Tripwire research finds Ruckus routers are susceptible to intruders
In 2014, research from Tripwire found that almost three quarters of the 50 top-selling routers on Amazon.com contained security vulnerabilities, including 20 different models where even the latest firmware was found to be exploitable.
The flaws were discovered by Craig Young, a security researcher at Tripwire, who said companies using Ruckus routers could also be unknowingly at risk to compromise as intruders could stage man-in-the-middle attacks.
But now, new research from Tripwire has explored whether security vulnerabilities in routers are confined to the consumer market, or actually affect the enterprise space too.
“My suspicion was that feature wars and low profit margins could be contributing to the epidemic of insecure routers,” said Young.
“In an attempt to determine whether this issue was limited to the consumer market, I decided it would be necessary to obtain and evaluate a wireless router designed for enterprise networks.”
Young started his research by purchasing a cheaper, second-hand Ruckus ZoneFlex router, running the latest available firmware as of October 27 2015.
“Within a few minutes of setting up the device, I found a command injection which is exploitable through a forged request due to a general lack of CSRF tokens,” said Young.
“As with many of the consumer routers I had tested, the ZoneFlex offers administrators an option to perform diagnostics including a simple ping test, with apparently no input sanitization. In every case where I’ve found this flaw on a consumer router, it has been pretty devastating.”
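The ping diagnostic Young describes has the classic shape of an OS command injection: a web form field is pasted into a shell command line, and a forged cross-site request can submit that field because nothing ties the request to the administrator's session. The following is an added example written for this article, not Ruckus firmware or Tripwire's code; the handler, form layout and function names are constructed. It shows the unsafe concatenation beside a hardened handler that validates the target against a strict hostname/IP grammar, builds an argv list so ping is never run through a shell, and rejects requests that lack a matching per-session CSRF token.

```python
import hmac
import ipaddress
import re
import secrets
import subprocess
from typing import Dict, List, Tuple, Union

# RFC 1123 hostname: dot-separated labels of letters, digits and '-', no label
# starting or ending with '-', 253 chars max. Nothing a shell treats specially
# (';', '|', '`', '$', space, quotes) can match this grammar.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or an RFC 1123 hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def unsafe_ping_command(target: str) -> str:
    """The anti-pattern behind the flaw described above: the raw form field is
    concatenated into a command string that would be handed to a shell, so any
    shell metacharacter in the field changes what gets executed. Kept here only
    for contrast with build_ping_argv; it is never executed in this example."""
    return "ping -c 4 " + target


def build_ping_argv(target: str, count: int = 4) -> List[str]:
    """Hardened form: validate the field, then build an argv list for
    subprocess with shell=False. The target can only ever be one argument to
    ping, whatever characters it contains, and the grammar check above means
    it cannot start with '-' and be parsed as an option."""
    if not is_valid_target(target):
        raise ValueError("ping target must be an IP address or hostname")
    if not 1 <= count <= 10:
        raise ValueError("count must be between 1 and 10")
    return ["ping", "-c", str(count), target]


def run_ping(argv: List[str]) -> str:
    """Execute the validated argv without a shell (not called in the tests)."""
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)
    return result.stdout


def new_csrf_token() -> str:
    """Per-session token, generated at login and stored server-side."""
    return secrets.token_urlsafe(32)


def verify_csrf(session_token: str, submitted_token: str) -> bool:
    """Constant-time comparison of the session's token with the one carried in
    the form. A request forged from another origin cannot read the session's
    copy, so it cannot supply a matching value."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def handle_ping_request(session_token: str, form: Dict[str, str]) -> Tuple[int, Union[str, List[str]]]:
    """Constructed diagnostics-page handler: CSRF check first, then input
    validation, then (in a real handler) run_ping on the returned argv."""
    if not verify_csrf(session_token, form.get("csrf_token", "")):
        return (403, "missing or invalid CSRF token")
    try:
        argv = build_ping_argv(form.get("host", ""))
    except ValueError as exc:
        return (400, str(exc))
    return (200, argv)


if __name__ == "__main__":
    token = new_csrf_token()
    print(handle_ping_request(token, {"csrf_token": token, "host": "192.0.2.1"}))
    print(handle_ping_request(token, {"csrf_token": token, "host": "192.0.2.1; id"}))
    print(handle_ping_request(token, {"host": "192.0.2.1"}))
```

The two controls are independent: the argv construction closes the injection even for an authenticated administrator who pastes something odd, and the token check stops a third-party page from submitting the form in the administrator's browser at all. Neither substitutes for keeping the management interface off untrusted networks, which is the mitigation Ruckus itself points to later in this article.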
Young admitted that the ZoneFlex model was at its end of life, and he naturally expected that the flaws would be fixed in later products. He was wrong.
“My research picked up again 12/3/2015 when I set up a Ruckus H500 access point with the latest firmware (22.214.171.124.432); I was shocked to find that the ping injection still worked! After obtaining a shell on this fully patched access point, I proceeded by creating a simple list of files contained in the web server’s document root,” he continued.
“This is a trivial process possible from either the shell access or through firmware extraction and can be supplemented by locating possible URIs embedded within the server’s binaries. In this particular case, I limited myself just to the files visible in the firmware update. I then fed this list into a script I have for crawling an HTTP server and recording which files are accessible without authentication. As was commonly the case with consumer devices, this rather simple process exposed a few flaws.”
Those flaws included an authentication bypass, a denial of service flaw, and an information disclosure in which the device’s serial number is exposed by the HTTP server.
“It is unclear whether this has any direct security impact but it may be useful to an attacker as part of a social engineering ploy. I have also observed other products where the serial number is used as a means to prove ownership of a device,” said Young.
He subsequently found more vulnerabilities in Ruckus access points, and said he reached out to Ruckus, at which point the company became unresponsive.
“Unlike with some vendors where it takes guess work to figure out an appropriate security contact, Ruckus has a page listing a PGP key and email address for reporting vulnerabilities. While this is normally a good sign of a responsive organization, repeated attempts to email them my report resulted in bounces,” Young explained.
“In early January 2016, about a month after I first reached out to Ruckus, I emailed several other posted addresses stating my problem reaching the security contact. A webmaster contact responded letting me know that he would get the account setup but after resending the report and asking for receipt confirmation, I heard nothing.”
While the vulnerabilities found in Ruckus hardware were similar to those found in routers from other vendors, such as Netgear and ASUS, Young said that his report to Ruckus appears to have been completely ignored.
TechWeekEurope contacted Ruckus, which this week issued a security advisory in light of Tripwire’s findings.
“These vulnerabilities were first reported by Tripwire and Ruckus acknowledges them,” said the company.
“However, Ruckus would like to state that these vulnerabilities are only exploitable when AP IP & Web interface are accessible from external hosts. Most of Ruckus APs (Access points) are deployed in [a] managed environment where there is [a] WLAN controller that is managing the APs.
“Ruckus will be actively working to close these vulnerabilities with high priority.”