Ruckus Network Director Hardcoded PostgreSQL Credentials Allow Remote Code Execution
Vulnerability
A vulnerability exists in Ruckus Network Director (RND) versions prior to 4.5.0.54, where the OVA appliance includes hardcoded credentials for the 'ruckus' PostgreSQL database user. In the default setup, the PostgreSQL service is accessible over the network on TCP port 5432. This exposure allows an attacker to use the hardcoded credentials for remote authentication, gaining superuser access to the database. Such access enables the creation of administrative users for the web interface, extraction of password hashes, and execution of arbitrary operating system commands as the 'postgres' user.
Impact
Exploitation of this vulnerability allows for remote code execution on the server, with the executed commands running as the 'postgres' user. This access could be leveraged to escalate privileges to root, especially if the admin user's password is compromised or reused.
Reproduction
The vulnerability can be reproduced by accessing the PostgreSQL service on the default network port 5432. With the hardcoded credentials, an attacker can authenticate as the 'ruckus' user, which has superuser privileges. Once authenticated, the 'ruckus' user can execute commands using PostgreSQL's 'COPY TO PROGRAM' feature, potentially leading to a reverse shell. If the 'admin' user's password is obtained, full root access can be achieved due to the user's passwordless sudo privileges.
Remediation
Users are advised to update Ruckus Network Director to version 4.5.0.54 or later, restrict network access to the PostgreSQL port, audit existing deployments for unauthorized database users, and ensure strong, unique passwords are used for all accounts.
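Two of the remediation steps above, restricting network access to PostgreSQL and auditing for unauthorized database users, can be checked from exported configuration. The following is an added example written for this page, not code from Ruckus or the advisory: it parses a constructed pg_hba.conf fragment and a constructed role listing (as returned by `SELECT rolname, rolsuper, rolcanlogin FROM pg_roles`) and flags rules that admit non-loopback clients or use weak authentication, plus login-capable superusers outside an allow list.

```python
import ipaddress

# Constructed sample pg_hba.conf; not copied from any RND appliance.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS              METHOD
local   all       postgres                       peer
host    all       ruckus    0.0.0.0/0            md5
host    all       all       127.0.0.1/32         scram-sha-256
host    all       ruckus    10.0.0.0 255.0.0.0   trust
"""

# Constructed rows, as if from:
#   SELECT rolname, rolsuper, rolcanlogin FROM pg_roles;
SAMPLE_ROLES = [
    ("postgres", True, True),
    ("ruckus", True, True),          # the superuser role named in the advisory
    ("rnd_app", False, True),
    ("backdoor_admin", True, True),  # constructed: an unexpected superuser
]

WEAK_METHODS = {"trust", "password", "md5"}  # scram-sha-256 or cert preferred

def audit_pg_hba(text):
    """Flag host rules that admit non-loopback clients or use a weak auth method."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue
        _, database, user, address = fields[:4]
        rest = fields[4:]
        # pg_hba accepts CIDR or "address netmask"; a netmask starts with a digit.
        if len(rest) >= 2 and rest[0][0].isdigit():
            address, rest = f"{address}/{rest[0]}", rest[1:]
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            continue  # hostname-based rules are not evaluated here
        method = rest[0]
        issues = []
        if not net.is_loopback:
            issues.append("remote")
        if net.prefixlen == 0:
            issues.append("any-source")
        if method in WEAK_METHODS:
            issues.append(f"weak-auth:{method}")
        if issues:
            findings.append({"line": lineno, "user": user, "db": database,
                             "network": str(net), "method": method, "issues": issues})
    return findings

def unexpected_superusers(rows, allowed=("postgres",)):
    """Return login-capable superuser roles that are not on the allow list."""
    return sorted(name for name, is_super, can_login in rows
                  if is_super and can_login and name not in allowed)
```

On the sample input the audit reports the `0.0.0.0/0` md5 rule and the `10.0.0.0/8` trust rule for the ruckus user, and lists `ruckus` and `backdoor_admin` as superusers to review.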