CVE-2019-19836

9.8 CRITICAL

📋 TL;DR

CVE-2019-19836 is a critical remote code execution vulnerability in Ruckus Wireless Unleashed access points. It allows unauthenticated attackers to execute arbitrary commands via a crafted POST request to the tools/_rcmdstat.jsp endpoint. All organizations using affected Ruckus Wireless Unleashed firmware versions are vulnerable.

💻 Affected Systems

Products:
  • Ruckus Wireless Unleashed
Versions: Through 200.7.10.102.64
Operating Systems: Ruckus proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerable endpoint is accessible via the web management interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the wireless infrastructure, lateral movement to internal networks, persistent backdoor installation, and data exfiltration.

🟠 Likely Case: Unauthenticated remote code execution leading to network disruption, credential theft, and deployment of malware on the access point.

🟢 If Mitigated: Limited impact if network segmentation isolates wireless infrastructure and strict firewall rules block external access to management interfaces.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication via HTTP POST requests.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated attackers to compromise wireless infrastructure.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code and detailed analysis available. The vulnerability is trivial to exploit with a simple HTTP POST request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 200.7.10.102.92 and later

Vendor Advisory: https://www.ruckuswireless.com/security/299/view/txt

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Ruckus support portal.
2. Back up the current configuration.
3. Upload and install the new firmware via the web interface or CLI.
4. Reboot the access point.
5. Verify that the firmware version is 200.7.10.102.92 or later.

🔧 Temporary Workarounds

Block access to vulnerable endpoint

Use firewall rules or a web application firewall to block access to /tools/_rcmdstat.jsp:

iptables -A INPUT -p tcp --dport 80 -m string --string "/tools/_rcmdstat.jsp" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/tools/_rcmdstat.jsp" --algo bm -j DROP

Note that the string match only sees plaintext HTTP: on port 443 the request path is inside the TLS payload, so the second rule will not match. For HTTPS management traffic, restrict who can reach the management interface by source address (or terminate TLS at a WAF that can inspect the path) instead of relying on payload matching.

🧯 If You Can't Patch

  • Isolate Ruckus management interfaces from untrusted networks using firewall rules
  • Implement network segmentation to limit lateral movement if access points are compromised

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface (Administer > System > About) or the CLI command 'show version'. If the version is 200.7.10.102.64 or earlier, the system is vulnerable.

Check Version:

show version (CLI) or check web interface at Administer > System > About

Verify Fix Applied:

Verify that the firmware version is 200.7.10.102.92 or later. Test by attempting to access https://<ruckus-ip>/tools/_rcmdstat.jsp; the endpoint should return 404 or access denied.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /tools/_rcmdstat.jsp
  • Unusual process execution on access point
  • Configuration changes not initiated by administrators

Network Indicators:

  • POST requests to /tools/_rcmdstat.jsp with filename parameters
  • Unusual outbound connections from access points

SIEM Query:

source="ruckus-ap" AND (url="/tools/_rcmdstat.jsp" OR (method="POST" AND url CONTAINS "_rcmdstat"))
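The log indicators above, as a standalone filter for sites without a SIEM. This is an added example, not code from the original page or from Ruckus: it assumes access logs in common log format, normalizes percent-encoded paths so encoded spellings of the endpoint are not missed, and rates successful POSTs higher than other hits. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in common log format (not from a real device).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2019:10:01:02 +0000] "GET /admin/login.jsp HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2019:10:01:07 +0000] "POST /tools/_rcmdstat.jsp HTTP/1.1" 200 73
10.0.0.9 - - [12/Dec/2019:10:01:09 +0000] "POST /tools/%5Frcmdstat.jsp?x=1 HTTP/1.1" 200 73
10.0.0.7 - - [12/Dec/2019:10:02:00 +0000] "GET /tools/_rcmdstat.jsp HTTP/1.1" 404 0
10.0.0.5 - - [12/Dec/2019:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9021
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/tools/_rcmdstat.jsp"  # endpoint named in the advisory


def normalize_path(target):
    """Drop the query string and percent-decode (twice, for double encoding)
    so that encoded spellings of the path compare equal to VULN_PATH."""
    path = urlsplit(target).path
    return unquote(unquote(path)).lower()


def find_rcmdstat_requests(log_text):
    """Return (src, method, status, severity) for every request to the endpoint.
    A POST answered with 2xx is the pattern the advisory describes, so it is
    rated 'likely-exploit'; any other hit (GET, or a 404 from a patched device)
    is reported as 'probe' so scanning activity is still visible."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or normalize_path(m["target"]) != VULN_PATH:
            continue
        status = int(m["status"])
        success = 200 <= status < 300
        severity = "likely-exploit" if m["method"] == "POST" and success else "probe"
        findings.append((m["src"], m["method"], status, severity))
    return findings


if __name__ == "__main__":
    for finding in find_rcmdstat_requests(SAMPLE_LOG):
        print(finding)
```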
