Enterprise access point maker Ruckus has once again patched command injection vectors that allow a complete compromise of both the ZoneDirector controller and the Unleashed AP. One of the vulnerabilities is in fact strikingly similar to an issue in another Ruckus web GUI I disclosed last year.

While vulnerabilities are essentially an inevitable fact of life for any sufficiently complex software, there are several design measures that can greatly reduce the impact of a successful exploit, turning a code execution bug in one component into something much less than a full device takeover.

In 2017, there is no reason for these design failures to keep recurring in product after product. It is time that we as security professionals started expecting more from vendors.

With this in mind, I have compiled a list of some security practices we should consider as part of a baseline of security.

1. Stop running everything as root!

Perhaps in the early days of embedded Linux, resource constraints drove developers to drop the traditional user-based security model and do everything as root. Today, there is no excuse for having a device's web server running as uid 0 with full root privileges.

By default, management interfaces should run as an unprivileged user and reach a small, fixed set of privileged operations only through a narrow interface (a local broker or setuid helper that accepts named operations, not arbitrary commands). If Ruckus had taken the time to employ any form of privilege separation, it is unlikely that any of the vulnerabilities I've reported to them could be directly used for a complete compromise.
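As an added illustration of the privilege-separation design described above (this is example code written for this article, not Ruckus firmware), the sketch below splits a management interface into an unprivileged web tier and a root-owned helper. The helper exposes only an allowlist of named operations, each mapped to a fixed argv that is executed without a shell, so a command injection in the web tier cannot escalate. The uid/gid values, operation names, binaries and parameter rules are illustrative assumptions.

```python
"""Privilege separation for an embedded management interface (added example,
not vendor code). The web process drops to an unprivileged identity at
startup; anything that needs root is requested from a helper by operation
name and validated parameters, never as a command string."""
import os
import re
import subprocess
from typing import Dict, List, Pattern, Tuple

# Hypothetical unprivileged identity for the web tier (assumption).
WEB_UID = 1001
WEB_GID = 1001

# Parameter validators: each value must fully match its pattern.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")
IFACE_RE = re.compile(r"(eth|wlan)[0-9]")

# Allowlist of privileged operations (illustrative). Each entry is an argv
# template; "{name}" placeholders are filled only from validated parameters.
PRIVILEGED_OPS: Dict[str, Tuple[List[str], Dict[str, Pattern[str]]]] = {
    "reboot":       (["/sbin/reboot"], {}),
    "set_hostname": (["/bin/hostname", "{name}"], {"name": HOSTNAME_RE}),
    "iface_down":   (["/sbin/ip", "link", "set", "dev", "{iface}", "down"],
                     {"iface": IFACE_RE}),
}


class PolicyError(Exception):
    """Raised when a request from the web tier violates the helper's policy."""


def build_command(op: str, params: Dict[str, str]) -> List[str]:
    """Translate a (op, params) request into a fixed argv for the helper.

    Rejects unknown operations, missing or extra parameters, and values that
    fail validation. Because the result is an argv list run without a shell,
    metacharacters such as ';', '|' or '`' are inert even if one slipped past
    the regex.
    """
    if op not in PRIVILEGED_OPS:
        raise PolicyError(f"operation not allowed: {op!r}")
    template, validators = PRIVILEGED_OPS[op]
    if set(params) != set(validators):
        raise PolicyError(f"unexpected parameters for {op}: {sorted(params)}")
    argv: List[str] = []
    for piece in template:
        if piece.startswith("{") and piece.endswith("}"):
            key = piece[1:-1]
            value = params[key]
            if not validators[key].fullmatch(value):
                raise PolicyError(f"invalid value for {key}: {value!r}")
            argv.append(value)
        else:
            argv.append(piece)
    return argv


def run_privileged(op: str, params: Dict[str, str]) -> int:
    """Entry point on the root-owned helper side. In a real device the request
    arrives over a local socket from the web tier; that IPC is omitted here."""
    argv = build_command(op, params)
    return subprocess.run(argv, check=False).returncode


def drop_privileges(uid: int, gid: int) -> None:
    """Called once by the web process at startup. Order matters: clear
    supplementary groups, then set gid, then uid. Refuses to stay root and
    verifies that the drop cannot be undone."""
    if uid == 0 or gid == 0:
        raise PolicyError("refusing to run the web tier as root")
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)           # must fail with EPERM after a real drop
    except PermissionError:
        return
    raise RuntimeError("privilege drop did not stick; refusing to continue")


if __name__ == "__main__":
    # Web-tier startup would call drop_privileges(WEB_UID, WEB_GID) here.
    print(build_command("set_hostname", {"name": "ap-1"}))
    try:
        build_command("set_hostname", {"name": "ap-1; reboot"})
    except PolicyError as exc:
        print("rejected:", exc)
```

The important property is that the privileged side never receives a string it has to parse: the web tier can only name an operation and supply values that must match a strict pattern, and the helper builds the argv itself. Even a full compromise of the web process then yields at most the operations in the allowlist, which is the point of the design.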

2. Anti-CSRF tokens should be everywhere!

Cross-site request forgery (CSRF) is one of the most ubiquitous security defects that I see in embedded devices. This is compounded by the fact that most IoT products are designed to blindly trust any request that arrives from the local network, or simply fail to properly validate authentication tokens, so a victim's browser visiting an attacker's page is enough to drive the management interface.
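To make the missing control concrete, here is an added example (written for this article, not Ruckus code) of synchronizer-token CSRF protection suitable for a device management interface. Each token is an HMAC over the session ID, an issue time and a random nonce, keyed with a per-device secret, so it cannot be forged from another origin and a token captured from one session is useless in another. As defense in depth, state-changing requests also have their Origin (or Referer) compared against the request's Host. The secret, session values and header names are constructed for the example.

```python
"""Synchronizer-token CSRF protection for an embedded web GUI (added example,
not vendor code). Tokens are bound to the session and expire."""
import hashlib
import hmac
import secrets
import time
from typing import Mapping, Optional
from urllib.parse import urlparse

# Per-device secret, generated at first boot and kept in flash (assumption).
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a token stays valid
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _mac(session_id: str, payload: str, secret: bytes) -> str:
    msg = f"{session_id}|{payload}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[float] = None,
                     secret: bytes = SERVER_SECRET) -> str:
    """Return a token 'issued.nonce.mac' bound to this session.
    Embed it in every form and expose it to scripts via a response header."""
    issued = int(now if now is not None else time.time())
    payload = f"{issued}.{secrets.token_hex(8)}"
    return f"{payload}.{_mac(session_id, payload, secret)}"


def verify_csrf_token(session_id: str, token: str, now: Optional[float] = None,
                      secret: bytes = SERVER_SECRET) -> bool:
    """Accept only a well-formed, unexpired token whose MAC matches this
    session. Comparison is constant-time."""
    try:
        issued_s, nonce, mac = token.split(".")
        issued = int(issued_s)
    except (AttributeError, ValueError):
        return False
    current = now if now is not None else time.time()
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    expected = _mac(session_id, f"{issued}.{nonce}", secret)
    return hmac.compare_digest(expected, mac)


def _origin_matches_host(headers: Mapping[str, str]) -> bool:
    """Defense in depth: if the browser sent Origin or Referer, its host must
    equal the Host the request was addressed to. A missing header is not
    proof of anything, so it neither passes nor fails the request here."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return True
    host = headers.get("Host", "").split(":")[0].lower()
    return bool(host) and urlparse(source).hostname == host


def request_allowed(method: str, headers: Mapping[str, str],
                    form: Mapping[str, str], session_id: str,
                    now: Optional[float] = None) -> bool:
    """Gate to run on every request after session authentication succeeds.
    Safe methods pass; everything else needs a matching origin and a valid
    token from the form body or an X-CSRF-Token header."""
    if method.upper() in SAFE_METHODS:
        return True  # safe methods must never change device state
    if not _origin_matches_host(headers):
        return False
    token = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if token is None:
        return False
    return verify_csrf_token(session_id, token, now=now)


if __name__ == "__main__":
    sid = "sess-A"
    tok = issue_csrf_token(sid)
    print("own session:", verify_csrf_token(sid, tok))
    print("other session:", verify_csrf_token("sess-B", tok))
    print("forged POST:", request_allowed(
        "POST", {"Host": "192.168.0.1", "Origin": "http://attacker.example"},
        {"csrf_token": tok}, sid))
```

Two details matter in practice. Safe methods must really be safe: a device that reboots or changes its admin password on a GET is CSRF-able no matter how good the token is. And the token must be checked for every state-changing endpoint, including the ones only scripts call, because an attacker's page can submit any path the browser is allowed to reach on the local network.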

If Ruckus had implemented CSRF protections after my last disclosure to them, these new vulnerabilities would (Read more...)