Critical Vulnerabilities Impact Ruckus Wi-Fi Routers

Multiple critical vulnerabilities in Ruckus Wi-Fi routers used throughout the world were disclosed at the 36th Chaos Communication Congress (CCC) in Leipzig, Germany, held from December 27-30, 2019.

Ruckus offers high-end wireless networking gear that provides mesh Wi-Fi (called ‘Unleashed’) and regular routers to hundreds of thousands of customers. The mesh Wi-Fi is common in conferences (it was used at Black Hat last year), airports, hotels and other large areas that require Wi-Fi access. It is used, for example, in conjunction with Google Station to deploy public Wi-Fi hotspots throughout Sao Paulo in Brazil, and in similar configurations in India, Mexico and Indonesia. Organizations also use Ruckus to provide company-wide Wi-Fi networks.

The vulnerabilities were discovered by Gal Zror, a team leader at Aleph Research, the security research arm of HCL AppScan, and presented (YouTube) at the CCC. They comprise three different remote code execution (RCE) exploit possibilities built from information and credentials leakage, authentication bypass, command injection, path traversal, stack overflow, and arbitrary file read/write. The researchers examined the firmware of 33 different Ruckus access points and found them all to be vulnerable.

Although the devices examined were from the Ruckus Unleashed stable, Zror told SecurityWeek, “I believe the same issues will affect the Ruckus regular routers and other Ruckus devices. Without pre-authentication,” he continued, “I can run my own code on those devices. The implication is that I can upload my own malware into the router, and manipulate all the router activity, as I wish. From there I can access any other network, including the corporate network, that may be connected or may also use Ruckus devices.”

Zror reported the findings to Ruckus, who published a security advisory (PDF) on December 24, 2019. Ten different vulnerabilities have been given CVE identification numbers: CVE-2019-19834 through to CVE-2019-19843. Ruckus told SecurityWeek, “Once upgraded to the latest version, these access points will be protected against recently discovered vulnerabilities that could allow an attacker to gain unauthenticated access to ZoneDirector and Unleashed APs, as well as ZoneDirector controllers running off older firmware. As with any product, Ruckus will continue to release periodic firmware updates for its access points, including those running off ZoneDirector and Unleashed.”

The three attack scenarios discovered by Zror’s team are, firstly, web interface credential disclosure combined with a CLI jailbreak to obtain a root shell on the access point. Secondly, a stack overflow in the ‘zap’ executable that can be reached with an unauthenticated HTTP request to the web interface. And thirdly, an arbitrary file write using the ‘zap’ executable that can create a new ‘jsp’ page which does not require authentication and is vulnerable to command injection.

There are numerous threats from these vulnerabilities that — given the popularity of Ruckus devices — could potentially affect many thousands of users. The first point is that since the presence of the devices can be detected through Shodan, it will in some cases be possible to identify individual companies using Ruckus Unleashed Wi-Fi. These devices could be breached remotely via the internet, and could provide a foothold into the corporate network. Of course, in such circumstances, additional vulnerabilities would be required to cross into and traverse through the corporate network.

A second possibility could be to target a known user, either at a conference, a hotel, or waiting at an airport for a flight. Access to the traffic of that user would be easy, and even SSL encrypted traffic would be subject to DNS injection. More likely would be indiscriminate use of such techniques for large scale redirection to phishing sites to gather credentials.

However, Zror believes that the most likely use of such vulnerabilities would simply be to create mayhem. “Some of these vulnerabilities are really straightforward,” Zror told SecurityWeek. “The first one, for example, is simple to execute.” By introducing custom malware, it would be easy to take down all the Ruckus routers or access points at a specific location. For this reason, he suspects one of the biggest dangers would be unskilled script-kiddies seeking something dramatic to increase their reputation on the underground forums. Consider the bragging points available for turning off Black Hat, or making the city of Sao Paulo go dark.

“Customers that use Ruckus, or any other routers,” he told SecurityWeek, “must be aware of the possibility and danger of such vulnerabilities — and must always make sure that their devices are running the latest and most up-to-date firmware.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
