In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated, the attacker can access the PostgreSQL database with superuser privileges, create administrative users for the web interface, and potentially escalate privileges further.
The OVA appliance supplied with the product contains static, immutable SSH keys assigned to the postgres user account. Since these same keys are embedded in all RND installations, any attacker with network access to the device can authenticate via SSH without entering a password. After gaining access, the attacker has superuser privileges to the PostgreSQL database, allowing creation of administrative accounts in the web interface and further privilege escalation.
An unauthenticated attacker can gain full control over the PostgreSQL database with superuser privileges, create web interface administrator accounts, and escalate privileges in the system, leading to complete device takeover and potential RCE.
Update RUCKUS Network Director to version 4.5.0.56 or later. Detailed information is available in Commscope's official security bulletin. Until the patch is deployed, it is recommended to restrict network access to the device's SSH ports only to trusted administrative hosts using a firewall or ACL lists.
Commscope RUCKUS Network Director (RND) in versions earlier than 4.5.0.56, deployed as an OVA appliance.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCommscope Ruckus Network Director
APPCommscope< 4.5.0.56
Related vulnerabilities
Hardcoded credentials w Ruckus Network Director — dostęp do PostgreSQL i RCE
Command injection w RUCKUS SmartZone przez pole adresu IP
Hardcodowany klucz JWT w Commscope Ruckus Network Director — spoofing administratora
RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an A...
RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded passw...