#VU25252 Improper Authentication in Ruckus IoT vRIoT Server
Vulnerability identifier: #VU25252
Vulnerability risk: High
CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Ruckus IoT vRIoT Server
Web applications /
Remote management & hosting panels
Vendor: Ruckus Networks
Description
The vulnerability allows a remote attacker to compromise the affected device.
The vulnerability exists due to absent authentication at multiple API endpoint. A remote non-authenticated attacker can use the exposed APIs to download or delete system backups, manipulate modules configuration, reset the device.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected device.
Examples of exposed APIs without authentication:
/service/init/service/v1/db/restore/service/v1/db/backup/service/upgrade/flow/module//reset
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Ruckus IoT vRIoT Server: 1.4.0.0.17
External links
http://ssd-disclosure.com/archives/4099/ssd-advisory-ruckus-iot-vriot-server-vulnerabilities
http://support.ruckuswireless.com/software/2348-ruckus-iot-1-5-ga-vriot-server-software-release-ova-install-image
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
