID3); when we issue a new guest pass for SSID1 a visitor can use it to get internet access - everything works fine so far BUT the moment the visitor type the guest pass into the browser and click on "log in" a new page is generated which says "Authenticated" and a button "Continue" appears which needs to be pushed in order to browse further...But before clicking the "Continue" button one can copy the link generated in the browser and paste it in a .txt file for instance and use it on every computer, tablet, phone and for every SSID without the need to generate another guest pass!!!!!
This is a major security breach which affects us all, I don't know how to prevent it, any thought?

michael_brado · ‎05-12-2015

Hi Marius,

I filed ER-2044 for possible guest access cookie vulnerabilities found in 9.8 code, and
Ruckus engineering has resolved and incorporated a fix into current 9.10 GA release, with
a flag used to prevent copying the URL/cookie info to another session. Thanks for your
heads-up on the issue you found, and good news is we saw and fixed it too.

marius_negrea · ‎05-14-2015

Hi Michael, thanks for your reply BUT I am afraid this is not a viable option for us...we have a Ruckus network of 248 AP's of which 159 ZF7962 !!!! If I upgrade the firmware I will lose connectivity to all these AP's which for us is really unacceptable, is there anything else we can do?

monnat_systems · ‎05-15-2015

Request for an fix to be put in place in 9.8.2 branch through proper channel. I think your request is genuine and valid. Ruckus should not have an MAJOR issue doing so...

michael_brado · ‎05-15-2015

I've pinged Engineering and Product Marketing, as 9.8 is the last version for 7962/7762 model APs. Awaiting feedback, and will share.

CommScope RUCKUS Community Forums

guest+pass