KL-001-2021-007: CommScope Ruckus IoT Controller Undocumented Account

Title: CommScope Ruckus IoT Controller Undocumented Account
Advisory ID: KL-001-2021-007
Publication Date: 2021.05.26
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-007.txt

1. Vulnerability Details

     Affected Vendor: CommScope
     Affected Product: Ruckus IoT Controller
     Affected Version: 1.7.1.0 and earlier
     Platform: Linux
     CWE Classification: CWE-798: Use of Hard-coded Credentials,
                         CWE-912: Hidden Functionality
     CVE ID: CVE-2021-33216

2. Vulnerability Description

     An upgrade account is included in the IoT Controller OVA that
     provides the vendor undocumented access via Secure Copy (SCP).

3. Technical Description

     Once the OVA is imported into VirtualBox, a VMDK file is created.
     The VMDK file can be mounted, and the directory structure and its
     contents can be perused. An authorized_keys file exists that allows
     an individual or organization possessing the corresponding SSH
     private key to access the virtual appliance using the
     'vriotiotupgrade' account. The 'vriotiotupgrade' account is
     restricted to scp, per the rssh configuration.

     Additionally, it appears that the IoT Controller has rssh version
     2.3.4 installed and in use. At the time of this advisory, there are
     at least three remote command injection vulnerabilities in this
     particular version of rssh: CVE-2019-3463, CVE-2019-3464 and
     CVE-2019-1000018.

4. Mitigation and Remediation Recommendation

     The vendor has released updated firmware (1.8.0.0) which remediates
     the described vulnerability. Firmware and release notes are
     available at:

     https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf

5. Credit

     This vulnerability was discovered by Jim Becher (@jimbecher) of
     KoreLogic, Inc.

6. Disclosure Timeline

     2021.03.30 - KoreLogic submits vulnerability details to CommScope.
     2021.03.30 - CommScope acknowledges receipt and the intention to
                  investigate.
     2021.04.06 - CommScope notifies KoreLogic that this issue, along
                  with several others reported by KoreLogic, will
                  require more than the standard 45 business day
                  remediation timeline.
     2021.04.06 - KoreLogic agrees to extend disclosure embargo if
                  necessary.
     2021.04.30 - CommScope informs KoreLogic that remediation for this
                  vulnerability will be available inside of the standard
                  45 business day timeline. Requests KoreLogic acquire
                  CVE number for this vulnerability.
     2021.05.14 - 30 business days have elapsed since the vulnerability
                  was reported to CommScope.
     2021.05.17 - CommScope notifies KoreLogic that the patched version
                  of the firmware will be available the week of
                  2021.05.24.
     2021.05.19 - KoreLogic requests CVE from MITRE.
     2021.05.19 - MITRE issues CVE-2021-33216.
     2021.05.25 - CommScope releases firmware 1.8.0.0 and associated
                  advisory.
     2021.05.26 - KoreLogic public disclosure.

7. Proof of Concept

     With the VMDK file mounted at the current working directory:

     $ find . -name authorized_keys
     ./VRIOT/ap-images/authorized_keys
     ./VRIOT/ops/ap-images/authorized_keys

     $ cat VRIOT/ap-images/authorized_keys
     ssh-rsa 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 chandini.venkatesh@commscope.com

     $ cat VRIOT/ops/ap-images/authorized_keys
     ssh-rsa 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 chandini.venkatesh@commscope.com

     $ grep "ap-images" etc/passwd
     vriotiotupgrade:x:1002:1002::/VRIOT/ap-images/:/usr/bin/rssh

     $ tail -8 etc/ssh/sshd_config

     Match User vriotiotupgrade
         PasswordAuthentication no
         AuthorizedKeysFile /VRIOT/ap-images/authorized_keys

     Match User vriotha
         PasswordAuthentication yes

     $ grep -v ^# etc/rssh.conf
     logfacility = LOG_USER
     allowscp
     umask = 022

The contents of this advisory are copyright (c) 2021 KoreLogic, Inc.
and are licensed under a Creative Commons Attribution Share-Alike 4.0
(United States) License:

http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc.
is a founder-owned and operated company with a proven track record of
providing security services to entities ranging from Fortune 500 to
small and mid-sized companies. We are a highly skilled team of senior
security consultants doing by-hand security assessments for the most
important networks in the U.S. and around the world. We are also
developers of various tools and resources aimed at helping the security
community.

https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:

https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
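The proof of concept above inspects a mounted appliance image by hand. The following script, added here as an editor's example and not part of KoreLogic's advisory or CommScope's product, automates that same review offline: it lists every authorized_keys file in a mounted image root (with the key comment that often names its owner), accounts whose login shell is rssh, and sshd "Match User" blocks that load keys from a non-default file. The fixture it builds with make_fixture is constructed to mirror the layout shown in the advisory; the key material and e-mail address in it are placeholders, not real values.

```shell
#!/bin/sh
# Offline audit of a mounted appliance image for undocumented key-only
# accounts. Reads only; the image is never modified.
# Usage: audit_image /path/to/mounted/root

audit_image() {
    root=$1
    # 1. Every authorized_keys file in the image; the key comment (field 3)
    #    frequently reveals who holds the matching private key.
    find "$root" -type f -name authorized_keys 2>/dev/null | while read -r f; do
        awk -v rel="${f#"$root"}" \
            '/^ssh-/ { print "KEYFILE " rel " " ($3 != "" ? $3 : "(no comment)") }' "$f"
    done
    # 2. Accounts restricted to rssh (scp/sftp-only shell) and their home dirs.
    awk -F: '$7 ~ /rssh/ { print "RSSH_USER " $1 " home=" $6 }' "$root/etc/passwd"
    # 3. Per-user sshd overrides pointing AuthorizedKeysFile at a custom path.
    awk '/^Match[ \t]+User/ { u = $3 }
         /^[ \t]*AuthorizedKeysFile/ && u != "" { print "CUSTOM_KEYS " u " " $2 }' \
        "$root/etc/ssh/sshd_config"
}

# Constructed fixture mirroring the advisory's layout (placeholder key, no real data).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh" "$d/VRIOT/ap-images" "$d/VRIOT/ops/ap-images"
    key="ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-NOT-A-REAL-KEY upgrade@example.invalid"
    echo "$key" > "$d/VRIOT/ap-images/authorized_keys"
    echo "$key" > "$d/VRIOT/ops/ap-images/authorized_keys"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'vriotiotupgrade:x:1002:1002::/VRIOT/ap-images/:/usr/bin/rssh' > "$d/etc/passwd"
    printf '%s\n' 'PasswordAuthentication yes' \
        'Match User vriotiotupgrade' '    PasswordAuthentication no' \
        '    AuthorizedKeysFile /VRIOT/ap-images/authorized_keys' \
        'Match User vriotha' '    PasswordAuthentication yes' > "$d/etc/ssh/sshd_config"
    echo "$d"
}

if [ -n "${1:-}" ]; then
    audit_image "$1"          # real image root supplied by the operator
else
    audit_image "$(make_fixture)"   # demo run against the constructed fixture
fi
```

Any RSSH_USER or CUSTOM_KEYS line naming an account that does not appear in the vendor's documentation is worth raising with the vendor; the KEYFILE comment tells you whose key would be accepted.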