RUCKUS Network Director Hardcoded SSH Keys for Postgres User Allow Remote Code Execution
Vulnerability
A vulnerability exists in RUCKUS Network Director (RND) versions prior to 4.5.0.56, where the OVA appliance includes hardcoded SSH keys for the 'postgres' user. These keys are the same across all deployments, enabling an attacker with network access to authenticate via SSH without a password. Once logged in, the attacker can access the PostgreSQL database with superuser privileges, create administrative users for the web interface, and potentially escalate privileges further.
Impact
Exploitation of this vulnerability allows for unauthorized SSH access as the 'postgres' user, who has superuser rights in the PostgreSQL database. This access could be used to create admin users for the RUCKUS Network Director web interface, access application data, and possibly escalate privileges on the operating system, depending on its configuration.
Reproduction
The hardcoded SSH keys can be found in the 'authorized_keys' file within the '/data/var/lib/pgsql/.ssh/' directory on the appliance. The private key, 'id_rsa_pgpool', can be used to authenticate as the 'postgres' user via SSH. After logging in, the 'postgres' user's superuser privileges in the PostgreSQL database can be verified. Additionally, a new administrative user can be inserted into the 'users' table to gain access to the web admin panel.
Remediation
Users are advised to update RUCKUS Network Director to version 4.5.0.56 or later. After updating, all credentials should be reset.
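Two checks an operator can run on an appliance after updating and rotating credentials, as an added example that is not code from the advisory or from RUCKUS: auditing the 'postgres' user's 'authorized_keys' file (the '/data/var/lib/pgsql/.ssh/' path is the one named above) against an allowlist of approved key fingerprints, and scanning sshd log lines for public-key logins as 'postgres' with a key that is not on that allowlist. The allowlist itself, the key blob in the sample file, and the log lines are constructed for the example; the blob is a bare type header rather than a real key, and the fingerprint format is OpenSSH's SHA256 form.

```python
"""Defender-side checks for shared SSH keys on a PostgreSQL host.

Added example, not code from the advisory or from RUCKUS. It
1. audits an authorized_keys file for the 'postgres' user against an allowlist
   of approved OpenSSH SHA256 fingerprints, and
2. flags sshd 'Accepted publickey for postgres' log lines whose fingerprint is
   not on that allowlist.
All sample data below is constructed; the key blob is not a real key.
"""
import base64
import hashlib
import re
from typing import Iterable

# Constructed authorized_keys content. On the appliance this would be read from
# /data/var/lib/pgsql/.ssh/authorized_keys (path from the advisory).
SAMPLE_AUTHORIZED_KEYS = """\
# comment lines and blank lines are ignored
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA pgpool@appliance
"""

# Constructed sshd log lines; fingerprints are sample values.
SAMPLE_AUTH_LOG = [
    "Mar  3 09:12:41 rnd sshd[2210]: Accepted publickey for postgres from 192.0.2.10 port 51234 ssh2: RSA SHA256:Qx7U2i0u9e2Tq9bD0u8H6m8Dfx9nZn1k0A6aE1Vb9Zk",
    "Mar  3 09:13:05 rnd sshd[2215]: Accepted password for admin from 192.0.2.11 port 51300 ssh2",
    "Mar  3 09:20:17 rnd sshd[2230]: Accepted publickey for postgres from 198.51.100.7 port 40001 ssh2: RSA SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "Mar  3 09:21:00 rnd sshd[2231]: Failed password for postgres from 198.51.100.7 port 40002 ssh2",
]
# Assumed allowlist: the one key the operator generated and approved after rotation.
APPROVED_LOGIN_KEYS = {"SHA256:Qx7U2i0u9e2Tq9bD0u8H6m8Dfx9nZn1k0A6aE1Vb9Zk"}

KEY_RE = re.compile(
    r"(?P<type>ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)|ssh-dss)\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?"
)
LOGIN_RE = re.compile(
    r"Accepted (?P<method>publickey|password|keyboard-interactive/pam) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2(?:: (?P<ktype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+))?"
)


def fingerprint_of(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, allowed: Iterable[str]) -> list:
    """Return entries whose fingerprint is not in `allowed` (or cannot be parsed)."""
    allowed = set(allowed)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            findings.append({"line": lineno, "reason": "unparseable", "fingerprint": None})
            continue
        fp = fingerprint_of(m["blob"])
        if fp not in allowed:
            findings.append({
                "line": lineno, "reason": "unapproved key", "fingerprint": fp,
                "type": m["type"], "comment": m["comment"] or "",
            })
    return findings


def unapproved_postgres_logins(lines: Iterable[str], allowed: Iterable[str]) -> list:
    """Return public-key logins as 'postgres' whose key fingerprint is not approved."""
    allowed = set(allowed)
    hits = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m or m["user"] != "postgres" or m["method"] != "publickey":
            continue  # other users, password logins and failures are out of scope here
        if m["fp"] not in allowed:
            hits.append({"ip": m["ip"], "fingerprint": m["fp"], "line": line})
    return hits


if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED_LOGIN_KEYS):
        print("authorized_keys:", f)
    for h in unapproved_postgres_logins(SAMPLE_AUTH_LOG, APPROVED_LOGIN_KEYS):
        print("login:", h["ip"], h["fingerprint"])
```

With an empty allowlist every key and every public-key login as 'postgres' is reported, which is the right default immediately after an upgrade: only keys the operator has generated and recorded should be added back. A key that appears in the audit on more than one appliance, or a login fingerprint that the operator never approved, is the signal to investigate.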