topic Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF) in RUCKUS Self-Help

CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

syamantakomer — Fri, 02 Feb 2024 16:57:34 GMT

Hello All,

This is an important security announcement.

A critical vulnerability was found in the web services component in earlier RUCKUS AP software. If the
affected web services component is enabled on the AP, this vulnerability allows an attacker to perform
remote code execution (RCE) and cross-site request forgery (CSRF).

A security bulletin was posted by RUCKUS Networks Security team on 8th Feb 2023. Please refer the same from the below link.

https://support.ruckuswireless.com/security_bulletins/315

You can also refer our Technical Support Response Center page from the below link. It has more information.

https://support.ruckuswireless.com/rce-csrf-ruckus-tech-support-response-center

Please be informed, all the impacted devices were already fixed long back. However, if you are running your RUCKUS APs on an impacted version, please refer our Technical Support Response Center page and upgrade your controller/APs to the recommended versions.

While you check and plan to upgrade your devices, we strongly recommend you to implement the workaround first, as this will immediately block the possibility of this security vulnerability.

Workaround: This vulnerability can be mitigated by disabling the web services (HTTP and HTTPS) on the AP. This can be done by using the AP CLI command "set https disable" and "set http disable" command.

Note: For ZoneDirector and SmartZone APs, the web services components are disabled by default, once AP joins the controller.

Some quick facts:

Only Access Points are impacted due to this security vulnerability, not the controllers.
Disabling web server on AP (HTTP and HTTPS) guaranties no further possibility of an attack.
By default, any AP joining a RUCKUS Controller disables the AP web service, so your AP will only be impacted if you are using it in standalone mode or enabled the HTTP or HTTPS manually.
Only SmartZone, Zonedirector and solo (standalone) access point software versions are impacted.
RUCKUS Cloud and Unleashed APs are not impacted.

If you got any queries, please use the comment section on this thread.

Thank you!

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

Jakezxz1 — Fri, 19 May 2023 16:00:18 GMT

Is there a way to verify if our APs that are inside of vSZ have in fact gotten the HTTPS GUI turned off ? I've come into this infra long after they were installed and would like to have certainties that this feature is turned off on all AP's

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

Mohsin — Fri, 19 May 2023 20:43:06 GMT

@Jakezxz1 By default all the AP's connecting to vSZ will get HTTP/HTTPS disabled

You can confirm the same by logging to AP CLI (SSH) and execute the below commands,

"get http" and "get https", this will provide you the status of GUI

Also, you ca try picking any random AP and try accessing the AP using a browser.

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

TheLakeHouseIT — Tue, 23 May 2023 15:36:44 GMT

When I run get https on my APs I get this:
HTTPs access is enabled
But the service is off, it is turned off to save memory once AP is managed by SCG!
If you need the service, please enable again by command "set https/http enable"!
OK

does that mean it's vulnerable or not?

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

Mohsin — Tue, 23 May 2023 15:50:11 GMT

@TheLakeHouseIT, Since the AP HTTPs is enabled and the services are turned off. It's not vulnerable.

But, I would recommend to turn off the HTTPs service on the AP's using "set http/https disable"

Have you tried accessing the AP GUI through browser

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

TheLakeHouseIT — Tue, 23 May 2023 15:53:58 GMT

The APs reply with error 503 service unavailable. Again I'm not sure if that means you could run the exploit or not.

I will disable https and update when possible either way.

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

Mohsin — Tue, 23 May 2023 16:04:32 GMT

@TheLakeHouseIT Since you are unable to access AP via GUI, its not vulnerable.

Please let us, if you have any further queries.

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

orcuncolakoglu — Wed, 07 Jun 2023 10:56:57 GMT

@syamantakomer

So we are adviced to upgrade as below;

SmartZone and Virtual SmartZone : Upgrade to 5.2.2MR2 or later release
ZoneDirector : Upgrade to 10.4.1.257 (GA Refresh 4) or later

While ZD1200 has firmware for 10.5.x version how come ZD11XX and ZD30XX series doesn't have?

How we can secure ZD1125, ZD1150 and ZD3050 models then?

Thanks!

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

ms264556 — Fri, 16 Jun 2023 06:59:02 GMT

Your security advisory says Solo APs "114.0.0.0.5562 and earlier" are affected.

Although I can reproduce the POC on APs running ZD 10.3 & 10.4 firmware, I can't reproduce on e.g. a zf7982 running Solo 104.0.
Is it only Solo 114.x which is affected, or is it really all previous Solo versions too (in which case I'll try harder to reproduce)?

This is quite important to know, since you're not releasing security fixes for old APs.

Re: CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)

syamantakomer — Tue, 27 Jun 2023 18:16:21 GMT

As long as AP web (http/https) is disabled, none of your APs are impacted. Please refer the workaround for the EOL devices which cannot be upgraded to the recommended version.