Remote command injection via a crafted HTTP request (cmdPacketCapture)

Aleph Research Advisory

Identifier

CVE-2019-19841

Severity

Critical

Product

- ZoneDirector - Unleashed

Vulnerable Version

- ZoneDirector: 9.9 and before - ZoneDirector: 9.10.x - ZoneDirector: 9.12.x - ZoneDirector: 9.13.x - ZoneDirector: 10.0.x - ZoneDirector: 10.1.x - ZoneDirector: 10.2.x - ZoneDirector: 10.3.x - Unleashed: 200.6 and before - Unleashed: 200.7

Mitigation

- 9.10.x: Upgrade to 9.10.2.0.84 - 9.12.x: Upgrade to 9.12.3.0.136 - 9.13.x: Upgrade to 10.0.1.0.90 - 10.0.x: Upgrade to 10.0.1.0.90 - 10.1.x: Upgrade to 10.1.2.0.275 - 10.2.x: Upgrade to 10.2.1.0.147 - 10.3.x: Upgrade to 10.3.1.0.21 - 200.6 and before: Upgrade to 200.7.10.202.94 - 200.7: Upgrade to 200.7.10.202.94

Technical Details

Remote command injection via a crafted HTTP request, caused by insufficient input validation

cmdPacketCapture() function in emfd executable runs system() with insufficient input validation on mac attribute. As a result a crafted POST request with attribute xcmd=packet-capture to the web interface page /admin/_cmdstat.jsp injects OS command.

Timeline

19-Sep-19
: Reported to Ruckus Product Security Team
24-Dec-19
: Patch
17-Dec-19
: CVE-2019-19841 assigned
31-Dec-19
: Public disclosure

Credit

waveburst of Aleph Research, HCL Software