RUCKUS ADVISORY ID 031813-2
Customer release date: March 25, 2013
Public release date: May 27, 2013

TITLE

User authentication bypass vulnerability in ZoneDirector administrative web interface

SUMMARY

A user authentication bypass vulnerability has been discovered in ZoneDirector controllers during standard internal bug reporting procedures. This vulnerability may allow a malicious user to gain unauthorized access to the ZoneDirector administrative web interface.

AFFECTED SOFTWARE VERSIONS AND DEVICES

Device                     Affected software
-------------------------  ------------------
ZoneDirector Controllers   9.3.x, 9.4.x, 9.5.x

Any products not mentioned in the table above are not affected.

DETAILS

A weakness has been discovered in the administrative web interface of the ZoneDirector controller devices. A malicious user with network access to the device's web interface may obtain unauthorized access and perform administrative actions via the web interface.

This issue only applies if the ZoneDirector web interface is configured to authenticate the admin user via remote authentication methods (RADIUS, LDAP or AD). The user does not have to be authenticated to the web interface for this attack to be successful.

This issue does not affect any other Ruckus devices besides ZoneDirector controllers.

IMPACT

A malicious user with network access to the administrative web interface of the ZoneDirector controller device may obtain unauthorized access and perform administrative actions via this interface.

CVSS v2 BASE METRIC SCORE: 8.8 (AV:N/AC:M/Au:N/C:C/I:C/A:N)

CHECK IF YOU ARE VULNERABLE

This issue is applicable only in certain configurations:

- This issue is applicable ONLY if the ZoneDirector administrative web interface is configured to authenticate the admin user via remote authentication methods: RADIUS, LDAP or AD.
- ZoneDirector controllers are NOT vulnerable if local authentication or TACACS is being used to authenticate the admin user to the web interface.
- No other Ruckus devices are vulnerable to this issue besides ZoneDirector controllers.

WORKAROUNDS

Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical. However, in the event that a patch cannot immediately be applied, the following steps will help to mitigate the risk:

- Do not expose management interfaces of Ruckus devices (including the administrative web interface) to untrusted networks such as the Internet.
- Use a firewall to limit traffic to/from the ZoneDirector administrative web interface to trusted hosts.
- Switch to local authentication or TACACS for the ZoneDirector administrative web interface.

SOLUTION

Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical. The following patches contain the fix (any later patches will also have the fix):

Branch       Software Patch
-----------  ------------------
9.3.x        9.3.4.0.17
9.4.x        9.4.3.0.16
9.5.x        9.5.1.0.50

OBTAINING FIXED FIRMWARE

Ruckus customers can obtain the fixed firmware from the support website at https://support.ruckuswireless.com/

Ruckus Support can be contacted as follows:
1-855-RUCKUS1 (1-855-782-5871) (United States)
e-mail: support at ruckuswireless.com
The full contact list is at: https://support.ruckuswireless.com/contact-us

PUBLIC ANNOUNCEMENTS

This security advisory is strictly confidential and will be made available for public consumption in approximately 60 days, on 27th May 2013, at the following sources:

Ruckus Website: http://www.ruckuswireless.com/security
SecurityFocus Bugtraq: http://www.securityfocus.com/archive/1

Future updates of this advisory, if any, will be placed on Ruckus's website, but may or may not be actively announced on mailing lists.
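The "CHECK IF YOU ARE VULNERABLE" conditions and the SOLUTION patch table can be turned into a fleet check. The script below is an added example, not Ruckus code: given a controller's firmware version string and its admin-authentication method, it decides whether this advisory applies, treating the fixed patch and anything later on the same branch as fixed. The version-string format (dotted integers, as in the patch table) is an assumption.

```python
# Added example (not Ruckus code): apply this advisory's applicability rules
# to one ZoneDirector controller. Affected branches and fixed patches are the
# values published in the advisory's SOLUTION table.
from typing import Tuple

AFFECTED_BRANCHES = ("9.3", "9.4", "9.5")
FIXED_PATCH = {"9.3": "9.3.4.0.17", "9.4": "9.4.3.0.16", "9.5": "9.5.1.0.50"}
# Admin-authentication methods that the advisory lists as exposed.
REMOTE_AUTH = {"radius", "ldap", "ad"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.4.3.0.16' into a tuple of ints so versions compare naturally."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, admin_auth: str) -> Tuple[bool, str]:
    """Return (vulnerable, reason) for a controller running `version` whose
    administrative web interface authenticates admins via `admin_auth`."""
    auth = admin_auth.strip().lower()
    # Local authentication and TACACS are explicitly not affected.
    if auth not in REMOTE_AUTH:
        return False, f"admin auth '{admin_auth}' is not RADIUS/LDAP/AD"
    ver = parse_version(version)
    branch = ".".join(str(n) for n in ver[:2])
    # Only the 9.3.x, 9.4.x and 9.5.x branches are listed as affected.
    if branch not in AFFECTED_BRANCHES:
        return False, f"branch {branch}.x is not listed as affected"
    fixed = FIXED_PATCH[branch]
    # The fixed patch and any later patch on the branch carry the fix.
    # A truncated version such as '9.4.3' sorts below '9.4.3.0.16' and is
    # therefore reported as vulnerable, which is the conservative outcome.
    if ver >= parse_version(fixed):
        return False, f"{version} already contains the fix ({fixed} or later)"
    return True, (f"{version} is below fixed patch {fixed}; upgrade, or switch "
                  "admin auth to local/TACACS and firewall the web interface")
```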
REVISION HISTORY

Revision 1.0 / 25th March 2013 / Initial release

RUCKUS WIRELESS SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Ruckus Wireless products and obtaining assistance with security incidents is available at http://www.ruckuswireless.com/security

For reporting new security issues, email can be sent to security(at)ruckuswireless.com

For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.ruckuswireless.com/security

STATUS OF THIS NOTICE: Final

Although Ruckus cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Ruckus does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Ruckus may update this advisory.

(c) Copyright 2013 by Ruckus Wireless

This advisory may be redistributed freely after the public release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.