Headline
Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs
Categories: Exploits and vulnerabilities Categories: News Tags: Ruckus
Tags: CISA
Tags: AndoryuBot
Tags: CVE-2023-25717
Tags: 163.123.142.146
CISA has added a Ruckus vulnerability being abused by the AndoryuBot botnet to its catalog.
(Read more…)
The post Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs appeared first on Malwarebytes Labs.
Along with six older vulnerabilities, the Cybersecurity and Infrastructure Agency (CISA) has added a vulnerability in multiple Ruckus wireless products to the Known Exploited Vulnerabilities Catalog. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by June 2, 2023.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The Ruckus vulnerability is listed under CVE-2023-25717, which indicates that Ruckus Wireless Access Point software contains a vulnerability in its web services component. If the component is enabled on the access point, an attacker can perform cross-site request forgery (CSRF) or remote code execution (RCE). This vulnerability reportedly impacts Ruckus ZoneDirector, SmartZone, and Solo Aps with Ruckus Wireless Admin panels version 10.4 and older.
The Ruckus security bulletin about the vulnerability, issued on February 8, 2023 and edited on May 11, 2023, displays a long list of affected devices. Several of these devices have reached end-of-life (EoL) which means they may not get patched against this vulnerability. Users of supported devices can find download links and install instructions by following the links behind their specific product.
One malware operator that has been found to exploit vulnerable Ruckus devices is the relatively new botnet, AndoryuBot. Infected devices are used to propagate the botnet malware to other devices and are used in DDoS attacks. To avoid detection and to bypass firewalls, the botnet uses the SOCKS proxying protocol. SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. This protocol is often used because it allows traffic to bypass Internet filtering to access content which would otherwise be blocked, but it can also be used to circumvent blocklists and firewall rules.
Protection
To protect your devices against the AndoryuBot botnet which seems to thrive on this vulnerability, you should install the available patches and replace the legacy devices that have reached EoL.
Other measures to protect your devices from falling prey to botnets are:
- Use strong passwords and multi-factor authentication where possible.
- Do not make your admin panels accessible from the internet if you can avoid it. If you can’t completely disable remote access, use very strict access policies.
- Segregate your network so critical components are separated from vulnerable assets.
- Apply active protection software and monitor network traffic.
The Malwarebytes web protection module blocks the download of the botnet malware:
Malwarebytes blocks 163.123.142.146
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.
Related news
A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices. The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment. Andoryu was
Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring.