RUCKUS ADVISORY ID 111113-2

Customer release date: Sep 9, 2013
Public release date: Nov 11, 2013

TITLE

Authenticated persistent cross-site scripting vulnerability in the guest pass provisioning web interface on ZoneDirector controllers

SUMMARY

A persistent (stored) cross-site scripting vulnerability has been discovered in the guest pass provisioning web interface on ZoneDirector (ZD) controllers. To launch this attack, the attacker needs access to an authenticated user session with privileges for guest pass generation.

AFFECTED SOFTWARE VERSIONS AND DEVICES

Device                    Affected software
------------------------  --------------------------
ZoneDirector Controllers  9.3.x, 9.4.x, 9.5.x, 9.6.x

Any products not mentioned in the table above are not affected.

DETAILS

A persistent cross-site scripting weakness has been discovered in the guest pass provisioning web interface of ZoneDirector controllers. An attacker who has access to an authenticated user session with guest pass generation privileges can store malicious JavaScript through that interface; because the injection is persistent, the script executes in the browser of a user who later views the stored content, with the privileges of that user or of the administrator. Access to such an authenticated session is a prerequisite for the attack. This issue does not affect any other Ruckus devices besides ZoneDirector controllers.

IMPACT

An attacker with access to an authenticated user session with privileges for guest pass generation may cause malicious JavaScript to execute in the browser of the user or the administrator who views the affected page, with that user's privileges.

CVSS v2 BASE METRIC SCORE: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)

WORKAROUNDS

Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical to mitigate this attack.
However, in the event that a patch cannot immediately be applied, the following suggestions may help reduce the risk:

- Only launch web sessions to the ZD's guest pass provisioning interface from trusted hosts that have no connectivity to untrusted networks such as the Internet while the session is active.
- Do not expose the ZD's guest pass provisioning interface to untrusted networks such as the Internet.
- Use a firewall to limit traffic to/from the ZoneDirector's guest pass provisioning web interface to trusted hosts.

SOLUTION

Ruckus recommends that all customers apply the appropriate patch(es) as soon as practical. The following patches contain the fix (any later patches on the same branch will also contain the fix):

Branch  Software Patch
------  --------------
9.3.x   9.3.4.0.21
9.4.x   9.4.3.0.22
9.5.x   9.5.2.0.15
9.6.x   9.6.1.0.15

CREDITS

This vulnerability was reported by Erik van Eijk of the Dutch Forensic Institute, Netherlands.

OBTAINING FIXED FIRMWARE

Ruckus customers can obtain the fixed firmware from the support website at https://support.ruckuswireless.com/

Ruckus Support can be contacted as follows:
1-855-RUCKUS1 (1-855-782-5871) (United States)
The full contact list is at: https://support.ruckuswireless.com/contact-us

PUBLIC ANNOUNCEMENTS

This security advisory is strictly confidential and will be made available for public consumption in approximately 60 days, on Nov 11, 2013, at the following sources:

Ruckus Website          http://www.ruckuswireless.com/security
SecurityFocus Bugtraq   http://www.securityfocus.com/archive/1

Future updates of this advisory, if any, will be placed on Ruckus's website, but may or may not be actively announced on mailing lists.
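The affected-branch table and the fixed-build table in the SOLUTION section above together define which ZoneDirector builds still need the patch: a build is exposed only if it is on branch 9.3.x, 9.4.x, 9.5.x or 9.6.x and is older than that branch's first fixed build. The following is an added example, not Ruckus code, that turns those two tables into a check an operator can run over inventoried controller version strings. It assumes versions are reported as dotted integers in the same shape as the table (for example 9.5.2.0.15); that format is an assumption here, not something the advisory states. A version string with fewer components than the fix build is deliberately treated as older, so an ambiguous entry is reported as vulnerable rather than silently passed.

```python
"""Check whether a ZoneDirector build is covered by Ruckus advisory 111113-2.

Added illustrative example, not Ruckus code. It encodes only what the
advisory states: the affected branches and the first fixed build per
branch, with later builds on the same branch also fixed. The dotted-integer
version format (e.g. "9.5.2.0.15") is an assumption taken from the table.
"""

# First build on each affected branch that carries the fix (SOLUTION table).
# Keyed by (major, minor) branch; anything on a branch not listed here is
# outside the advisory's affected-versions table.
FIXED_BUILDS = {
    (9, 3): (9, 3, 4, 0, 21),
    (9, 4): (9, 4, 3, 0, 22),
    (9, 5): (9, 5, 2, 0, 15),
    (9, 6): (9, 6, 1, 0, 15),
}


def parse_version(text):
    """Turn '9.5.2.0.15' into (9, 5, 2, 0, 15); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected version string: %r" % (text,))
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Classify a build as 'not_affected', 'vulnerable' or 'fixed'.

    'not_affected' means the branch is absent from the advisory's table
    (e.g. 9.2.x or 9.7.x); the advisory says only the listed branches are
    affected, so nothing further is asserted about them.
    """
    version = parse_version(version_text)
    branch = version[:2]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "not_affected"
    # Tuple comparison: when a string is a strict prefix of the fix build
    # (e.g. "9.5.2" vs 9.5.2.0.15) it compares as smaller, so an
    # under-specified inventory entry is flagged as vulnerable.
    return "fixed" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map each (hostname, version) pair from an inventory to its status."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("zd-hq-01", "9.5.1.0.12"),
        ("zd-hq-02", "9.5.2.0.15"),
        ("zd-branch-01", "9.3.3.0.7"),
        ("zd-branch-02", "9.6.1.0.20"),
        ("zd-lab-01", "9.7.0.0.3"),
    ]
    for host, status in sorted(triage(sample).items()):
        print("%-14s %s" % (host, status))
```

Run it against the real inventory and treat every "vulnerable" row as a host to patch or to wrap in the firewall workaround above; "not_affected" only means the branch is outside the advisory's table, not that the build is current.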
REVISION HISTORY

Revision 1.0 / 9th Sep 2013 / Initial release

RUCKUS WIRELESS SECURITY PROCEDURES

Complete information on reporting security vulnerabilities in Ruckus Wireless products, and on obtaining assistance with security incidents, is available at http://www.ruckuswireless.com/security

To report new security issues, email can be sent to security(at)ruckuswireless.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at http://www.ruckuswireless.com/security

STATUS OF THIS NOTICE: Final

Although Ruckus cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability. Ruckus does not anticipate issuing updated versions of this advisory unless there is some material change in the facts. Should there be a significant change in the facts, Ruckus may update this advisory.

(c) Copyright 2013 by Ruckus Wireless

This advisory may be redistributed freely after the public release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJSgmKQAAoJEFH6g5RLqzh1nWcH+QGWpcm0NUybC6hPt5e3HNg/
H/U9WDl1m0SUnfJ+8G0KGoy9zUJvgLrzuxtYSj/juyqoDfS3qnZa3xFvQOIEV0v3
jV3FzGn1EdfD4vHHG73C+r+jQzu4sh3Ys7DHLODJeF+2AOH0FWnycxmU/qeAf+qx
OdC70u2kBh8rjH9NxTFrDR1fQWB2rpFwEMp3Wh2t8YrO4VLHursLU01UC8vtuJRF
5MR8mCBJu8aIr/II0BNXSHwzMb25T3BgsNCMMAAfV1ipkBMbG9UtoJ1Y7/rIDRHY
gvbFCScr42z56ZGXSvT+Dc/6enCc0CXrToe3aYAEZbTBymBvvegYho6JOFq0w4Q=
=K3PP
-----END PGP SIGNATURE-----