Multiple critical vulnerabilities in Ruckus Wi-Fi routers used throughout the world were disclosed at the 36th Chaos Communication Congress (CCC) in Leipzig, Germany, held from December 27-30, 2019.
Ruckus offers high-end wirelesss networking gear that provides mesh Wi-Fi (called ‘Unleashed’) and regular routers to hundreds of thousands of customers. The mesh Wi-Fi is common in conferences (it was used at Black Hat last year), airports, hotels and other large areas that require Wi-Fi access. It is used, for example, in conjunction with Google Station to deploy public Wi-Fi hotspots throughout Sao Paulo in Brazil, and in similar configurations in India, Mexico and Indonesia. Organizations also use Ruckus to provide company-wide Wi-Fi networks.
The vulnerabilities were discovered by Gal Zror, a team leader at Aleph Research, the security research arm of HCL AppScan, and presented (YouTube) at the CCC. They comprise three different remote code execution (RCE) exploit possibilities built from information and credentials leakage, authentication bypass, command injection, path traversal, stack overflow, and arbitrary file read/write. The researchers examined the firmware of 33 different Ruckus access points and found them all to be vulnerable.
Although the devices examined were from the Ruckus Unleashed stable, Zror told SecurityWeek, “I believe the same issues will affect the Ruckus regular routers and other Ruckus devices. Without pre-authentication,” he continued, “I can run my own code on those devices. The implication is that I can upload my own malware into the router, and manipulate all the router activity, as I wish. From there I can access any other network, including the corporate network, that may be connected or may also use Ruckus devices.”
Zror reported the findings to Ruckus, who published a security advisory (PDF) on December 24, 2019. Ten different vulnerabilities have been given CVE identification numbers: CVE-2019-19834 through to CVE-2019-19843. Ruckus told SecurityWeek, “Once upgraded to the latest version, these access points will be protected against recently discovered vulnerabilities that could allow an attacker to gain unauthenticated access to ZoneDirector and Unleashed APs, as well as ZoneDirector controllers running off older firmware. As with any product, Ruckus will continue to release periodic firmware updates for its access points, including those running off ZoneDirector and Unleashed.”
The three attack scenarios discovered by Zror’s team are firstly, web interface credential disclosure and CLI jailbreak to obtain a root shell on the access point. Secondly, a stack overflow in the ‘zap’ executable makes it possible to send an unauthenticated HTTP request to the web interface. And thirdly, an arbitrary file write using the ‘zap’ executable can create a new ‘jsp’ page that does not require authentication and is vulnerable to command injection.
There are numerous threats from these vulnerabilities that — given the popularity of Ruckus devices — could potentially affect many thousands of users. The first point is that since the presence of the devices can be detected through Shodan, it will in some cases be possible to identify individual companies using Ruckus Unleashed Wi-Fi. These devices could be breached remotely via the internet, and could provide a foothold into the corporate network. Of course, in such circumstances, additional vulnerabilities would be required to cross into and traverse through the corporate network.
A second possibility could be to target a known user, either at a conference, a hotel, or waiting at an airport for a flight. Access to the traffic of that user would be easy, and even SSL encrypted traffic would be subject to DNS injection. More likely would be indiscriminate use of such techniques for large scale redirection to phishing sites to gather credentials.
However, Zror believes that the most likely use of such vulnerabilities would simply be to create mayhem. “Some of these vulnerabilities are really straightforward,” Zror told SecurityWeek. “The first one, for example, is simple to execute.” By introducing custom malware, it would be easy to take down all the Ruckus routers or access points at a specific location. For this reason, he suspects one of the biggest dangers would be unskilled script-kiddies seeking something dramatic to increase their reputation on the underground forums. Consider the bragging points available for turning off Black Hat, or making the city of Sao Paulo go dark.
“Customers that use Ruckus, or any other routers,” he told SecurityWeek, “must be aware to the possibility and danger of such vulnerabilities — and must always make sure that their devices are running the latest and most up-to-date firmware.”