
SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SSD Advisory – Ruckus IoT vRIoT Server Vulnerabilities

Vulnerability Summary

The Ruckus IoT Suite is a collection of network hardware and software infrastructure that enables multi-standard Internet of Things devices to access the network. The IoT Controller, part of the IoT Suite, is a virtual controller that performs connectivity, device and security management for non-Wi-Fi devices.

Many of the IoT Controller's sensitive functions require a form of authentication. However, many functions ignore this requirement and respond without asking the user to authenticate first. This allows unauthorized users to issue sensitive commands to the product, which can result in security breaches.

CVE

CVE-2020-8005

Credit

An independent security researcher has reported this vulnerability to the SSD Secure Disclosure program.

Affected Systems

Ruckus IoT vRIoT Version 1.4

Vendor Response

Ruckus has fixed the vulnerability in vRIoT Server version 1.5.0.0.34. For more information, see the Ruckus Software Release.

Vulnerability Details

There are multiple unprotected functions in the Controller portal of the Ruckus IoT server. Many functions, such as changing the admin password, are protected by authentication and return a 401 Unauthorized when called without an authentication header or cookie proving that the caller is an authorized user of the system.

But many other functions aren't protected, and a remote unauthenticated user can use them to gain privileged access, disable privileged processes or access sensitive data. Many exploitable bugs were found, which include:

  1. Remote pre-auth configuration manipulation
  2. Full access to backups, including restoration, retrieval and deletion of backups
  3. Downgrading and upgrading firmware versions
  4. Control of system services
  5. Remote factory reset of the server

There are 3 other unprotected functions whose security impact is unclear. They were not investigated further, but are nevertheless included.

Reproduction

Remote Configuration Change

The service located at /service/init is responsible for configuration management. When it receives an HTTP PATCH request, the supplied JSON-formatted configuration is interpreted and saved. This allows the configuration of important settings such as DNS servers.

The change takes effect only after the device reboots its services, which should happen automatically as part of its routine.


Manipulation of Arbitrary Backups

The backup manipulation service, which is located at /service/v1/db, allows for three operations: loading, downloading and deletion of backup files.

Loading backups:

When an HTTP POST request is sent to /service/v1/db/restore, the server restores the backup file named in the request body. This name can either be known beforehand or brute-forced, as the filename follows a specific pattern.

The device will reboot to restore the arbitrarily chosen backup.

Downloading backups:

Sending an HTTP GET to /service/v1/db/backup with filename as a parameter returns the requested backup file. This name can either be known beforehand or brute-forced easily.

Deleting backups:

Sending an HTTP DELETE request to /service/v1/db/backup deletes backup files. The filename of the backup is supplied as a parameter.


Firmware Version Manipulation

The service located at /service/upgrade/flow allows changing the firmware of the device. This allows downgrade attacks, where a potential attacker may change the firmware to a vulnerable one.

The device will reboot if the supplied firmware version exists.


Service Manipulation

The service located at /module/ allows for three operations: stop, start and restart. The operation is appended to the URL, and the name of the process is specified using the parameter. The name of the process can be retrieved through a terminal on a machine running the operating system, such as a virtual machine.


Remote Factory Reset

The service running at /reset enables issuing a factory reset of the machine. This deletes all configurations and information stored on the machine. This functionality enables an attacker to cause a Denial of Service.
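
For defenders checking whether the endpoints listed under Reproduction were reached before upgrading, here is an added example (not part of the original advisory and not Ruckus code) that scans web access logs for those requests. It assumes a proxy in front of the controller writes "combined"-format logs and that admin_nets names the management networks; the log layout, the admin network and the sample lines are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# (method, path, label) from the advisory; None = method not stated there, match any.
SENSITIVE = [
    ("PATCH", "/service/init", "configuration change"),
    ("POST", "/service/v1/db/restore", "backup restore"),
    ("GET", "/service/v1/db/backup", "backup download"),
    ("DELETE", "/service/v1/db/backup", "backup deletion"),
    (None, "/service/upgrade/flow", "firmware change"),
    (None, "/module", "service control"),
    (None, "/reset", "factory reset"),
]
# Assumption: "combined" access-log layout written by a proxy in front of the controller.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(method, target):
    """Return the advisory label for a request, or None if it is not a listed endpoint."""
    path = target.split("?", 1)[0]
    for want, base, label in SENSITIVE:
        if want in (None, method) and (path == base or path.startswith(base + "/")):
            return label
    return None

def review(lines, admin_nets):
    """List requests to the listed endpoints that came from outside admin_nets."""
    nets = [ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, method, target, status = m[1], m[2], m[3], int(m[4])
        label = classify(method, target)
        if label is None or any(ip_address(src) in n for n in nets):
            continue
        # Below 400 the server acted on the call; 401 is what a protected function returns.
        outcome = "served" if status < 400 else "rejected"
        findings.append((src, method, label, status, outcome))
    return findings

# Constructed sample lines (documentation addresses, made-up file name), not from the page.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "PATCH /service/init HTTP/1.1" 200 52 "-" "-"',
    '10.20.0.5 - admin [01/Jan/2020:10:01:00 +0000] "GET /service/v1/db/backup?filename=example.bak HTTP/1.1" 200 1048576 "-" "-"',
    '203.0.113.7 - - [01/Jan/2020:10:02:00 +0000] "DELETE /service/v1/db/backup?filename=example.bak HTTP/1.1" 401 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2020:10:03:00 +0000] "POST /reset HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2020:10:04:00 +0000] "GET /resettings HTTP/1.1" 200 10 "-" "-"',
]
```

On a vRIoT 1.4 system, any "served" finding from an address outside the management networks is worth treating as a possible unauthenticated change and checking against the device's current configuration, backups and firmware version.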


Additional Bugs (unknown impacts)

  • Upload new images
  • Upload patches
  • Diagnostic data (the "generate diagnostic data" button is protected, so the data must already have been generated by an admin)