CommScope Ruckus Unleashed
cpe:2.3:o:ruckuswireless:unleashed:*:*:*:*:*:*:*
- < 200.15.6.212.14
- < 200.17.7.0.139
A format string vulnerability has been identified in CommScope Ruckus Unleashed versions prior to 200.15.6.212.14 and 200.17.7.0.139, as well as in Ruckus ZoneDirector versions prior to 10.5.1.0.279. The vulnerability arises in the authenticated configuration endpoint '/admin/_conf.jsp', where the Wi-Fi guest password is written to memory using 'snprintf'. An attacker can exploit this by crafting a password that triggers uncontrolled format-string processing, ultimately enabling remote code execution on the controller.
Exploitation of this vulnerability allows for remote code execution on the affected device.
The vulnerability can be reproduced by sending a crafted DHCP request from a device connected to the guest Wi-Fi network. The request must include format string characters in the hostname field, which will be processed by the vulnerable 'snprintf' function on the controller.
Users are advised to update to Ruckus Unleashed versions 200.18.7.1.323 or later, and Ruckus ZoneDirector versions 10.5.1.0.282 or later. After updating, it is recommended to change all passwords, revoke existing management interface certificates, and regenerate the private key.
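The bug class described above comes from letting untrusted text act as the `snprintf` format instead of as data. The C sketch below is an added example, not Ruckus code: `store_guest_password` and `count_format_directives` are hypothetical names and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example; function names are hypothetical, not from the vendor firmware.
 *
 * Pattern the advisory describes (shown as a comment only, never compiled):
 *     snprintf(dst, cap, password);    // '%' directives in password are interpreted
 */

/* Hardened form: constant format, untrusted text passed as data.
 * Returns 0 on success, -1 if the value would not fit (dst is emptied). */
int store_guest_password(char *dst, size_t cap, const char *password)
{
    int n = snprintf(dst, cap, "%s", password);
    if (n < 0 || (size_t)n >= cap) {
        if (cap > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Count '%' characters that would start a printf conversion ("%%" is a
 * literal percent). A non-zero result on a password or hostname field is
 * worth logging during input validation or configuration audits. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] == '%') {   /* escaped percent, skip both */
            i++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *sample = "%x.%x.%s";   /* constructed test input */
    char buf[32];
    int rc = store_guest_password(buf, sizeof buf, sample);
    printf("rc=%d stored=\"%s\" directives=%d\n",
           rc, buf, count_format_directives(sample));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang flag the commented-out pattern wherever it appears in real code.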