CommScope RUCKUS Community Forums

syamantakomer · ‎05-15-2023

Hello All,

This is an important security announcement.

A critical vulnerability was found in the web services component in earlier RUCKUS AP software. If the
affected web services component is enabled on the AP, this vulnerability allows an attacker to perform
remote code execution (RCE) and cross-site request forgery (CSRF).

A security bulletin was posted by RUCKUS Networks Security team on 8th Feb 2023. Please refer the same from the below link.

https://support.ruckuswireless.com/security_bulletins/315

You can also refer our Technical Support Response Center page from the below link. It has more information.

https://support.ruckuswireless.com/rce-csrf-ruckus-tech-support-response-center

Please be informed, all the impacted devices were already fixed long back. However, if you are running your RUCKUS APs on an impacted version, please refer our Technical Support Response Center page and upgrade your controller/APs to the recommended versions.

While you check and plan to upgrade your devices, we strongly recommend you to implement the workaround first, as this will immediately block the possibility of this security vulnerability.

Workaround: This vulnerability can be mitigated by disabling the web services (HTTP and HTTPS) on the AP. This can be done by using the AP CLI command "set https disable" and "set http disable" command.

Note: For ZoneDirector and SmartZone APs, the web services components are disabled by default, once AP joins the controller.

Some quick facts:

Only Access Points are impacted due to this security vulnerability, not the controllers.
Disabling web server on AP (HTTP and HTTPS) guaranties no further possibility of an attack.
By default, any AP joining a RUCKUS Controller disables the AP web service, so your AP will only be impacted if you are using it in standalone mode or enabled the HTTP or HTTPS manually.
Only SmartZone, Zonedirector and solo (standalone) access point software versions are impacted.
RUCKUS Cloud and Unleashed APs are not impacted.

If you got any queries, please use the comment section on this thread.

Thank you!

Jakezxz1 · ‎05-19-2023

Is there a way to verify if our APs that are inside of vSZ have in fact gotten the HTTPS GUI turned off ? I've come into this infra long after they were installed and would like to have certainties that this feature is turned off on all AP's

Mohsin · ‎05-19-2023

@Jakezxz1 By default all the AP's connecting to vSZ will get HTTP/HTTPS disabled

You can confirm the same by logging to AP CLI (SSH) and execute the below commands,

"get http" and "get https", this will provide you the status of GUI

Also, you ca try picking any random AP and try accessing the AP using a browser.

TheLakeHouseIT · ‎05-23-2023

When I run get https on my APs I get this:
HTTPs access is enabled
But the service is off, it is turned off to save memory once AP is managed by SCG!
If you need the service, please enable again by command "set https/http enable"!
OK

does that mean it's vulnerable or not?

Mohsin · ‎05-23-2023

@TheLakeHouseIT, Since the AP HTTPs is enabled and the services are turned off. It's not vulnerable.

But, I would recommend to turn off the HTTPs service on the AP's using "set http/https disable"

Have you tried accessing the AP GUI through browser

CommScope RUCKUS Community Forums

CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)