ExtremeCloud IQ

 Fragattacks

Jump to Best Answer
dpanev's profile image
dpanev posted 05-12-2021 07:26

Hey Guys,

are extreme ap’s infected of this open door? If so, is there a workaround or a hotfix coming?

 

Regards,

 

StephanH's profile image
StephanH

Hello,

in addition to dpanev's question, here is the background:

https://www.fragattacks.com/

schuert's profile image
schuert

Hi!

I second that. I’m using a bunch of c5215 controller and ap3935 access points and would really like to know if I’m affected, possible workarounds and if we can expect a security update for those.

 

Best regards

a.huerzeler's profile image
a.huerzeler

 Would be great if Extreme could publish a communique how they will deal with the vulnerabilities published by https://twitter.com/vanhoefm https://www.fragattacks.com/ would be nice to have an official statement once customers start asking questions.

Sam Pirok's profile image
Sam Pirok

Hi guys, thanks for the mention, I just posted our vulnerability notice regarding the FragAttacks here: 

 

Please let me know if you have additional questions and I’ll do my best to get you answers quickly. 

StephanH's profile image
StephanH

Hello​​​​​​ ,

in my opinion in the KB article referenced by you, Identifi products are missing in the table.

Sam Pirok's profile image
Sam Pirok

Thanks for letting me know , I spoke with the IdentiFi team and they told me this is a typo. They are updating the notice now. 

dpanev's profile image
dpanev

The Articles only mentions ax and ac AP’s. What about 802.11n Release dates?

StephanH's profile image
StephanH

Hello dpanev,

the Identifi pre ac APs are EoL since end of 2020. Therefore there will be no update.

dpanev's profile image
dpanev

Okay thanks Stephan

adrian.stewart's profile image
adrian.stewart

Is there a release date for IQ Engine 10.3r3 for Wave 1 and Wave 2 AC (AP230 & AP250)?

Sam Pirok's profile image
Sam Pirok

Hey all, I’m told in the vulnerability notice that IdentiFi = ExtremeWireless. They are still working out whether or not ExtremeWireless products are affected by this issue. 

 

The release for 10.3r3 is currently scheduled for early to mid month this month, barring any unforeseen set backs before then. 

mfluechter's profile image
mfluechter

I’m a little bit confused that Extreme is still evaluating if some products are affected by these issues. Especially the older products like IdentiFi oder WLAN9100, which are still under service and for which they still receive money from customers for service and support…

Regarding https://www.fragattacks.com/ there was a 10 month disclosure period, managed by the WiFi-Alliance for manufacturers to test their equipment and produce patches. Extreme is Contributor in the WiFi-Alliance. So my colleagues, my boss and my customers, which are using these older stuff, and I are all asking ourselves one question: “What the hell did Extreme do in this period?”

Can someone from Extreme give me an official statement what had happened here exactly, that Extreme is still evaluating stuff and cannot give a clear statement if some products are affected by the CVEs? I mean, it’s not rocket science to test if a component is affected. The security engineer published a test-tool on GitHub. I’ve even tested my private equipment at home with it…

Sam Pirok's profile image
Sam Pirok

Hello all, thank you for your patience, our security team has updated the vulnerability notice today. Could you please let me know if the new additions address your questions? If not, please let me know and I’ll forward your questions on to the security team working on this. 

markus.dach's profile image
markus.dach

Hi Sam, there is still no schedule for fixes on 38xx APs beside the 3805 model on the official vulnerability- notice page. When will patches for this series of APs (especially the 3825i/e series) be available?

Sam Pirok's profile image
Sam Pirok

Hi , I reached out to the security team with your question and I’m told there is an update coming later today that will address the 38xx AP plan. I’ll check back with you tomorrow to make sure that information covers what you’re looking for. 

markus.dach's profile image
markus.dach

Hi Sam, thank you very much for your actions on this, do you have any new details? Ohter APs than the 3805 are still not mentioned in the schedule for hotfixes.

Sam Pirok's profile image
Sam Pirok

Hi , sorry for the delay there, the update went out this morning. The part I think you’re looking for specifically would be: 

  • 10.51.20 (38xx models) [End of July 2021]

Is that what you needed? If you need any further information please let me know and I’ll be happy to look in to it for you. 

markus.dach's profile image
markus.dach

Thank you Sam, now the Article is also updated.

markus.dach's profile image
markus.dach

Hi Sam, now the Firmware 10.51.20 is released,

I’m wondering if all APs in the 38xx range are now fixed- in the release notes only the 3805 and 3825 models are mentioned, whats about the other models ( e.g. AP3865e )?:

Enhancements in 10.51.20.0003: wns0022969 Added Security Vulnerabilities (QCA) patch for AP 38xx (3805 & 3825) models

Are you able to check if all other models are also fixed?

Sam Pirok's profile image
Sam Pirok

Hi , I ran this past our security team this morning and I’m told the VN has updates that now address the AP3865e as well. To summarize, those models are also fixed in that release. Please don’t hesitate to let me know if I can clarify anything else! 

systemscsn's profile image
systemscsn

I have many AP650’s running 10.0.r5 and quite a few AP1130 running 8.2r4

in checking the vulnerability notice, im a bit confused.  this part:

  • 8.2r11 (AC Wave 1 and Wave 2 APs - AP30 (ATOM), AP122, AP122X, AP130, AP150W, AP230, AP245X/AP250, AP550, AP1130) [TBD]
  • 10.3r3 (AC Wave 1 and Wave 2 APs - AP30 (ATOM), AP122, AP122X, AP130, AP150W, AP230, AP245X/AP250, AP550, AP1130)

You have TBD on the AP1130 for 8.2r11 but dont have that for the 10.3r3.  Does that mean the AP1130’s will take 10.3r3 ?

 

Also, i have found 10.0.r5 and 8.2r4 to be the most stable for those AP’s, do you have plans on just doing an “a” patch version of them?  as in 8.2r4a and 10.0r5a ?

 

thanks much as always,

Jason.

Sam Pirok's profile image
Sam Pirok

Hi Jason, I don’t think that TBD was specific to the AP1130 but I’ll have to confirm that. 

 

Yes, 10.3.3 will work with an AP 1130. 

 

I’m not aware of any plans to add a .a version for those firmware lines, but I’ll ask around and let you know if I find anything that says differently. 

Sam Pirok's profile image
Sam Pirok

Hey all, just wanted to let you all know there was another update to the Vulnerability Notice today, some new firmware dates and versions in there now. Please let me know if we can clarify anything!