CommScope RUCKUS Community Forums

syamantakomer · ‎05-15-2023

Hello All,

This is an important security announcement.

A critical vulnerability was found in the web services component in earlier RUCKUS AP software. If the
affected web services component is enabled on the AP, this vulnerability allows an attacker to perform
remote code execution (RCE) and cross-site request forgery (CSRF).

A security bulletin was posted by RUCKUS Networks Security team on 8th Feb 2023. Please refer the same from the below link.

https://support.ruckuswireless.com/security_bulletins/315

You can also refer our Technical Support Response Center page from the below link. It has more information.

https://support.ruckuswireless.com/rce-csrf-ruckus-tech-support-response-center

Please be informed, all the impacted devices were already fixed long back. However, if you are running your RUCKUS APs on an impacted version, please refer our Technical Support Response Center page and upgrade your controller/APs to the recommended versions.

While you check and plan to upgrade your devices, we strongly recommend you to implement the workaround first, as this will immediately block the possibility of this security vulnerability.

Workaround: This vulnerability can be mitigated by disabling the web services (HTTP and HTTPS) on the AP. This can be done by using the AP CLI command "set https disable" and "set http disable" command.

Note: For ZoneDirector and SmartZone APs, the web services components are disabled by default, once AP joins the controller.

Some quick facts:

Only Access Points are impacted due to this security vulnerability, not the controllers.
Disabling web server on AP (HTTP and HTTPS) guaranties no further possibility of an attack.
By default, any AP joining a RUCKUS Controller disables the AP web service, so your AP will only be impacted if you are using it in standalone mode or enabled the HTTP or HTTPS manually.
Only SmartZone, Zonedirector and solo (standalone) access point software versions are impacted.
RUCKUS Cloud and Unleashed APs are not impacted.

If you got any queries, please use the comment section on this thread.

Thank you!

TheLakeHouseIT · ‎05-23-2023

The APs reply with error 503 service unavailable. Again I'm not sure if that means you could run the exploit or not.

I will disable https and update when possible either way.

Mohsin · ‎05-23-2023

@TheLakeHouseIT Since you are unable to access AP via GUI, its not vulnerable.

Please let us, if you have any further queries.

orcuncolakoglu · ‎06-07-2023

@syamantakomer

So we are adviced to upgrade as below;

SmartZone and Virtual SmartZone : Upgrade to 5.2.2MR2 or later release
ZoneDirector : Upgrade to 10.4.1.257 (GA Refresh 4) or later

While ZD1200 has firmware for 10.5.x version how come ZD11XX and ZD30XX series doesn't have?

How we can secure ZD1125, ZD1150 and ZD3050 models then?

Thanks!

syamantakomer · ‎06-27-2023

As long as AP web (http/https) is disabled, none of your APs are impacted. Please refer the workaround for the EOL devices which cannot be upgraded to the recommended version.

ms264556 · ‎06-15-2023

Your security advisory says Solo APs "114.0.0.0.5562 and earlier" are affected.

Although I can reproduce the POC on APs running ZD 10.3 & 10.4 firmware, I can't reproduce on e.g. a zf7982 running Solo 104.0.
Is it only Solo 114.x which is affected, or is it really all previous Solo versions too (in which case I'll try harder to reproduce)?

This is quite important to know, since you're not releasing security fixes for old APs.

CommScope RUCKUS Community Forums

CVE-2023-25717 - RUCKUS AP Web Vulnerability (RCE/CSRF)