Users urged to patch Ruckus vRIoT server software now

Two vulnerabilities in Ruckus IoT Controller can be chained to achieve RCE

Two security vulnerabilities in a smart device controller could be chained to achieve unauthenticated remote code execution (RCE).

Ruckus IoT Controller is a service and management component that aids the integration of Internet of Things (IoT) devices.

Researcher Juan Manuel Fernández, from hacking team Adepts of 0xCC, revealed how he discovered two separate flaws in the Ruckus vRIoT server software that, when chained together, resulted in complete takeover of the suite.

“Also, if deployed in an enterprise environment, this component could be used to pivot from the IoT world to other internal networks,” Fernández told The Daily Swig.


The first vulnerability (CVE-2020-26878) arose due to improper input sanitization when calling the /service/v1/createUser endpoint, leading to command injection.

The researcher noted that this method checks for a valid token, so an attacker would still need to be authenticated to exploit it.

Causing a Ruckus

In the quest to circumvent this check and gain RCE as an unauthenticated user, the researcher discovered an authentication bypass (CVE-2020-26879) in the form of a hardcoded API backdoor.

An unauthenticated user can interact with the service API simply by supplying a hardcoded backdoor value in the Authorization header.

“Setting the Authorization header to OlDkR+oocZg= is enough to bypass the token check and to interact with the API,” he explained.

An unauthenticated attacker can therefore chain the backdoor with the command injection in createUser to gain root shell access on the controller.
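For defenders, the two indicators the article gives (the fixed Authorization value and the /service/v1/createUser endpoint) are enough to build a simple retrospective check over proxy or access logs. The following is an added example, not code from the researcher or from Ruckus: it assumes a JSON-lines request log with method, path, headers and body fields (a constructed format; Ruckus does not document one here), and the request bodies and field names in the sample are constructed. The metacharacter check on createUser bodies is a heuristic, since the article does not name the injectable parameter.

```python
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

# Hardcoded API backdoor value reported for CVE-2020-26879 (quoted in the article).
BACKDOOR_TOKEN = "OlDkR+oocZg="
# Endpoint affected by the command injection, CVE-2020-26878 (named in the article).
INJECTION_ENDPOINT = "/service/v1/createUser"
# Shell metacharacters that should never appear in a user-creation request.
# Heuristic: the vulnerable parameter name is not given in the article.
SHELL_META = re.compile(r"[;&|`]|\$\(")


@dataclass(frozen=True)
class Finding:
    line_no: int
    cve: str
    detail: str


def analyse_request(line_no: int, record: dict) -> List[Finding]:
    """Return findings for a single parsed request record."""
    findings: List[Finding] = []

    # Header names are case-insensitive; normalise before lookup.
    headers = {k.lower(): v for k, v in (record.get("headers") or {}).items()}
    auth = headers.get("authorization", "")
    # Match the bare value as quoted, or the same value after a scheme prefix.
    if BACKDOOR_TOKEN in auth.split():
        findings.append(Finding(line_no, "CVE-2020-26879",
                                "hardcoded backdoor value in Authorization header"))

    # Strip any query string before comparing the path.
    path = (record.get("path") or "").split("?", 1)[0]
    body = record.get("body") or ""
    if path == INJECTION_ENDPOINT and SHELL_META.search(body):
        findings.append(Finding(line_no, "CVE-2020-26878",
                                "shell metacharacters in createUser request body"))
    return findings


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Scan JSON-lines request records; unparseable lines are skipped, not fatal."""
    findings: List[Finding] = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue
        findings.extend(analyse_request(n, record))
    return findings


# Constructed sample log: one benign authenticated request, one bare use of the
# backdoor, one chained backdoor + injection attempt, one benign createUser call,
# and a non-JSON line to exercise the skip path.
SAMPLE_RECORDS = [
    {"method": "GET", "path": "/service/v1/devices",
     "headers": {"Authorization": "Bearer c2Vzc2lvbi10b2tlbi1leGFtcGxl"}, "body": ""},
    {"method": "GET", "path": "/service/v1/devices",
     "headers": {"Authorization": "OlDkR+oocZg="}, "body": ""},
    {"method": "POST", "path": "/service/v1/createUser",
     "headers": {"authorization": "OlDkR+oocZg=", "Content-Type": "application/json"},
     "body": json.dumps({"username": "alice;id"})},           # field name is assumed
    {"method": "POST", "path": "/service/v1/createUser",
     "headers": {"Authorization": "Bearer c2Vzc2lvbi10b2tlbi1leGFtcGxl"},
     "body": json.dumps({"username": "bob", "role": "viewer"})},  # field names assumed
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS] + ["not a json record"]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.cve} - {f.detail}")
```

Run against a real export, the Authorization check alone is high-confidence: there is no legitimate reason for that value to appear in traffic to the controller, so any hit is worth an incident ticket. The createUser body check will need tuning to the actual request schema once the patched build's expected inputs are known.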

Fernández told The Daily Swig that finding the vulnerabilities was simple. He said: “The vulnerabilities were really easy to spot, these are just regular low-hanging fruits. Having access to the source code made it trivial to find the remote command execution and the API backdoor.”

Coordinated disclosure

The Adepts researchers reported the bugs to Ruckus in July and agreed on a 90-day public disclosure deadline.

“The reporting process was pretty smooth. Since the very first moment, Ruckus’ security team acknowledged the issues and kept us informed the whole time,” Fernández said.

Users of the Ruckus vRIoT server software are urged to update to the latest patched version.
