CommScope Ruckus Unleashed
cpe:2.3:o:ruckuswireless:unleashed:*:*:*:*:*:*:*
- < 200.15.6.212.14
- < 200.17.7.0.139
This vulnerability is being actively exploited in the wild.
A command injection vulnerability has been identified in CommScope Ruckus Unleashed and ZoneDirector management platforms. This vulnerability exists in versions prior to Unleashed 200.15.6.212.14 and 200.17.7.0.139, as well as ZoneDirector 10.5.1.0.282. The issue arises in the authenticated diagnostics API endpoint '/admin/_cmdstat.jsp', where attacker-controlled input is inadequately validated before being passed to the shell. This flaw enables remote attackers to execute arbitrary commands as root by specifying the MAC address of a targeted device.
Exploitation of this vulnerability leads to unauthorized remote code execution on the affected device, with the executed commands running with root privileges.
The vulnerability can be reproduced by first bypassing authentication and then exploiting the command injection flaw. After gaining access to the management interface, either through legitimate credentials or by exploiting another vulnerability, a POST request can be sent to the '/admin/_cmdstat.jsp' endpoint. The request must include the 'apcli-cmd' command, specifying a target device by its MAC address. Once the command is executed, a reverse shell can be initiated by directing the output to a networked location.
Users are advised to update to Ruckus Unleashed versions 200.18.7.1.323 or later, and ZoneDirector versions 10.5.1.0.282 or later. After updating, all passwords should be changed, existing management interface certificates revoked, and private keys regenerated.
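As an added example (not part of the advisory and not vendor code), the following Python script scans web access logs for POST requests to '/admin/_cmdstat.jsp' that come from sources outside the management network. The reverse proxy, its common log format, the management subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

ENDPOINT = "/admin/_cmdstat.jsp"  # endpoint named in the advisory
# Assumption: hypothetical management subnet allowed to reach the controller UI.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: a reverse proxy in front of the controller logs in common log format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines, not taken from a real device.
SAMPLE_LOG = """\
10.20.0.15 - - [12/Mar/2025:09:14:02 +0000] "POST /admin/_cmdstat.jsp HTTP/1.1" 200 512
203.0.113.77 - - [12/Mar/2025:09:20:41 +0000] "POST /admin/_cmdstat.jsp HTTP/1.1" 200 498
203.0.113.77 - - [12/Mar/2025:09:20:44 +0000] "POST /admin/_cmdstat.jsp?x=1 HTTP/1.1" 200 120
198.51.100.9 - - [12/Mar/2025:09:31:10 +0000] "GET /admin/login.jsp HTTP/1.1" 200 2048
198.51.100.9 - - [12/Mar/2025:09:31:12 +0000] "POST /admin/_cmdstat.jsp HTTP/1.1" 302 0
"""

def is_management(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never treated as trusted
    return any(addr in net for net in MGMT_NETS)

def unexpected_diag_posts(log_text):
    """Summarise POSTs to ENDPOINT from sources outside MGMT_NETS, per source."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != ENDPOINT:  # ignore any query string
            continue
        if is_management(m["src"]):
            continue
        # Keep first/last timestamps and status codes for analyst triage.
        h = hits.setdefault(m["src"], {"count": 0, "first": m["ts"], "statuses": set()})
        h["count"] += 1
        h["last"] = m["ts"]
        h["statuses"].add(int(m["status"]))
    return hits

if __name__ == "__main__":
    for src, h in unexpected_diag_posts(SAMPLE_LOG).items():
        print(src, h["count"], h["first"], h["last"], sorted(h["statuses"]))
```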