Three major flaws found in Ruckus Enterprise APs

Craig Young, a researcher at Tripwire has found several major security flaws in Ruckus Enterprise APs

Unfortunately, 'enterprise' does not necessarily mean enterprise-level security

Three major security flaws have been discovered in Ruckus Enterprise Access Points.

Craig Young, a security researcher at Tripwire, carried out research after Tripwire's Vulnerability and Exposure Research team found that 74 percent of the 50 top-selling consumer routers on Amazon shipped with security vulnerabilities in 2014.

Young needed to choose a target to embark on the research. Ruckus accounted for 42 percent of the units shipped in 4Q14, thus Young proceeded with Ruckus and studied the Ruckus H500 access point in the research. He used the same methodology for finding vulnerabilities in the consumer routers.

Ruckus Enterprise Access Points were discovered to be vulnerable to the following security flaws:

·      Authentication Bypass: All requests containing a particular string received '200 OK' responses. By creatively adding this string to other requests, Young was able to obtain response data intended only for authenticated queries.

·      Denial of Service: A particular page is accessible over HTTP without authentication and, when requested over SSL, causes the management interface to become unavailable. This is a serious issue since the product relies on HTTP when used as a hot spot.

·      Information Disclosure: The device's serial number is exposed by the HTTP server. This may be useful to an attacker as part of a social engineering ploy. Serial numbers can also be used to prove ownership of a device.

Young also found that authenticated requests for a certain page would trigger excessive memory consumption, causing the HTTP server to reload and possibly disrupting other services. Because it is exploitable via GET requests, the vector lends itself to CSRF attacks through malicious image tags in HTML documents or emails.

“Enterprise-class” hardware doesn't necessarily mean enterprise quality in terms of security. Organisations that use Ruckus devices may be at risk of compromise, potentially allowing intruders into the system to become man-in-the-middle attackers against all other users of the wireless network, opening up a slew of opportunities for exploitation. Ruckus advised that only standalone APs would be affected.

Tripwire suggested several measures to protect embedded devices. Firstly, users should never log into a network device from the same browser environment they use to browse the internet. HTTP/HTTPS interfaces should be disabled wherever possible because of the risk of attacks being launched via a malicious site. Device access should be restricted to systems with a legitimate reason for access. All connections to and from network devices should be logged and unusual activity flagged. Finally, firmware should be reinstalled on a regular basis and device configuration inspected for abnormalities.
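As an added illustration, not from the article or from Tripwire, the script below applies two of these recommendations to constructed web-server log lines: it flags management-interface requests from addresses outside an assumed admin subnet, and flags GETs to management pages that a browser fetched as an image or from a foreign origin, which is the shape of the image-tag CSRF vector described earlier. The management path prefixes, admin subnet, device hostname and log format are all assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumptions (not from the article): management pages live under these
# path prefixes, admins come from this subnet, and the AP answers to this host.
MGMT_PREFIXES = ("/admin/", "/forms/")
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]
DEVICE_HOST = "ap.example.internal"

# Constructed log format: ip method path status ref=<Referer> dest=<Sec-Fetch-Dest>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "
    r"ref=(?P<ref>\S+) dest=(?P<dest>\S+)$"
)


def review_access_log(lines):
    """Return (ip, path, reason) for management requests that deserve a look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["path"].startswith(MGMT_PREFIXES):
            continue  # unparseable or not a management page
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in ADMIN_NETS):
            findings.append((m["ip"], m["path"], "outside-admin-allowlist"))
        # A management URL fetched as an image, or from a page on another
        # origin, matches the <img src=...> CSRF-over-GET pattern.
        ref_host = urlparse(m["ref"]).hostname if m["ref"] != "-" else None
        foreign_ref = ref_host is not None and ref_host != DEVICE_HOST
        if m["method"] == "GET" and (m["dest"] == "image" or foreign_ref):
            findings.append((m["ip"], m["path"], "cross-site-get"))
    return findings


# Constructed sample log lines for demonstration.
SAMPLE_LOG = """\
10.10.0.5 GET /admin/status 200 ref=https://ap.example.internal/admin/ dest=document
203.0.113.7 GET /admin/status 200 ref=- dest=document
10.10.0.5 GET /forms/reboot 200 ref=https://evil.example/page.html dest=image
10.10.0.9 GET /index.html 200 ref=- dest=document
""".splitlines()

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(*finding)
```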

“I find critical vulnerabilities in enterprise software on a regular basis so it was not entirely surprising to me that I found flaws in the Ruckus equipment. It was however a bit surprising to see just how similar the design of their routers is to many of the consumer devices and alarming to find that they did not remediate some basic attacks, which are well documented on consumer routers. From my perspective the routers seem a lot like consumer devices just with better specs,” said Craig Young, security researcher at Tripwire in commentary to SCMagazineUK.com.

“I suspect that there are a number of other enterprise access points and routers with similar flaws within the HTTP interfaces. I would advise businesses to disable unnecessary management access to these products, thereby reducing their attack surface. With Ruckus, for example, it is advisable to shut down the HTTPS server and rely only on SSH services. Access to management services should also be restricted to specific IP addresses on isolated networks,” Young concluded.