Solved

Fragattacks


Userlevel 2
Badge +1

Hey Guys,

are extreme ap’s infected of this open door? If so, is there a workaround or a hotfix coming?

 

Regards,

 

icon

Best answer by Sam Pirok 13 May 2021, 13:52

Hi guys, thanks for the mention, I just posted our vulnerability notice regarding the FragAttacks here: 

 

Please let me know if you have additional questions and I’ll do my best to get you answers quickly. 

View original

13 replies

Userlevel 7
Badge +1

Hello,

in addition to dpanev's question, here is the background:

https://www.fragattacks.com/

Hi!

I second that. I’m using a bunch of c5215 controller and ap3935 access points and would really like to know if I’m affected, possible workarounds and if we can expect a security update for those.

 

Best regards

Userlevel 2

@Sam Pirok Would be great if Extreme could publish a communique how they will deal with the vulnerabilities published by https://twitter.com/vanhoefm https://www.fragattacks.com/ would be nice to have an official statement once customers start asking questions.

Userlevel 6

Hi guys, thanks for the mention, I just posted our vulnerability notice regarding the FragAttacks here: 

 

Please let me know if you have additional questions and I’ll do my best to get you answers quickly. 

Userlevel 7
Badge +1

Hello​​​​​​ @Sam Pirok,

in my opinion in the KB article referenced by you, Identifi products are missing in the table.

Userlevel 6

Thanks for letting me know @StephanH, I spoke with the IdentiFi team and they told me this is a typo. They are updating the notice now. 

Userlevel 2
Badge +1

The Articles only mentions ax and ac AP’s. What about 802.11n Release dates?

Userlevel 7
Badge +1

Hello dpanev,

the Identifi pre ac APs are EoL since end of 2020. Therefore there will be no update.

Userlevel 2
Badge +1

Okay thanks Stephan

Is there a release date for IQ Engine 10.3r3 for Wave 1 and Wave 2 AC (AP230 & AP250)?

Userlevel 6

Hey all, I’m told in the vulnerability notice that IdentiFi = ExtremeWireless. They are still working out whether or not ExtremeWireless products are affected by this issue. 

 

The release for 10.3r3 is currently scheduled for early to mid month this month, barring any unforeseen set backs before then. 

I’m a little bit confused that Extreme is still evaluating if some products are affected by these issues. Especially the older products like IdentiFi oder WLAN9100, which are still under service and for which they still receive money from customers for service and support…

Regarding https://www.fragattacks.com/ there was a 10 month disclosure period, managed by the WiFi-Alliance for manufacturers to test their equipment and produce patches. Extreme is Contributor in the WiFi-Alliance. So my colleagues, my boss and my customers, which are using these older stuff, and I are all asking ourselves one question: “What the hell did Extreme do in this period?”

Can someone from Extreme give me an official statement what had happened here exactly, that Extreme is still evaluating stuff and cannot give a clear statement if some products are affected by the CVEs? I mean, it’s not rocket science to test if a component is affected. The security engineer published a test-tool on GitHub. I’ve even tested my private equipment at home with it…

Userlevel 6

Hello all, thank you for your patience, our security team has updated the vulnerability notice today. Could you please let me know if the new additions address your questions? If not, please let me know and I’ll forward your questions on to the security team working on this. 

Reply