CVE-2019-19843

Vulnerability

An incorrect access control vulnerability exists in the web interface of Ruckus Wireless Unleashed firmware versions through 200.7.10.102.64. The issue involves a symlink attack between web/user/wps_tool_cache and /tmp, enabling an unauthenticated HTTP request to retrieve credentials. All tested Ruckus access point models (including C110, E510, H320, H510, M510, R310, R500, R510, R600, R610, R710, R720, T300, T301n, T310d, T610, T710, T710s) running affected firmware are vulnerable [1].

Exploitation

An attacker with network access to the vulnerable device can send an unauthenticated HTTP request that leverages a symlink between /tmp and the web/user/wps_tool_cache endpoint. The attack requires no prior authentication and no user interaction; the request directly fetches cached credential data [1][3].

Impact

Successful exploitation leads to disclosure of cached credentials from the device. This information leak can be used as a stepping stone for further attacks, including authentication bypass and remote code execution as demonstrated in the referenced research [1][3]. The attacker gains sensitive credentials without authentication, compromising confidentiality.

Mitigation

Ruckus has not provided a patched firmware version in the available references. Users should restrict network access to the web interface and monitor for firmware updates from Ruckus. The vendor's security advisory page does not currently list a fix [2]. Devices exposed to the internet via Shodan have been identified, increasing risk [1].