Brisbane IT services provider Global Secure Layer has discovered a zero day vulnerability in the SmartZone LAN controllers from networking company Ruckus.
In a tell-all blog post, the company revealed how its staff was able to discover a zero-day amplification vector affecting a number of networking controllers.
The company said its security mitigation team discovered the flaw in early June 2021, which at the time was not yet publicly identified by Ruckus. The vendor eventually posted this bulletin addressing the issue on 19 July 2021.
The flaw involved a vulnerability in the eAut module of some Ruckus’ SmartZone Controller models, including the SmartZone 100 (SZ-100), SmartZone 144 (SZ-144), SmartZone 300 (SZ300) and Virtual SmartZone - (vSZ).
“[The vulnerability] could allow an unauthenticated, remote attacker to perform a denial-of-service (DoS) attack against another network device by sending a crafted request to the vulnerable module,” Ruckus’ advisory warned.
A DNS amplification attack uses an incorrectly implemented and configured DNS server to strengthen a DoS attack by spoofing the IP address of the DNS resolver and replacing it with the victim's IP address. Global Secure Layer called it a ‘mixed’ amplification attack to account for multiple vectors used in a single attack, like DNS, NTP or MemCached.
The MSP said its mitigation systems have effectively blocked the DoS attack but made sure to categorise the vector correctly and placed stricter rules to fully block them and be visible to customer reports and live portals.
“As part of trying to categorise the vector we began looking for any service that ran on port 9001, but nothing in RFCs or unofficial assignments really lined up with the response we captured or our ethical scanning of the IPs that sent the attack traffic,” the blog post read.
“We decided to connect to the port and a few other ports on the IPs in question, upon connecting via SSH we were greeted by a big banner that said 'SmartZone 100' which lined up with Ruckus network controllers. This sequence of events held true for almost every IP we checked.”
The team found at the time that no one else had made the discovery, until a team member found a hidden post on a Ruckus online forum reporting the issue to the vendor. A Ruckus engineer replied to the post with "we use port 9001 for ElasticSearch DB update and also sync with member node in the vSZ/SZ Cluster,” which confirmed the discovery.
Global Secure Layer then pored through the attack traffic, most of which were payloads, to find some commonalities to block. The team found the destination port was always the same, which was common in amplification vectors.
“Our team painstakingly reviewed everything that was detected in the 24 hours that passed - ensuring the rule wasn't too broad and catching legitimate traffic,” the blog post read. “Luckily the rule we had written wasn't too broad, so we decided to activate it globally to be triggered when needed.”
After identifying the vector, Global Secure Layer wanted to test what the payload would be to trigger an attack and figure out a ough amplification factor/ratio.
“We checked our honey pots for any recent uptick in odd payloads sent to port 9001, but there wasn't anything that particularly stood out. Our security team tried a few things but eventually settled on a small malformed payload that triggers an error response,” they said.
A less than 30 byte request was sent as a test, and the response ballooned to between 5000 to 8000 bytes.
“This Ruckus vector, although the initial payload was quite small, the end result was quite a large amplification attack,” the blog post read.
“It highlighted the continued increase in the sophistication of DDoS attacks and more often than not the attack vectors that cause the most damage to the receiver are often small and understated on their own but can infiltrate a network and cause severe operational or financial implications.”