CommScope Ruckus Unleashed Password Disclosure Vulnerability via Management Endpoint

A vulnerability exists in CommScope Ruckus Unleashed versions prior to 200.15.6.12.304, allowing an authenticated request to the management endpoint '/admin/_cmdstat.jsp' to disclose the administrator password in a trivially reversible obfuscated form. This obfuscation method is retained in configurations prior to 200.18.7.1.302, enabling anyone who accesses the system configuration to recover the plaintext credentials.

Impact

Exploitation of this vulnerability leads to unauthorized disclosure of administrator credentials, allowing for administrative access to the Ruckus Unleashed management interface.

Reproduction

To reproduce this vulnerability, send an authenticated request to the '/admin/_cmdstat.jsp' endpoint with an 'ajax-request' payload that includes the 'admin' component. The response will contain the admin username and the password obfuscated in a reversible manner. After applying the patch in version '200.18.7.1.323' or later, the password is no longer available through this endpoint, but the obfuscation method is still present in the system configuration file until version '200.18.7.1.302'.

Remediation

Users are advised to update to Ruckus Unleashed versions '200.18.7.1.323' or later, and to change all passwords and revoke existing management interface certificates, regenerating the private key after applying the update.