cancel
Showing results for 
Search instead for 
Did you mean: 
SamPirok
Community Manager Community Manager
Community Manager

A set of new vulnerabilities known as “FragAttacks” has been announced and these vulnerabilities affect WiFi communications and implementations. Broadly speaking, there are a total of 12 vulnerabilities, and three of them affect the WiFi design standard itself whereas the others affect specific implementations. Although CVSS scoring is not available yet as of this writing, it is likely the design flaws are the most serious and will require patches across nearly every WiFi implementation. The other vulnerabilities may also impact WiFi products, but these will be more limited in nature. The original source of information on FragAttacks can be found here: https://www.fragattacks.com/

 

You can read Extreme Networks full Vulnerability Notice here: https://extremeportal.force.com/ExtrArticleDetail?an=000095779

16 Comments
bpowers
Contributor

Sam,

 

Do you know if the patched HiveOS will be available to any/all who request it?  If so, do you happen to have a ballpark timeframe on when HiveOS 10.3r3 will be available?  And do you reckon it might work on legacy HM platforms?  I’ve had success getting the 10.x HiveOS code versions working on the legacy 8.x on-prem HMs in the past.  

 

Thanks,

 

Brian

PeterK
Contributor III

When will Extreme update the information for products, which are under investigation?

w1f1n00b
Contributor II

I see the IQEngine info has been updated for the Vulnerability Notice. Any word if the 10.0 line of firmware is affected? Being as several current devices do not support 10.2/3 FW family, this is information we need to know.

SamPirok
Community Manager Community Manager
Community Manager

Hey everyone, just wanted to let you know I am working on getting you all answers. I’ve heard back from the security team that they are working on another VN update that should address all of your questions, I’ll let you know as soon as I hear that is available. 

SamPirok
Community Manager Community Manager
Community Manager

Hey all, thank you for your patience here. The Vulnerability Notice has been updated, you can view the latest version here: Vulnerability Notice: VN-2021-460 – “FragAttacks” WiFi Vulnerabilities | Extreme Portal (force.com)

Summary: 

A set of new vulnerabilities known as “FragAttacks” has been announced and these vulnerabilities affect WiFi communications and implementations. Broadly speaking, there are a total of 12 vulnerabilities, and three of them affect the WiFi design standard itself whereas the others affect specific implementations. Although CVSS scoring is not available yet as of this writing, it is likely the design flaws are the most serious and will require patches across nearly every WiFi implementation. The other vulnerabilities may also impact WiFi products, but these will be more limited in nature. The original source of information on “FragAttacks” can be found here: https://www.fragattacks.com/

 

 

If the update does not address your question, or if you have any additional questions, please let me know and I’ll continue to look in to this for you. 

w1f1n00b
Contributor II

This raises a few more questions

IQEngine/HiveOS - For Broadcom-based APs, fixed in:
•    8.2r11 (AC Wave 1 and Wave 2 APs - AP30 (ATOM), AP122, AP122X, AP130, AP150W, AP230, AP245X/AP250, AP550, AP1130) [TBD]
•    10.3r2 (AX APs – AP650, AP302W, AP305C/X, AP410C, AP460C, AP510C)
•    10.3r3 (AC Wave 1 and Wave 2 APs - AP30 (ATOM), AP122, AP122X, AP130, AP150W, AP230, AP245X/AP250, AP550, AP1130) [Second week of June]

 

Is this saying these vulnerabilities will be fixed in 8.2r11 (not yet released?)

Still no word on the 10.0 line of firmware

10.3r3 is listing AP models that up until now have not been supported by the 10.3 line of firmware. Is this changing with r3?

 

SamPirok
Community Manager Community Manager
Community Manager

Thanks for the additional questions, the response from our security team was: 

Yes, the vulnerabilities are fixed in 8.2r11. The remaining guidance stands as well – 10.0 will be moving to 10.3r3 for Broadcom-based AP’s.

PeterK
Contributor III

I think it's not a good achievement that, after more than a week, Extreme still has no information about the vulnerability of some solutions/product families. Especially solutions that are used by long-term enterprise customers.

We as Partner were asked by our customers nearly every day and can’t give them a answer.

PeterK
Contributor III

Customers are still waiting for information about Identifi

SamPirok
Community Manager Community Manager
Community Manager

Hi all, I’ve been told that IdentiFi = ExtremeWireless in the notice we’re discussing, and that our security team has not yet determined if these devices will be impacted but they are still looking in to it. 

GTM-P2G8KFN