Ruckus Routers Found With Multiple Security Flaws

In 2014, research from Tripwire found that almost three quarters of the 50 top selling routers on Amazon.com contained security vulnerabilities, including 20 different models where the latest firmware from was found to be exploitable.

The flaws were discovered by Craig Young, a security researcher at Tripwire, who said companies using Ruckus routers could also be unknowingly at risk to compromise as intruders could stage man-in-the-middle attacks.

Enterprise security

But now, new research from Tripwire has explored whether security vulnerabilities in routers is just confined to the consumer market, or actually affects the enterprise space too.

Ruckus: in the doghouse?

“My suspicion was that feature wars and low profit margins could be contributing to the epidemic of insecure routers,” said Young.

“In an attempt to determine whether this issue was limited to the consumer market, I decided it would be necessary to obtain and evaluate a wireless router designed for enterprise networks.”

Young started his research by purchasing a cheaper, second-hand Ruckus ZoneFlex router, running the latest available firmware as of October 27 2015.

“Within a few minutes of setting up the device, I found a command injection which is exploitable through a forged request due to a general lack of CSRF tokens,” said Young.

“As with many of the consumer routers I had tested, the ZoneFlex offers administrators an option to perform diagnostics including a simple ping test, with apparently no input sanitization. In every case where I’ve found this flaw on a consumer router, it has been pretty devastating.”

Young admitted that the ZoneFlex model was at its end of life, and he naturally expected that the flaws would be fixed in later products. He was wrong.

Ping injection

“My research picked up again 12/3/2015 when I set up a Ruckus H500 access point with the latest firmware (100.1.0.0.432); I was shocked to find that the ping injection still worked! After obtaining a shell on this fully patched access point, I proceeded by creating a simple list of files contained in the web server’s document root,” he continued.

“This is a trivial process possible from either the shell access or through firmware extraction and can be supplemented by locating possible URIs embedded within the server’s binaries. In this particular case, I limited myself just to the files visible in the firmware update. I then fed this list into a script I have for crawling an HTTP server and recording which files are accessible without authentication. As was commonly the case with consumer devices, this rather simple process exposed a few flaws.”

Those flaws included authentication bypass, a denial of service flaw, and in information disclosure where the device’s serial number is exposed by the HTTP server.

“It is unclear whether this has any direct security impact but it may be useful to an attacker as part of a social engineering ploy. I have also observed other products where the serial number is used as a means to prove ownership of a device,” said Young.

He subsequently found more vulnerabilities in Ruckus access points, and said he reached out to Ruckus, at which point the company became unresponsive.

“Unlike with some vendors where it takes guess work to figure out an appropriate security contact, Ruckus has a page listing a PGP key and email address for reporting vulnerabilities. While this is normally a good sign of a responsive organization, repeated attempts to email them my report resulted in bounces,” Young explained.

“In early January 2016, about a month after I first reached out to Ruckus, I emailed several other posted addresses stating my problem reaching the security contact. A webmaster contact responded letting me know that he would get the account setup but after resending the report and asking for receipt confirmation, I heard nothing.”

While the vulnerabilities found in Ruckus hardware were similar to vulnerabilities found in the routers of other vendors, such as Netgear and ASUS, Young said that his report to Ruckus appears to have been completed ignored.

Ruckus Response

TechWeekEurope contacted Ruckus, which this week issued a security advisory in light of Tripwire’s findings.

“These vulnerabilities were first reported by Tripwire and Ruckus acknowledges them,” said the company.

“However, Ruckus would like to state that these vulnerabilities are only exploitable when AP IP & Web interface are accessible from external hosts. Most of Ruckus APs (Access points) are deployed in [a] managed environment where there is [a] WLAN controller that is managing the APs.

“Ruckus will be actively working to close these vulnerabilities with high priority.”

Quiz: What do you know about cybersecurity in 2016?

Ben Sullivan

Ben covers web and technology giants such as Google, Amazon, and Microsoft and their impact on the cloud computing industry, whilst also writing about data centre players and their increasing importance in Europe. He also covers future technologies such as drones, aerospace, science, and the effect of technology on the environment.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago