CommScope Ruckus Unleashed and ZoneDirector Path Traversal Vulnerability Allowing Remote Code Execution

A path traversal vulnerability has been identified in CommScope Ruckus Unleashed versions prior to 200.14.6.1.203 and in Ruckus ZoneDirector. This vulnerability allows remote, unauthenticated attackers to execute arbitrary Embedded JavaScript (EJS) templates on the server by exploiting the web interface. The issue arises from improper validation of file paths, which enables attackers to manipulate template locations and execute malicious code outside of authorized directories. An attacker must be able to upload a template, such as through FTP, to exploit this vulnerability and escalate privileges on the affected system.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system with elevated privileges.

Reproduction

The vulnerability can be reproduced by uploading a malicious EJS template via FTP to a writable directory accessible by the web server. Once the template is uploaded, it can be executed by sending a request that traverses the file path restrictions, such as by using a crafted DHCP request that exploits a format string vulnerability to inject commands that read the uploaded template and execute it on the server.

Remediation

Users are advised to update to Ruckus Unleashed versions 200.18.7.1.323 or later and Ruckus ZoneDirector versions 10.5.1.0.282 or later. After updating, it is recommended to change all passwords, revoke existing management interface certificates, and regenerate the private keys.