Overview
Researcher Security Advisory
Unauthorized Firmware Image Upgrade and Other Vulnerabilities in CommScope Products Discovered by Independent Researcher Aiman Al-Hadhrami, Student at UST, Sana'a, Yemen
Description
Multiple critical vulnerabilities have been discovered by independent security researcher Aiman Yahya Al-Hadhrami from the Republic of Yemen, a student at the University of Science and Technology, Sana'a. These vulnerabilities affect CommScope and Ruckus products.
The discovered issues include flaws in the Secure Boot (rfwd) mechanism and the Web GUI interface, which allow a remote attacker to bypass authentication and perform firmware upgrades using unauthorized images.
A total of 10 CVEs have been identified, with Base Scores indicating Critical Impact:
CVE-2020-22653 Base Score: 9.8 CRITICAL
Full device compromise: Exploits official image signature for unauthorized firmware injection and digital signature bypass.
CVE-2020-22654 Base Score: 9.8 CRITICAL
Unauthorized firmware execution: Bypasses firmware verification signature despite failed MD5 checksum.
CVE-2020-22655 Base Score: 7.5 HIGH
Persistent backdoors: Persistently writes unauthorized firmware images.
CVE-2020-22656 Base Score: 7.5 HIGH
Secure Boot bypass: Forces Secure Boot into failed attempts state (rfwd).
CVE-2020-22657 Base Score: 9.1 CRITICAL
Unauthorized management access: Bypasses Web GUI login authentication.
CVE-2020-22658 Base Score: 9.8 CRITICAL
Complete firmware takeover: Switches to unauthorized image as primary verified image.
CVE-2020-22659 Base Score: 7.5 HIGH
Firmware spoofing: Forces injection of unauthorized firmware signature.
CVE-2020-22660 Base Score: 7.5 HIGH
Unauthorized operation: Bypasses Secure Boot to run backup image.
CVE-2020-22661 Base Score: 6.5 MEDIUM
Loss of trusted backup: Erases and replaces secondary backup firmware.
CVE-2020-22662 Base Score: 7.5 HIGH
Regulatory violations, network interference: Enables illegal region codes and frequencies via command injection; creates excessive SSID interfaces.
Impact/risk
° The attacker can gain access to anywhere from thousands to millions of devices worldwide by exploiting a security vulnerability that allows them to identify these devices and their IP addresses. These devices send signals to the manufacturer, which the attacker can intercept to locate and target them. Once access is obtained, the attacker can implant modified firmware containing malicious commands to carry out cyberattacks. This firmware may also include spyware or data-stealing malware for espionage purposes. Additionally, the attacker may use these compromised devices as part of a botnet to launch DDoS attacks, overwhelming target systems with traffic.
° The vulnerabilities affected multiple devices, servers, and systems used in various sectors, including government offices, hotels, companies, and hospitals around the world.
° Full Remote Compromise: Devices can be fully and remotely controlled by an attacker.
° Illegal RF Operation: An attacker can configure the device to operate on illegal frequencies with unrestricted output power, violating air interface regulations, including FCC rules: 594280 D01, 594280 D02, and 442812 D01.
° Persistent Backdoors: An attacker can establish persistent backdoors for various malicious purposes.
° Image Spoofing: Attackers can trick customers into believing that devices are running official firmware, while in reality, they may be running unauthorized images embedded with harmful backdoors.
° Update Blocking: Future software updates can be permanently blocked by the attacker, preventing any remediation.
° Wide Coverage: These vulnerabilities affect all product models and all software versions released from 2014 up to the latest releases in 2020.
Affected Products
Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100) before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151
The following table outlines the vulnerable Ruckus products, the affected software versions, and the recommended mitigation actions:
Vulnerable Products | Vulnerable Releases | Fixed Release | Patch Release Date |
ZoneDirector | 10.0.x and before | Upgrade to 10.0.1.0.93 | Feb 18, 2020 |
ZoneDirector | 10.1.x | Upgrade to 10.1.2.0.277 | Feb 14, 2020 |
ZoneDirector | 10.2.x | Upgrade to 10.2.1.0.159 | Feb 25, 2020 |
ZoneDirector | 10.3.x | Upgrade to 10.3.1.0.24 | Feb 25, 2020 |
ZoneDirector | 10.4.x | Upgrade to 10.4.0.0.70 | Feb 21, 2020 |
SmartZone | 3.4.2 | For Vulnerable v/SZ Release 3.4.2, upgrade to 3.4.2 Patch-4 build 3.4.2.0.245; and then customer will be able to apply AP Patch scg-ap-3.4.2.0-911.patch to an AP zone. | Feb 25, 2020 |
SmartZone | 3.6.2 | For Vulnerable v/SZ Release 3.6.2, upgrade to 3.6.2 Patch-2 build 3.6.2.0.250; and then customer will be able to apply AP Patch scg-ap-3.6.2.0-765.patch to an AP zone. | Feb 25, 2020 |
SmartZone | 5.0, 5.1 | For Vulnerable v/SZ Releases 5.0 and 5.1, upgrade to 5.2 GA Refresh build 5.2.0.0.699; and then customer will be able to apply AP Patch scg-ap-5.2.0.0-5010.patch to an AP zone. | Feb 25, 2020 |
SmartZone | 5.2 | For Vulnerable v/SZ Release 5.2 GA Refresh build 5.2.0.0.699; customer will be able to apply AP Patch scg-ap-5.2.0.0-5010.patch to an AP zone. | Feb 25, 2020 |
Cloud | 5.1.1 | No end-user action required | Feb 29, 2020 |
Unleashed C110 AP | All version | TBD | TBD |
Unleashed E510 AP | All version | TBD | TBD |
Unleashed H320 AP | All version | TBD | TBD |
Unleashed H510 AP | All version | TBD | TBD |
Unleashed M510 AP | All version | TBD | TBD |
Unleashed R320 AP | All version | TBD | TBD |
Unleashed R310 AP | All version | out of software support. | End of Life |
Unleashed R500 AP | All version | out of software support. | End of Life |
Unleashed R510 AP | All version | TBD | TBD |
Unleashed R600 AP | All version | out of software support. | End of Life |
Unleashed R610 AP | All version | TBD | TBD |
Unleashed R710 AP | All version | TBD | TBD |
Unleashed R720 AP | All version | TBD | TBD |
Unleashed R750 AP | All version | TBD | TBD |
Unleashed T300 AP | All version | out of software support. | End of Life |
Unleashed T300e AP | All version | out of software support. | End of Life |
Unleashed T301n AP | All version | out of software support. | End of Life |
Unleashed T301s AP | All version | out of software support. | End of Life |
Unleashed T310c AP | All version | TBD | TBD |
Unleashed T310d AP | All version | TBD | TBD |
Unleashed T310n AP | All version | TBD | TBD |
Unleashed T310s AP | All version | TBD | TBD |
Unleashed T610 AP | All version | TBD | TBD |
Unleashed T710 AP | All version | TBD | TBD |
Unleashed T710s AP | All version | TBD | TBD |
Solo C110 AP | All version | TBD | TBD |
Solo C500 AP | All version | out of software support. | End of Life |
Solo H500 AP | All version | out of software support. | End of Life |
Solo E510 AP | All version | TBD | TBD |
Solo R300 AP | All version | out of software support. | End of Life |
Solo H320 AP | All version | TBD | TBD |
Solo H510 AP | All version | TBD | TBD |
Solo M510 AP | All version | TBD | TBD |
Solo R320 AP | All version | TBD | TBD |
Solo R310 AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo R500 AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo R500e AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo R510 AP | All version | TBD | TBD |
Solo R600 AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo R610 AP | All version | TBD | TBD |
Solo R700 AP | All version | out of software support. | EOL |
Solo R710 AP | All version | TBD | TBD |
Solo R720 AP | All version | TBD | TBD |
Solo R750 AP | All version | TBD | TBD |
Solo T300 AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo T300e AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo T301n AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo T301s AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo T310c AP | All version | TBD | TBD |
Solo T310d AP | All version | TBD | TBD |
Solo T310n AP | All version | TBD | TBD |
Solo T310s AP | All version | TBD | TBD |
Solo T610 AP | All version | TBD | TBD |
Solo T710 AP | All version | TBD | TBD |
Solo T710s AP | All version | TBD | TBD |
Solo T504 AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo P300 AP | All version | Upgrade to 110.0.0.0.2005 | Feb 28, 2020 |
Solo ZFsc8800s AP | All version | out of software support. | End of Life |
Solo ZFsc8800ac AP | All version | out of software support. | End of Life |
Solo ZF7321 AP | All version | out of software support. | End of Life |
Solo ZF7321u AP | All version | out of software support. | End of Life |
Solo ZF7341 AP | All version | out of software support. | End of Life |
Solo ZF7343 AP | All version | out of software support. | End of Life |
Solo ZF7351 AP | All version | out of software support. | End of Life |
Solo ZF7352 AP | All version | out of software support. | End of Life |
Solo ZF7363 AP | All version | out of software support. | End of Life |
Solo ZF7372 AP | All version | out of software support. | End of Life |
Solo ZF7372E AP | All version | out of software support. | End of Life |
Solo ZF7441 AP | All version | out of software support. | End of Life |
Solo ZF7025 AP | All version | out of software support. | End of Life |
Solo ZF7055 AP | All version | out of software support. | End of Life |
Solo ZF7761cm AP | All version | out of software support. | End of Life |
Solo ZF7762 AP | All version | out of software support. | End of Life |
Solo ZF7762AC AP | All version | out of software support. | End of Life |
Solo ZF7762N AP | All version | out of software support. | End of Life |
Solo ZF7762S AP | All version | out of software support. | End of Life |
Solo ZF7762S-AC AP | All version | out of software support. | End of Life |
Solo ZF7762t AP | All version | out of software support. | End of Life |
Solo ZF7781cm AP | All version | out of software support. | End of Life |
Solo ZF7781cm-E AP | All version | out of software support. | End of Life |
Solo ZF7781cm-S AP | All version | out of software support. | End of Life |
Solo ZF7781fn AP | All version | out of software support. | End of Life |
Solo ZF7781fn-E AP | All version | out of software support. | End of Life |
Solo ZF7781M AP | All version | out of software support. | End of Life |
Solo ZF7781S AP | All version | out of software support. | End of Life |
Solo ZF7782 AP | All version | out of software support. | End of Life |
Solo ZF7782E AP | All version | out of software support. | End of Life |
Solo ZF7782N AP | All version | out of software support. | End of Life |
Solo ZF7782S AP | All version | out of software support. | End of Life |
Solo ZF2741 AP | All version | out of software support. | End of Life |
Solo ZF2741E AP | All version | out of software support. | End of Life |
Solo ZF2942 AP | All version | out of software support. | End of Life |
Solo ZF7982 AP | All version | out of software support. | End of Life |
Solo ZF7962 AP | All version | out of software support. | End of Life |
Solo ZF7942 AP | All version | out of software support. | End of Life |
Solution
- Ruckus has released patches for some products and is in the process of developing and releasing software fixes for all affected products. We recommend installing these updates as soon as they become available.
- Ruckus EOL (End-of-Life) Products will not receive fix patches.
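One way to check a ZoneDirector inventory against the fixed builds in the table above, as an added example that is not code from the researcher or from Ruckus. The inventory entries and status strings are constructed; a build named under Affected Products is reported as listed-affected even where it is newer than the table's fixed build, because the page lists it as affected.

```python
# Added example: audit ZoneDirector builds against this advisory.
# Data is copied from the page; the inventory below is constructed.

# Fixed build per release branch (ZoneDirector rows of the table).
ZD_FIXED = {
    (10, 0): (10, 0, 1, 0, 93),   # row "10.0.x and before"
    (10, 1): (10, 1, 2, 0, 277),
    (10, 2): (10, 2, 1, 0, 159),
    (10, 3): (10, 3, 1, 0, 24),
    (10, 4): (10, 4, 0, 0, 70),
}
# Model -> build named under "Affected Products".
ZD_LISTED = {"1100": "9.10.2.0.130", "1200": "10.2.1.0.218",
             "3000": "10.2.1.0.218", "5000": "10.0.1.0.151"}


def parse_build(version):
    """Turn '10.2.1.0.159' into a tuple that compares numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 5:
        raise ValueError(f"expected a five-part build, got {version!r}")
    return parts


def audit(model, version):
    """Classify one ZoneDirector (model number, running build)."""
    build = parse_build(version)
    if ZD_LISTED.get(model) == version.strip():
        return "listed-affected"          # named on the page: review by hand
    # Everything up to 10.0.x shares the 10.0 fix; later branches have their own.
    branch = build[:2] if build[:2] > (10, 0) else (10, 0)
    fixed = ZD_FIXED.get(branch)
    if fixed is None:
        return "branch-not-in-table"
    if build < fixed:
        return "upgrade to " + ".".join(map(str, fixed))
    return "at-or-above-fixed"


if __name__ == "__main__":
    inventory = [("1200", "10.2.1.0.100"), ("3000", "10.2.1.0.218"),
                 ("1100", "9.8.2.0.15"), ("1200", "10.4.0.0.70")]  # constructed
    for model, version in inventory:
        print(f"ZoneDirector {model} {version}: {audit(model, version)}")
```

Comparing builds as integer tuples matters here: a string comparison would rank 10.0.1.0.93 above 10.0.1.0.151.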