Users urged to patch Ruckus vRIoT server software now
Two security vulnerabilities in a smart device controller could be chained to achieve unauthenticated remote code execution (RCE).
Ruckus IoT Controller is a service and management component that aids the integration of Internet of Things (IoT) devices.
Researcher Juan Manuel Fernández, from hacking team Adepts of 0xCC, revealed how he discovered two separate flaws in the Ruckus vRIoT server software that, when chained together, resulted in complete takeover of the suite.
“Also, if deployed in an enterprise environment, this component could be used to pivot from the IoT world to other internal networks,” Fernández told The Daily Swig.
The first vulnerability (CVE-2020-26878) arose due to improper input sanitization when calling the /service/v1/createUser endpoint, leading to command injection.
The researcher noted that this method checks for a valid token, so an attacker would still need to be authenticated to exploit it.
Causing a Ruckus
An unauthenticated user can interact with the service API by using a backdoor value as the Authorization header.
“Setting the Authorization header to OlDkR+oocZg= is enough to bypass the token check and to interact with the API,” he explained.
An attacker can combine the backdoor with the remote command injection in order to gain root shell access.
Fernández told The Daily Swig that finding the vulnerabilities was simple. He said: “The vulnerabilities were really easy to spot, these are just regular low-hanging fruits. Having access to the source code made it trivial to find the remote command execution and the API backdoor.”
The Adepts researchers reported the bugs to Ruckus in July and agreed on a 90-day public disclosure deadline.
“The reporting process was pretty smooth. Since the very first moment, Ruckus’ security team acknowledged the issues and kept us informed the whole time,” Fernández said.
Users of the Ruckus vRIoT server software are urged to update to the latest patched version.