CVE-2024-50606: Ruckus Networks / CommScope FastIron OS FIPS/CC Trust Chain Bypass Vulnerability
Summary: A critical vulnerability in the CommScope Ruckus FastIron OS affects the integrity verification and trust chain mechanisms used in the entire ICX switch product line. The flaw allows attackers to bypass firmware validation, enabling persistent compromise even in devices operating in FIPS/Common Criteria mode.
Vendor: Ruckus Networks / CommScope.
Technical details: The vulnerability originates from fundamental design flaws in the integrity verification and trust mechanisms implemented within FastIron OS. Specifically, the verification procedures performed by FastIron occur in user-space after the system has already booted, making them vulnerable to Time of Check, Time of Use (TOCTOU) race conditions. An attacker capable of code execution on the device can exploit this flaw to alter firmware binaries or configuration files post-verification, thereby maintaining persistent unauthorized access and compromising device integrity assurances provided under FIPS/CC certifications.
CVE-2024-50605: Ruckus Networks / CommScope FastIron OS Arbitrary File Write Vulnerability
Summary: An arbitrary file write vulnerability exists in CommScope Ruckus FastIron OS, affecting ICX switches. The issue allows an authenticated attacker to write files to predictable or known locations, enabling persistent device compromise.
Vendor: Ruckus Networks / CommScope.
Technical details: This vulnerability stems from inadequate file management practices in FastIron OS. Upon failing validation of trusted certificates, the OS neglects to properly clean up files that were fetched or written during verification. An attacker can exploit this behavior by intentionally triggering failed validations, resulting in arbitrary files being written to predictable or controllable locations. This enables subsequent exploitation, including command execution or establishing persistent unauthorized access.
CVE-2024-50604: Ruckus Networks / CommScope FastIron OS Firmware Package Integrity Check Vulnerability
Summary: A vulnerability in firmware integrity verification exists in the CommScope Ruckus FastIron operating system. This issue allows bypassing verification checks, facilitating firmware manipulation and persistent compromise, especially in the context of supply chain attacks.
Vendor: Ruckus Networks / CommScope.
Technical details: FastIron OS uses a user-land executable, checksum_vrfy, to validate firmware image packages. Due to design and implementation flaws, this verification suffers from Time of Check, Time of Use (TOCTOU) vulnerabilities. Attackers can exploit the delay between validation and use of firmware components to inject malicious code, bypassing the intended integrity checks. In addition, firmware images can be readily manipulated to contain malicious components that will be ignored by the verification process.
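The user-space verify-then-use gap described in CVE-2024-50606 and CVE-2024-50604 above, as an added illustration that is neither FastIron code nor Subreption's: a toy CRC-32 stands in for the real package check, verify_by_path is the pattern that reports OK and lets the consumer reopen the path later, and verify_and_load verifies the very bytes it hands back. demo_race rewrites the file after the check to show which consumer ends up holding unverified data; all function names and the file path are assumptions made for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy CRC-32 standing in for the real package checksum/signature. */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}
/* Read a whole file (demo cap 64 KiB) into a heap buffer; caller frees. */
uint8_t *slurp(const char *path, size_t *n) {
    FILE *f = fopen(path, "rb");
    uint8_t *b = f ? malloc(1 << 16) : NULL;
    *n = b ? fread(b, 1, 1 << 16, f) : 0;
    if (f) fclose(f);
    return b;
}
int write_file(const char *path, const char *data) {
    FILE *f = fopen(path, "wb");
    return f && fputs(data, f) >= 0 ? fclose(f) : -1;
}
/* Flawed pattern: verify by path and report OK; the consumer reopens the path later (TOCTOU). */
int verify_by_path(const char *path, uint32_t expected) {
    size_t n; uint8_t *b = slurp(path, &n);
    int ok = b && crc32_buf(b, n) == expected;
    free(b); return ok;
}
/* Safer pattern: read once, verify the in-memory bytes, hand back that same buffer. */
uint8_t *verify_and_load(const char *path, uint32_t expected, size_t *n) {
    uint8_t *b = slurp(path, n);
    if (b && crc32_buf(b, *n) == expected) return b;
    free(b); return NULL;
}
/* Scenario: the file changes on disk after the check (simulated by a plain rewrite).
 * Bitmask: 1 = path check passed, 2 = reopening yields unverified bytes, 4 = held buffer intact. */
int demo_race(const char *path) {
    const char *good = "good-image";
    uint32_t expected = crc32_buf((const uint8_t *)good, strlen(good));
    if (write_file(path, good) != 0) return -1;
    int r = verify_by_path(path, expected);
    size_t n, m; uint8_t *held = verify_and_load(path, expected, &n);
    write_file(path, "other-bytes");               /* post-check modification */
    uint8_t *again = slurp(path, &m);
    if (again && crc32_buf(again, m) != expected) r |= 2;
    if (held && n == strlen(good) && memcmp(held, good, n) == 0) r |= 4;
    free(again); free(held); return r;
}
```

A consumer that reopens the path sees the rewritten file (bit 2), while the consumer that uses the verified buffer does not (bit 4); moving the check before boot, as secure boot does, removes the window entirely rather than narrowing it.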
CVE-2024-50607: Ruckus Networks / CommScope FastIron OS CLI Path Traversal Vulnerability
Summary: A path traversal vulnerability exists in the CommScope Ruckus FastIron operating system affecting the entire ICX switch product line. The vulnerability allows an authenticated attacker to manipulate file operations, potentially resulting in arbitrary file overwrite and leading to further exploitation and persistence.
Vendor: Ruckus Networks / CommScope.
Technical details: The vulnerability resides in the handling of parameters passed to the copy command within FastIron OS. Insufficient validation allows specially crafted parameters containing directory traversal sequences (../) to escape intended file operation boundaries. Exploiting this issue enables an attacker to overwrite sensitive files or binaries, potentially gaining arbitrary command execution or persistent compromise.
CVE-2010-3790: Apple QuickTime Pict File Matrix Parsing Remote Code Execution Vulnerability
Summary: Apple QuickTime before Mac OS X v10.6.8 and Security Update 2011-004 does not properly handle Matrix structures in PICT files with out-of-bounds index values. The resulting write to an out-of-bounds memory address can be used to execute arbitrary code in the context of the application loading the image, without user interaction.
Technical details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
Disclosure Policy
Subreption adheres to a so-called responsible disclosure policy with cooperative and responsive vendors. Exceptions include sanctioned entities, vendors known to be openly or covertly hostile towards researchers, as well as those engaged in PR practices involving deceptive marketing and other questionable behavior.