CommScope Ruckus Unleashed and ZoneDirector Command Injection Vulnerability Leading to Remote Code Execution

A command injection vulnerability has been identified in CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139, as well as in Ruckus ZoneDirector versions prior to 10.5.1.0.279. The vulnerability arises from a hidden debug script, '.ap_debug.sh', which is invoked from the restricted command-line interface (CLI) without proper input sanitization. This flaw allows authenticated attackers to execute arbitrary commands as root on the affected controller or specified target.

Impact

Exploitation of this vulnerability allows for unauthorized command execution with root privileges on the affected system.

Reproduction

The vulnerability can be reproduced by accessing the restricted CLI on a Ruckus Unleashed controller or a ZoneDirector controller. Once in the restricted CLI, the hidden debug script '.ap_debug.sh' can be executed with a crafted payload that injects commands into the execution process. The injected commands are then executed as root, providing full administrative access to the device.

Remediation

Users are advised to update to Ruckus Unleashed versions 200.18.7.1.323 or later, and Ruckus ZoneDirector versions 10.5.1.0.282 or later. After updating, it is recommended to change all passwords, revoke existing management interface certificates, and regenerate the private key.