Significant security flaws have been discovered in Ruckus routers, according to new research from Tripwire cybersecurity researcher Craig Young. He describes the issues as follows:
- Authentication Bypass: All requests containing a particular string received ‘200 OK’ responses. By creatively adding this string to other requests, I was able to get response data intended only for authenticated queries. This is a behavior I have observed in routers from NETGEAR, TRENDnet and Asus.
- Denial of Service: There is a particular page accessible over HTTP without authentication that, when requested over SSL, causes the management interface to become unavailable. This is a serious issue as the product relies on HTTP when used as a hot spot.
- Information Disclosure: The device’s serial number is exposed by the HTTP server. It is unclear whether this has any direct security impact, but it may be useful to an attacker as part of a social engineering ploy. I have also observed other products where the serial number is used as a means to prove ownership of a device.
Craig also found that authenticated requests for a certain page would trigger excessive memory consumption, causing the HTTP server to reload and possibly disrupting other services. This vector is exploitable via GET requests and therefore lends itself to CSRF attacks through malicious image tags in HTML documents or emails.
Additional details can be found here: http://www.tripwire.com/state-of-security/vulnerability-management/ruckus-vulnerability/