topic Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities in ZoneDirector

Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

grodog-prod — Tue, 24 Dec 2019 20:36:59 GMT

The RuckusNetworks Support Portal Security page has been updated with Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities. Security Notice 20191224 is located at https://support.ruckuswireless.com/security_bulletins/299 and can be downloaded in PDF and TXT formats.

What is the issue?

A number of security vulnerabilities are found on the ZoneDirector and Unleashed product lines. Collectively, these vulnerabilities allow an attacker to perform the following actions:

Unauthenticated, remote code executions and unauthorized command line interface (CLI) and shell access
Command injections
Unauthenticated stack overflow
Unauthenticated arbitrary file writing
Server-Side Request Forgery (SSRF)

What action should I take?

Ruckus Networks is releasing the fix for these vulnerabilities through a software update. Because these are CRITICAL issues, all customers are strongly encouraged to apply the fix once available.

Further details including are available in the full text of Security Notice 20191224 at https://support.ruckuswireless.com/security_bulletins/299.

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

david_black_594 — Tue, 24 Dec 2019 23:06:22 GMT

Can the updated version be installed if the end user has controllers with expired support?

Which versions of ZD code will be patched?

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

john_d — Wed, 25 Dec 2019 00:04:13 GMT

I second this request -- this seems arguably more severe than KRACK and we got temporary entitlements to patch KRACK back then.

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

john_d — Wed, 25 Dec 2019 00:05:39 GMT

Is the attack surface isolated to having access to the management VLAN to talk to the APs / ZD instance, or for Unleashed since it can be managed over the cloud, is there a wider attack surface?

Trying to decide if the update justifies bringing my networks down over Christmas!

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

pradeep_kumar_h — Wed, 25 Dec 2019 01:56:03 GMT

Hi David & John,
Yes, Ruckus will provide temporary entitlement to allow you to upgrade ZD. Below are the versions has the fix

ZD Code base
9.10.2.0.84
9.12.3.0.136
10.0.1.0.90
10.1.2.0.275
10.2.1.0.147
10.3.1.0.21

Unleashed
200.7.10.202.94

Regards,
Pradeep

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

david_black_594 — Thu, 26 Dec 2019 00:14:20 GMT

No patch for 9.13?

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

pradeep_kumar_h — Thu, 26 Dec 2019 02:17:25 GMT

9.13.x has to Upgrade to 10.0.1 MR1 Refresh 6

RN: https://support.ruckuswireless.com/documents/3109-zonedirector-10-0-1-mr1-refresh6-release-notes

Image: https://support.ruckuswireless.com/software/2285-zd1200-10-0-1-0-90-mr1-refresh6-software-release

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

pradeep_kumar_h — Thu, 26 Dec 2019 02:19:17 GMT

Hi John,

I am not able to understand "Unleashed since it can be managed over the cloud", please reach out to Ruckus Support to discuss the impact and resolution.

Regards,
Pradeep

Re: Security Notice 20191224 ZoneDirector and Unleashed Unauthenticated Remote Code Execution and Other Vulnerabilities

john_d — Wed, 01 Jan 2020 22:08:16 GMT

Thanks Pradeep -- the recently published FAQ for Unleashed home users answered my question. Attacking a vulnerable AP requires local network access, which is at least a little bit of a silver lining. I was worried earlier that the attacker could've been anywhere on the internet if they are somehow able to use the same communication mechanism as the Unleashed mobile app to talk to a vulnerable AP over the WAN, but that does not appear to be the case.

Thank you for the quick and coordinated response to this vulnerability!