Gal Zror, a security researcher, discovered three critical RCE (Remote Code Execution) vulnerabilities in Ruckus Wireless routers that could allow malicious actors to bypass security layers and take control of the devices. Ruckus Networks is a provider of wired and wireless networking equipment and software for enterprises.
According to the researcher, the vulnerabilities allow hackers to gain root access to the routers.
The researcher stated that he examined the firmware of 33 different access points and determined that all of them were vulnerable to RCE.
Presenting his findings at the annual Chaos Communication Congress conference, Gal Zror said, “Exploitation used various vulnerabilities such as information leak, authentication bypass, command injection, path traversal, stack overflow, and arbitrary file read/write.”
The demonstration includes:
- Overviews of Ruckus Wireless Routers equipment and their attack surfaces. Explaining the firmware analysis and emulation process using our dockerized QEMU full system framework.
- Demonstration of the first RCE and its specifics. Describing the webserver logic using the Ghidra decompiler and its scripting environment.
- Demonstrating the second RCE using stack overflow vulnerability.
- Determining the third RCE by using a vulnerability chaining technique.
Multiple router vulnerabilities have been reported in recent times. Cisco, the networking hardware company, recently disclosed the existence of critical vulnerabilities in its business routers.
According to an official statement, the Cisco Small Business Routers exhibited numerous security issues. Specifically, three major security bugs, tracked as CSCvq34465, CSCvq34469, and CSCvq34472, were discovered in the firmware of the Cisco RV320 and RV325 Dual Gigabit WAN VPN Routers.
The affected routers had issues such as static certificates and keys, hardcoded password hashes, and multiple vulnerabilities in third-party software (TPS) components. If exploited, the vulnerabilities allow anyone with access to the base operating system to easily gain root access on the target device, according to the statement.