Sunday, March 29, 2020

Vulnerabilities in Ruckus Network Products


Overview

Researcher Security Advisory Several Security Flaws in CommScope Products Discovered by Independent Researcher Aiman Al-Hadhrami, a Student at UST, Sana'a, Yemen.



Description

Multiple critical vulnerabilities have been discovered by independent security researcher Aiman Yahya Al-Hadhrami from the Republic of Yemen, a student at the University of Science and Technology, Sana'a. These vulnerabilities affect CommScope and Ruckus products.

The discovered issues include flaws in the Secure Boot mechanism and the Web GUI interface, which allow a remote attacker to bypass authentication and perform firmware upgrades using unauthorized images.


A total of 10 CVEs have been identified, with Base Scores indicating Critical Impact:

CVE-2020-22653   Base Score 9.8 CRITICAL
Full device compromise: Exploits official image signature for unauthorized firmware injection and digital signature bypass.

CVE-2020-22654   Base Score:  9.8 CRITICAL
CVE-2020-22656   Base Score:  7.5 HIGH
 Secure Boot bypass: Forces Secure Boot into failed attempts state (rfwd).

CVE-2020-22657   Base Score:  9.1 CRITICAL
Unauthorized management access: Bypasses Web GUI login authentication.

CVE-2020-22658   Base Score:   9.8 CRITICAL
Complete firmware takeover: Switches to unauthorized image as primary verified image.

CVE-2020-22659   Base Score:  7.5 HIGH
Firmware spoofing: Forces injection of unauthorized  firmware signature.

CVE-2020-22660   Base Score:  7.5 HIGH
Unauthorized operation: Bypasses Secure Boot to run backup image.

CVE-2020-22661   Base Score:  6.5 MEDIUM
Loss of trusted backup: Erases and replaces secondary backup firmware.

CVE-2020-22662   Base Score:  7.5 HIGH
Regulatory violations, network interference: Enables illegal region codes and frequencies via command injection; creates excessive SSID interfaces.


Impact/Risk

° The attacker can gain access to anywhere from thousands to millions of devices worldwide by exploiting a security vulnerability that allows them to identify these devices and their IP addresses. These devices send signals to the manufacturer, which the attacker can intercept to locate and target them. Once access is obtained, the attacker can implant modified firmware containing malicious commands to carry out cyberattacks. This firmware may also include spyware or data-stealing malware for espionage purposes. Additionally, the attacker may use these compromised devices as part of a botnet to launch DDoS attacks, overwhelming target systems with traffic.

° The vulnerabilities affected multiple devices, servers, and systems used in various sectors, including government offices, airports, hotels, companies, and hospitals around the world. If an attacker exploits these vulnerabilities in the healthcare sector, it could lead to severe consequences, including the disruption of medical devices and access to healthcare systems. Such attacks could cripple hospital network infrastructure, resulting in delays in medical procedures and critical care. In worst-case scenarios, this may lead to breaches of emergency systems, operating rooms, and intensive care units, potentially causing loss of lives.

° Illegal RF Operation: An attacker can configure the device to operate on illegal frequencies with unrestricted output power, violating air interface regulations, including FCC rules: 594280 D01, 594280 D02, and 442812 D01. Exploiting this vulnerability in sensitive locations such as airports could lead to severe consequences, including interference with radar systems and other critical communication channels, potentially causing operational disruptions and safety hazards.

° Attackers can remotely take over systems, compromising them from the lowest operating and security layers up to the highest levels, resulting in complete device compromises that victims—including even the manufacturer—cannot recover from without the attacker’s cooperation.
Moreover, neither the victims nor even the manufacturer can detect that the system is under unauthorized control, as the attacker’s code carries a signature that appears to have been legitimately issued by the company.

° Full remote compromise allows devices to be fully and remotely controlled by an attacker. Persistent backdoors can be implanted for various malicious purposes. Furthermore, future software updates can be permanently blocked by the attacker, preventing any remediation, and in the worst cases, the attacker may even brick the devices beyond repair, necessitating their complete replacement.


Responsible Disclosure


All discovered vulnerabilities were responsibly reported directly to CommScope Inc and its affiliated companies, providing them with full technical details necessary for understanding, reproducing, and fixing the issues. No exploit code or sensitive technical steps have ever been published or shared publicly, to protect critical infrastructure and prevent misuse.

Affected Products

Ruckus R310 10.5.1.0.199, Ruckus R500 10.5.1.0.199, Ruckus R600 10.5.1.0.199, Ruckus T300 10.5.1.0.199, Ruckus T301n 10.5.1.0.199, Ruckus T301s 10.5.1.0.199, SmartCell Gateway 200 (SCG200) before 3.6.2.0.795, SmartZone 100 (SZ-100)  before 3.6.2.0.795, SmartZone 300 (SZ300) before 3.6.2.0.795, Virtual SmartZone (vSZ) before 3.6.2.0.795, ZoneDirector 1100 9.10.2.0.130, ZoneDirector 1200 
10.2.1.0.218, ZoneDirector 3000 10.2.1.0.218, ZoneDirector 5000 10.0.1.0.151.

The following table outlines the vulnerable Ruckus products, the affected software versions, and the recommended mitigation actions:


vulnerable      products
Vulnerable      Releases
  Fixed Release
Patch
Release Date



ZoneDirector
10.0.x and before
Upgrade to 10.0.1.0.93
Feb 18, 2020
10.1.x
Upgrade to 10.1.2.0.277
Feb 14, 2020
10.2.x
Upgrade to 10.2.1.0.159
Feb 25, 2020
10.3.x
Upgrade to 10.3.1.0.24
Feb 25, 2020
10.4.x
Upgrade to 10.4.0.0.70
Feb 21, 2020











SmartZone
3.4.2
For Vulnerable v/SZ Release
3.4.2, upgrade to 3.4.2 Patch-4 build
3.4.2.0.245; and then customer will be to
able apply AP Patch scg-ap-3.4.2.0-
911.patch to an AP zone.




Feb 25, 2020
3.6.2
For Vulnerable v/SZ Release
3.6.2, upgrade to 3.6.2 Patch-2 build
3.6.2.0.250; and then customer will be
able to apply AP Patch scg-ap-3.6.2.0-
765.patch to an AP zone.



Feb 25, 2020
5.0, 5.1
For Vulnerable v/SZ Releases 5.0 and 5.1,
upgrade to 5.2 GA Refresh build
5.2.0.0.699; and then customer will be
able to apply AP Patch scg-ap-5.2.0.0-
5010.patch to an AP zone.



Feb 25, 2020
5.2
For Vulnerable v/SZ Release 5.2 GA
Refresh build 5.2.0.0.699 ; customer will
be able to apply AP Patch scg-ap-5.2.0.0-
5010.patch to an AP zone.


Feb 25, 2020
Cloud
5.1.1
No end-user action required
Feb 29, 2020
Unleashed C110 AP
All version
TBD
TBD
Unleashed E510 AP
All version
TBD
TBD
Unleashed H320 AP
All version
TBD
TBD
Unleashed H510 AP
All version
TBD
TBD
Unleashed M510 AP
All version
TBD
TBD
Unleashed R320 AP
All version
TBD
TBD
Unleashed R310 AP
All version
out of software support.
End of Life
Unleashed R500 AP
All version
out of software support.
End of Life
Unleashed R510  AP
All version
TBD
TBD
Unleashed R600 AP
All version
out of software support.
End of Life
Unleashed R610 AP
All version
TBD
TBD
Unleashed R710 AP
All version
TBD
TBD
Unleashed R720 AP
All version
TBD
TBD
Unleashed R750 AP
All version
TBD
TBD
Unleashed T300 AP
All version
out of software support.
End of Life
Unleashed T300e AP
All version
out of software support.
End of Life
Unleashed T301n AP
All version
out of software support.
End of Life
Unleashed T301s AP
All version
out of software support.
End of Life
Unleashed T310c AP
All version
TBD
TBD
Unleashed T310d AP
All version
TBD
TBD
Unleashed T310n AP
All version
TBD
TBD
Unleashed T310s AP
All version
TBD
TBD
Unleashed T610 AP
All version
TBD
TBD
Unleashed T710 AP
All version
TBD
TBD
Unleashed T710s AP
All version
TBD
TBD
Solo C110 AP
All version
TBD
TBD
Solo C500 AP
All version
out of software support.
End of Life
Solo H500 AP
All version
out of software support.
End of Life
Solo E510 AP
All version
TBD
TBD
Solo R300 AP
All version
out of software support.
End of Life
Solo H320 AP
All version
TBD
TBD
Solo H510 AP
All version
TBD
TBD
Solo M510 AP
All version
TBD
TBD
Solo R320 AP
All version
TBD
TBD
Solo R310 AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo R500 AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo R500e AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo R510  AP
All version
TBD
TBD
Solo R600 AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo R610 AP
All version
TBD
TBD
Solo R700 AP
All version
out of software support.
EOL
Solo R710 AP
All version
TBD
TBD
Solo R720 AP
All version
TBD
TBD
Solo R750 AP
All version
TBD
TBD
Solo T300 AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo T300e AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo T301n AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo T301s AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo T310c AP
All version
TBD
TBD
Solo T310d AP
All version
TBD
TBD
Solo T310n AP
All version
TBD
TBD
Solo T310s AP
All version
TBD
TBD
Solo T610 AP
All version
TBD
TBD
Solo T710 AP
All version
TBD
TBD
Solo T710s AP
All version
TBD
TBD
Solo T504 AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo P300 AP
All version
Upgrade to 110.0.0.0.2005
Feb 28, 2020
Solo ZFsc8800s AP
All version
out of software support.
End of Life
Solo ZFsc8800ac AP
All version
out of software support.
End of Life
Solo ZF7321 AP
All version
out of software support.
End of Life
Solo ZF7321u AP
All version
out of software support.
End of Life
Solo ZF7341 AP
All version
out of software support.
End of Life
Solo ZF7343 AP
All version
out of software support.
End of Life
Solo ZF7351 AP
All version
out of software support.
End of Life
Solo ZF7352 AP
All version
out of software support.
End of Life
Solo ZF7363 AP
All version
out of software support.
End of Life
Solo ZF7372 AP
All version
out of software support.
End of Life
Solo ZF7372E AP
All version
out of software support.
End of Life
Solo ZF7441 AP
All version
out of software support.
End of Life
Solo ZF7025 AP
All version
out of software support.
End of Life
Solo ZF7055 AP
All version
out of software support.
End of Life
Solo ZF7761cm AP
All version
out of software support.
End of Life
Solo ZF7762 AP
All version
out of software support.
End of Life
Solo ZF7762AC AP
All version
out of software support.
End of Life
Solo ZF7762N AP
All version
out of software support.
End of Life
Solo ZF7762S AP
All version
out of software support.
End of Life
Solo ZF7762S-AC AP
All version
out of software support.
End of Life
Solo ZF7762t AP
All version
out of software support.
End of Life
Solo ZF7781cm AP
All version
out of software support.
End of Life
Solo ZF7781cm-E AP
All version
out of software support.
End of Life
Solo
ZF7781cm-S AP
All version
out of software support.
End of Life
Solo ZF7781fn AP
All version
out of software support.
End of Life
Solo ZF7781fn-E AP
All version
out of software support.
End of Life
Solo ZF7781M AP
All version
out of software support.
End of Life
Solo ZF7781S AP
All version
out of software support.
End of Life
Solo ZF7782 AP
All version
out of software support.
End of Life
Solo ZF7782E AP
All version
out of software support.
End of Life
Solo ZF7782N AP
All version
out of software support.
End of Life
Solo ZF7782S AP
All version
out of software support.
End of Life
Solo ZF2741 AP
All version
out of software support.
End of Life
Solo ZF2741E AP
All version
out of software support.
End of Life
Solo ZF2942 AP
All version
out of software support.
End of Life
Solo ZF7982 AP
All version
out of software support.
End of Life
Solo ZF7962 AP
All version
out of software support.
End of Life
Solo ZF7942 AP
All version
out of software support.
End of Life


Solution

  • CommScope has released patches for some products and is in the process of developing and releasing software fixes for all affected products. We recommend installing these updates as soon as they become available.

  • EOL (End-of-Life) Products will not receive fix patches.

Aiman Al-Hadhrami — Independent Cybersecurity Researcher 

 

at

No comments:

Post a Comment