Vulnerability Notices


Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

  • 1.  Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-13-2021 11:51

    A set of new vulnerabilities known as “FragAttacks” has been announced and these vulnerabilities affect WiFi communications and implementations. Broadly speaking, there are a total of 12 vulnerabilities, and three of them affect the WiFi design standard itself whereas the others affect specific implementations. Although CVSS scoring is not available yet as of this writing, it is likely the design flaws are the most serious and will require patches across nearly every WiFi implementation. The other vulnerabilities may also impact WiFi products, but these will be more limited in nature. The original source of information on FragAttacks can be found here: https://www.fragattacks.com/

     

    You can read Extreme Networks' full Vulnerability Notice here: https://extremeportal.force.com/ExtrArticleDetail?an=000095779



  • 2.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-17-2021 17:07

    Sam,

    Do you know if the patched HiveOS will be available to any/all who request it? If so, do you happen to have a ballpark timeframe on when HiveOS 10.3r3 will be available? And do you reckon it might work on legacy HM platforms? I’ve had success getting the 10.x HiveOS code versions working on the legacy 8.x on-prem HMs in the past.

    Thanks,

    Brian



  • 3.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-18-2021 06:16

    When will Extreme update the information for products which are under investigation?



  • 4.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-18-2021 13:55

    I see the IQEngine info has been updated for the Vulnerability Notice. Any word if the 10.0 line of firmware is affected? Being as several current devices do not support 10.2/3 FW family, this is information we need to know.



  • 5.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-19-2021 14:48

    Hey everyone, just wanted to let you know I am working on getting you all answers. I’ve heard back from the security team that they are working on another VN update that should address all of your questions, I’ll let you know as soon as I hear that is available. 



  • 6.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-20-2021 12:39

    Hey all, thank you for your patience here. The Vulnerability Notice has been updated, you can view the latest version here: Vulnerability Notice: VN-2021-460 – “FragAttacks” WiFi Vulnerabilities | Extreme Portal (force.com)

    Summary: 

    A set of new vulnerabilities known as “FragAttacks” has been announced and these vulnerabilities affect WiFi communications and implementations. Broadly speaking, there are a total of 12 vulnerabilities, and three of them affect the WiFi design standard itself whereas the others affect specific implementations. Although CVSS scoring is not available yet as of this writing, it is likely the design flaws are the most serious and will require patches across nearly every WiFi implementation. The other vulnerabilities may also impact WiFi products, but these will be more limited in nature. The original source of information on “FragAttacks” can be found here: https://www.fragattacks.com/

    If the update does not address your question, or if you have any additional questions, please let me know and I’ll continue to look into this for you.



  • 7.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-20-2021 12:49

    This raises a few more questions

    IQEngine/HiveOS - For Broadcom-based APs, fixed in:
    •    8.2r11 (AC Wave 1 and Wave 2 APs - AP30 (ATOM), AP122, AP122X, AP130, AP150W, AP230, AP245X/AP250, AP550, AP1130) [TBD]
    •    10.3r2 (AX APs – AP650, AP302W, AP305C/X, AP410C, AP460C, AP510C)
    •    10.3r3 (AC Wave 1 and Wave 2 APs - AP30 (ATOM), AP122, AP122X, AP130, AP150W, AP230, AP245X/AP250, AP550, AP1130) [Second week of June]

     

    Is this saying these vulnerabilities will be fixed in 8.2r11 (not yet released?)

    Still no word on the 10.0 line of firmware

    10.3r3 is listing AP models that up until now have not been supported by the 10.3 line of firmware. Is this changing with r3?

     



  • 8.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-20-2021 15:36

    Thanks for the additional questions, the response from our security team was: 

    Yes, the vulnerabilities are fixed in 8.2r11. The remaining guidance stands as well – 10.0 will be moving to 10.3r3 for Broadcom-based APs.



  • 9.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 05-21-2021 14:20

    I think it's not a good achievement that, after more than a week, Extreme still has no information about the vulnerability of some solutions/product families. Especially solutions that are used by long-term enterprise customers.

    We, as a partner, were asked by our customers nearly every day and can’t give them an answer.



  • 10.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-01-2021 08:09

    Customers are still waiting for information about IdentiFi.



  • 11.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-01-2021 17:22

    Hi all, I’ve been told that IdentiFi = ExtremeWireless in the notice we’re discussing, and that our security team has not yet determined if these devices will be impacted but they are still looking into it.



  • 12.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-03-2021 14:38

    Hi Sam,

    Sorry, but what have you been discussing for 3 weeks? :rage:

    Most other vendors have still released information if their products are impacted and when they plan to fix it. Also Extreme has done this for a few products.

    Information on whether it is impacted or not would help. I'm not even talking about a possible fix-release date.

    Seriously, that's a very poor performance in how you deal with your (and also our) customers.



  • 13.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-03-2021 15:39

    Hi Peter, I completely understand your frustration here, I am not sure why it’s taking longer to work out if IdentiFi products are affected. As soon as I hear from the security team working on this project, I will update this post. I know that doesn’t help you or your customers right now, and I’m sincerely sorry I can’t be more helpful right now, but I’ll update you the very moment I know more. 



  • 14.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-16-2021 05:41

    10.3r3 was released yesterday, June 15th.



  • 15.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-16-2021 05:45

    Now eagerly waiting for 8.2r11 release date to be set!



  • 16.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-24-2021 09:51

    Wow, KB-Article is updated. It only takes 1 month and 10 days.

    But there are open questions.

    What about non 3805 - 38XX APs?

    Why is XCC declared as “not vulnerable” if fixed firmware for connected APs is available?



  • 17.  RE: Vulnerability Notice VN-2021-460- "FragAttacks" Wifi Vulnerabilities

    Posted 06-24-2021 15:53

    Hello,

     

    The ExtremeCloud (=https://ezcloudx.com/) is missing on the KB, too.

    I know the ExtremeCloud is EoS but still under contract.