CVE-2021-33216
Published 2021-07-07

CVE-2021-33216: An issue was discovered in CommScope Ruckus IoT Controller 1.7.1.0 and earlier. An Undocumented Backdoor exists, allowing shell access via a developer account.
Priority: P2 · 71 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 13.77% (96.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| commscope | ruckus_iot_controller | <= 1.7.1.0 | — |
Detection & IOCs (extracted from sources)
- Hardcoded authorized_keys entry: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0TgoqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Pxweklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9VapxW572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZHX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hxUdy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q== [email protected]
- Detect SSH authentication attempts using the backdoor account 'vriotiotupgrade' in the SSH or auth logs on Ruckus IoT Controller appliances.
- Alert on the presence of the hardcoded RSA public key (key comment: [email protected]) in any authorized_keys file on the system.
- Monitor for SCP connections (TCP/22) to Ruckus IoT Controller appliances from unexpected external sources; the backdoor account is restricted to SCP by its rssh configuration.
- Check for the 'vriotha' local account with password authentication enabled in sshd_config, which may indicate a secondary backdoor account.
- The installed rssh version 2.3.4 is vulnerable to CVE-2019-3463, CVE-2019-3464 and CVE-2019-1000018 (remote command injection); also detect rssh exploitation attempts against the vriotiotupgrade account, since that chain turns SCP-only access into command execution.
Notes
- The backdoor account 'vriotiotupgrade' has PasswordAuthentication disabled; access requires the SSH private key matching the hardcoded RSA public key.
- The rssh configuration only permits 'allowscp', so the backdoor is scoped to SCP file transfer rather than an interactive shell, unless it is chained with one of the rssh command-injection CVEs above.
- The identical hardcoded authorized_keys file is present at two separate paths within the OVA/VMDK, both granting the same backdoor access.
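The three host-side checks above, as an added offline example that is not code from CommScope/Ruckus or from this page's sources: it runs over a constructed authorized_keys file, sshd_config and auth log. Only the key type and base64 body of each authorized_keys entry are compared against the key quoted above, because the comment field is free text and is not reliably reproduced here. Assumptions: sshd logs in the standard OpenSSH syslog format, and the 'Match User' parsing is a simplification that evaluates only per-user Match blocks, not the global PasswordAuthentication setting.

```python
"""Offline triage for CVE-2021-33216 indicators on an exported authorized_keys
file, sshd_config and auth log from a Ruckus IoT Controller.
Added example, not vendor code; all sample inputs below are constructed."""
import re

# Key material as quoted in the advisory above ("type base64" only; the
# authorized_keys comment field is deliberately not compared).
BACKDOOR_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0Tg"
    "oqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/"
    "ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Px"
    "weklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9Vapx"
    "W572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZ"
    "HX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hx"
    "Udy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q=="
)
BACKDOOR_ACCOUNTS = ("vriotiotupgrade", "vriotha")

# Standard OpenSSH auth event (assumption: the appliance logs sshd this way).
AUTH_EVENT = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def key_material(line):
    """Return 'type base64' from an authorized_keys line, skipping leading options
    such as no-pty, or None for blank and comment lines. Simplification: options
    containing quoted spaces (command="a b") are not handled."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#"):
        return None
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            return tok + " " + parts[i + 1]
    return None


def find_backdoor_keys(authorized_keys_text):
    """1-based line numbers whose key material equals the hardcoded key."""
    return [n for n, line in enumerate(authorized_keys_text.splitlines(), 1)
            if key_material(line) == BACKDOOR_KEY]


def find_backdoor_logins(auth_log_text):
    """(outcome, method, user, source) for sshd events on the backdoor accounts."""
    hits = []
    for line in auth_log_text.splitlines():
        m = AUTH_EVENT.search(line)
        if m and m.group(3) in BACKDOOR_ACCOUNTS:
            hits.append(m.groups())
    return hits


def password_auth_enabled_for(sshd_config_text, user):
    """True if a 'Match User ...' block naming `user` sets PasswordAuthentication yes."""
    in_block = False
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        words = line.split()
        if words[0].lower() == "match":
            crit = words[1:]                  # criteria come in (type, value) pairs
            in_block = any(crit[i].lower() == "user" and user in crit[i + 1].split(",")
                           for i in range(0, len(crit) - 1, 2))
            continue
        if in_block and len(words) == 2 and words[0].lower() == "passwordauthentication":
            if words[1].lower() == "yes":
                return True
    return False


def run_checks(authorized_keys_text, auth_log_text, sshd_config_text):
    """Aggregate the three indicator checks into one report."""
    return {
        "backdoor_key_lines": find_backdoor_keys(authorized_keys_text),
        "backdoor_logins": find_backdoor_logins(auth_log_text),
        "vriotha_password_auth": password_auth_enabled_for(sshd_config_text, "vriotha"),
    }


# Constructed sample inputs (not captured from a real appliance).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample",
    BACKDOOR_KEY + " comment-is-ignored",
    "no-pty " + BACKDOOR_KEY + " second-copy",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey000000000000 ops@example",
])
SAMPLE_AUTH_LOG = "\n".join([
    "Jul  7 10:01:02 iotc sshd[1234]: Accepted publickey for vriotiotupgrade from 203.0.113.5 port 51234 ssh2: RSA SHA256:placeholder",
    "Jul  7 10:02:10 iotc sshd[1240]: Accepted publickey for admin from 10.0.0.2 port 51235 ssh2: RSA SHA256:placeholder",
    "Jul  7 10:03:44 iotc sshd[1250]: Failed password for vriotha from 203.0.113.9 port 40000 ssh2",
])
SAMPLE_SSHD_CONFIG = "\n".join([
    "PasswordAuthentication no",
    "Match User vriotiotupgrade",
    "    PasswordAuthentication no",
    "Match User vriotha",
    "    PasswordAuthentication yes   # secondary account",
    "Match Address 10.0.0.0/8",
    "    PermitRootLogin no",
])

if __name__ == "__main__":
    for name, result in run_checks(SAMPLE_AUTHORIZED_KEYS, SAMPLE_AUTH_LOG, SAMPLE_SSHD_CONFIG).items():
        print(f"{name}: {result}")
```

On a real image, point the three functions at both authorized_keys paths mentioned above, the live sshd_config, and the full auth log; matching on key material rather than the comment means a renamed or option-prefixed copy of the key is still caught.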
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.