Enterprise wireless hotspots from Ruckus can be trivially crashed and their login systems bypassed, Tripwire researchers warn.
Ruckus confirmed there are flaws in its access points while playing down the seriousness of the bugs.
Tripwire followed up a 2014 study into the insecurity of Ruckus routers with a new investigation into the vendor's enterprise-focused wireless routers. Three blunders involving an authentication bypass, a denial-of-service weakness, and an information disclosure flaw were discovered during an audit of the widely used Ruckus H500 access point:
- Authentication bypass: All requests to the router's web-based user interface containing a particular string received "200 OK" responses. By creatively adding this string to other requests, it was possible to get back webpages from the user interface intended only for authenticated users.
- Denial of service: There is a particular page accessible over HTTP without authentication that, when requested over SSL, causes the management interface to become unavailable. This is a serious issue, since the product relies on HTTP when used as a hotspot, Tripwire warns.
- Information disclosure: The device's serial number is exposed by the HTTP server.
Organizations using Ruckus devices may be at risk for compromise, particularly when the access points are used to provide their customers with Wi-Fi access, according to Tripwire bod Craig Young.
Ruckus disputes these findings. The California-based vendor admits that the bugs in the web interface are real but says they are not usually accessible to the public, including hackers. The internal web server is typically tucked away out of reach, we're told:
"Multiple vulnerabilities were found in the WebGUI interface of Ruckus APs. These vulnerabilities were first reported by Tripwire and Ruckus acknowledges them. The vulnerabilities can be broadly classified into two categories: 1) CSRF exposure, 2) Unauthenticated command injection and information retrieval sometimes causing denial of service attack on AP.
"However, Ruckus would like to state that these vulnerabilities are only exploitable when AP IP & Web interface are accessible from external hosts. Most of Ruckus APs are deployed in a managed environment where there is a WLAN controller that is managing the APs. In this mode of operation the Web interface is not enabled, and in most cases even the IP address of the AP is not reachable from external sources. This prevents these vulnerabilities from getting exploited."
Tripwire contends that intruders to a Ruckus system could run man-in-the-middle attacks against users on the wireless network, opening the door to a wide spectrum of potential attacks. Ruckus contends that the possible harm is limited to crashing systems with externally facing interfaces.
"We do acknowledge that in deployments where AP IP and Web interface are accessible from external sources, these vulnerabilities can be exploited causing disruption of service," Ruckus explained.
The biz said it was "actively working to close these vulnerabilities with high priority" through patches and updates, offering various workarounds in the meantime.
More details on Tripwire's research can be found in a blog post.