topic Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack in RUCKUS Cloud

SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

li_xiang — Mon, 05 Jul 2021 11:08:22 GMT

I am a security researcher from Baidu，Recently, we have detected a large number of hacking incidents from ddos attacks initiated on the UDP9001 port on the SmartZone-100 device. Great harm!!!

Refer to my screenshot for details.my phone number is 18903860673

My email address is 18903860673@163.com， I come from Baidu in China，Hope you guys get back to me as soon as possible，

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

Anonymous — Mon, 05 Jul 2021 11:18:19 GMT

Hello li_xiang,

We use port 9001 for Elastic Search DB update and also sync with member node in the vSZ/SZ Cluster. Please feel free to report a case with us for further investigation. Also make sure to mention the current firmware running on the SZ.

Regards,

Parikshith

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

li_xiang — Mon, 05 Jul 2021 11:39:54 GMT

@parikshith_nagaraj_aa0004 Can you tell me the business situation? What is the relationship between SmartZone-100 and ES, and why will ES services be deployed on SmartZone-100? At present, these SmartZone-100 devices still have problems. Port 9001 can accept any UDP request to respond to very large data packets, which will be used by hackers.

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

Anonymous — Mon, 05 Jul 2021 12:06:51 GMT

Hi @li_xiang,

As per the design, ES helps fetch data from Cassandra DB and present it to Web GUI. Also maintains the DB between different SZ Nodes in the cluster.

As suggested please feel free to report a case for further investigation.

Regards,

Parikshith

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

li_xiang — Mon, 05 Jul 2021 12:15:39 GMT

@parikshith_nagaraj_aa0004 Is the ES deployed on SZ an ES service or a plug-in

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

Anonymous — Mon, 05 Jul 2021 12:19:20 GMT

@li_xiang, Yes, we have ES Service deployed on SZ. If you run "Show service" from CLI, should be able to see the status.

Regards,

Parikshith

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

syamantakomer — Mon, 05 Jul 2021 21:22:12 GMT

Hi Li,

Our security team has been notified to review this.

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

li_xiang — Tue, 06 Jul 2021 07:28:39 GMT

@parikshith_nagaraj_aa0004 udp9001 is filebeat plugin？？？

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

li_xiang — Tue, 06 Jul 2021 07:30:21 GMT

@parikshith_nagaraj_aa0004 could you tell me the Software version of filebeat？

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

li_xiang — Tue, 06 Jul 2021 12:48:57 GMT

@syamantak_omer could you tell me 9001 is filebeat service???

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

grodog-prod — Tue, 06 Jul 2021 18:47:11 GMT

@li_xiang and @parikshith_nagaraj_aa0004 and @syamantak_omer : you're still able to read and access this thread after we shifted it private, correct?

Allan.

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

li_xiang — Wed, 07 Jul 2021 01:40:35 GMT

@allan_grohe Yes, we can access ip and port through UDP protocol and receive excessive response packets. Can you tell me what service is opened on port 9001? It should not be es, but filebeat? What is the specific service?

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

grodog-prod — Wed, 07 Jul 2021 15:28:12 GMT

@syamantak_omer and @parikshith_nagaraj_aa0004 can help you better then me on that front, @li_xiang---I'm not technical in our products like they are!

Allan.

Re: SmartZone-100 product has security vulnerabilities.Hackers can use udp9001 port to launch ddos reflection amplification attack

syamantakomer — Wed, 21 Jul 2021 16:40:03 GMT

Hi All,

This vulnerabilities has been fixed by our engineering team.

Refer the security advisory from the below link.

https://support.ruckuswireless.com/security_bulletins/312