[<prev] [next>] [day] [month] [year] [list]
Message-ID: <51A4F881.20701@ruckuswireless.com>
Date: Tue, 28 May 2013 11:33:37 -0700
From: Ruckus Product Security Team <security@...kuswireless.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: RUCKUS ADVISORY ID 031813-1: Unauthenticated TCP tunneling on Ruckus
devices via SSH server process
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
RUCKUS ADVISORY ID 031813-1
Customer release date: March 25, 2013
Public release date: May 27, 2013
TITLE
Unauthenticated TCP tunneling on Ruckus devices via SSH server process
SUMMARY
An user authentication bypass vulnerability has been discovered during
standard internal bug reporting procedures in some of the Ruckus
devices. This vulnerability may permit an unauthenticated malicious
user with network access to port 22 to tunnel random TCP traffic to
other hosts on the network via Ruckus devices.
AFFECTED SOFTWARE VERSIONS AND DEVICES
Device Affected software branches
- ------------------------- --------------------------
ZoneDirector Controllers 9.2.x, 9.3.x, 9.4.x, 9.5.x
ZoneFlex Access Points 9.2.x, 9.3.x, 9.4.x, 9.5.x, 1.x.x
SmartCell Access Points 1.x.x
Smart Cell Gateway NOT AFFECTED
Any products not mentioned in the table above are not affected
DETAILS
Ruckus allows for SSH connectivity to its devices for debuggability
and maintenance reasons. It was discovered that a malicious user could
abuse the TCP tunneling feature of the SSH daemon on Ruckus devices to
proxy random TCP streams through the Ruckus devices. The user does not
have to be authenticated to the Ruckus device for requesting and
establishing such a tunnel. Once tunnel is established, the user's TCP
stream would be carried over SSH to the Ruckus device, which would
forward the traffic to an IP and port of the user's choosing.
IMPACT
An unauthenticated malicious user may be able to establish a SSH
forwarding tunnel to a Ruckus device and use this tunnel to forward
random TCP streams to other hosts in connectivity with the Ruckus
device. SSH daemon is enabled by default on Ruckus devices.
CVSS v2 BASE METRIC SCORE: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CHECK IF YOU ARE VULNERABLE
- Malicious user requires network access to port 22 on the target
Ruckus device to carry out this attack.
- Smart Cell Gateway is NOT affected by this issue.
WORKAROUNDS
Ruckus recommends that all customers apply the appropriate patch(es)
as soon as practical. However, in the event that a patch cannot
immediately be applied, the following steps will help to mitigate the
risk:
- Do not expose management interfaces of Ruckus devices (including
SSH access) to untrusted networks such as the Internet.
- Use a firewall to limit SSH traffic to/from Ruckus devices to
trusted hosts.
- If limiting SSH access is not possible, an extreme workaround is to
disable SSH access to the Ruckus device via a firewall in the path or
via the HTTPS Web Interface of the device itself.
SOLUTION
Ruckus recommends that all customers apply the appropriate patch(es)
as soon as practical.
The following patches have the fix (any later patches will also have
the fix):
Branch Software Patch
- --------- ------------------
9.2.x ZF7731_9.2.0.0.168
9.3.x 9.3.4.0.17
9.4.x 9.4.3.0.16
9.5.x 9.5.1.0.50
1.x.x 1.1.1
OBTAINING FIXED FIRMWARE
Ruckus customers can obtain the fixed firmware from the support website at
https://support.ruckuswireless.com/
Ruckus Support can be contacted as follows:
1-855-RUCKUS1 (1-855-782-5871) (United States)
e-mail: support at ruckuswireless.com
The full contact list is at:
https://support.ruckuswireless.com/contact-us
PUBLIC ANNOUNCEMENTS
This security advisory is strictly confidential and will be made
available for public consumption in approximately 60 days on 27th May
2013 at the following source
Ruckus Website
http://www.ruckuswireless.com/security
SecurityFocus Bugtraq
http://www.securityfocus.com/archive/1
Future updates of this advisory, if any, will be placed on Ruckus's
website, but may or may not be actively announced on mailing lists.
REVISION HISTORY
Revision 1.0 / 25th March 2013 / Initial release
RUCKUS WIRELESS SECURITY PROCEDURES
Complete information on reporting security vulnerabilities in Ruckus
Wireless products, obtaining assistance with security incidents is
available at
http://www.ruckuswireless.com/security
For reporting new security issues, email can be sent to
security(at)ruckuswireless.com
For sensitive information we encourage the use of PGP encryption. Our
public keys can be found at http://www.ruckuswireless.com/security
STATUS OF THIS NOTICE: Final
Although Ruckus cannot guarantee the accuracy of all statements
in this advisory, all of the facts have been checked to the best of our
ability. Ruckus does not anticipate issuing updated versions of
this advisory unless there is some material change in the facts. Should
there be a significant change in the facts, Ruckus may update this
advisory.
(c) Copyright 2013 by Ruckus Wireless
This advisory may be redistributed freely after the public release
date given at
the top of the text, provided that redistributed copies are complete and
unmodified, including all date and version information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJRpPiBAAoJEFH6g5RLqzh1pz8IAIF2ivet9IlUWxaY/QDkUpR6
8YmmEW+1pC0oKNxrem3ApvnVc3VZlqvZ5YO2Fc5i1U2G6zVpjRzbxOKSkCuGLpY+
xDS066Ey0rLyY51E/v4m1lUgcKe/+7KS+xtJ55BrlS/Hv6P8mg6f8Of89e0rUcOY
2EJyV3sXtwVINMrkY/U0zDgBMLIoEbajczaXfSpJSrDNBlXigMD/1HniZxqGPRna
3NiLbMuz9WCD6jug8NDDG2HBbQ8H07B4YREJnl7o65qsT1uH0sz5NVJyh2YVnIIx
zMF+L1czzfTl2aE8kpQcFbC3a0nPeUeuOkCghsk8QwGGQVx1xAGrtp8QGomjaYU=
=Qscm
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists