So I think there are 2 'bad guys' in this story.
Bad guys #1: Security Researchers (obviously).
In this case, it looks like Moshe made a couple of attempts to use a broken Hacker One web form, then convinced CERT/CC to do a hit-piece.
I know for a fact that these CVEs could have been escalated through support or sales, since I have successfully done so.
These security 'research' companies have an incentive to make the biggest splash possible, and there is absolutely no downside to making spurious claims.
If you read most PR from security research companies, their technical analyses are full of exaggerations and hyperbole. So it's unsurprising they were out to do the worst possible hatchet job with the non-techy stuff too. But shame on CERT/CC for being so credulous.
And then BleepingComputer publish an article THE NEXT DAY (which, like every other security news site, just repackaged the PR) headed "Ruckus Networks leaves severe flaws unpatched", claiming "BleepingComputer attempted to contact Ruckus via multiple communication channels, but we were unable to reach out".
I mean, the relevant Ruckus people probably found out about this issue after Bleeping Computer had already published. Even if time zones weren't a thing, expecting your initial contact with someone at Ruckus to result in an instant official response to this security ambush was unfair.
Tom Lawrence's video was sensationalist too, and not particularly accurate. There's super bad stuff to be exploited, but not most of the stuff he complains about. At least he's honest about "translating ...xxx.. into engaging content", rather than claiming to carefully research his topic.
Bad guys #2: Ruckus (obviously).
- Their software development process obviously lacks competent security gates. Maybe there are no security checks/KPIs at all?
- They make it difficult to report security issues.
- Once you do report a security issue, then you aren't allowed any direct contact with Ruckus, and you often get no credit at all. And they expect you to put up with this for $0, because that's their bug bounty.
- Ruckus silently roll out critical security fixes, but then they don't encourage you to upgrade regularly!
I understand (1): I know a couple of developers working on enterprise network equipment. The pay is low and the work is mostly drudgery, so the staff are either very junior or not particularly interested in keeping up-to-date with modern software practice. Every Ruckus security issue I've mentioned to them, they were "oh yeah, we'd have that issue too". Doesn't make it right though. This has been going on for so many years that I assume enterprise networking companies just figure occasional bad press is cheaper than hiring good quality software developers.
Every piece of enterprise network equipment I personally own is riddled with software vulnerabilities. A big part of the reason Ruckus are a popular target is that they give their software away freely: anyone can download firmware and pull it apart. And they support their hardware for a long time, so hackers can target even non-VM platforms for almost-free by visiting eBay.
The Ruckus firmware/software modus operandi is to build something once, then just piecemeal upgrade components when absolutely necessary. So it's common to find 10+ year old code hanging around in the latest product versions. Not great for security.
If you're going to be lazy like this then you MUST have a continuous process to scan for newly identified classes of vulnerability. Note I say classes. Ruckus are a little better now, but in the past I've seen them fix a reported security issue but leave an adjacent instance of the same issue on the same webpage unfixed. But still, when something is fixed in Unleashed today, nobody is visiting SmartZone and fixing the equivalent problem.
I complained on Reddit about the (broken) Ruckus security form actually going directly to Hacker One, bypassing Ruckus. An employee said "we're listening", but the embedded Hacker One form was still broken for me when I looked a couple of days ago.
I don't know if it's broken because Firefox, or because Firefox/Android, or because ad-blocking. But I also don't care: I just don't bother reporting vulnerabilities unless they're terrible.
It's annoying that e.g. their Ruckus One trial form requires you to disable ad-blocking otherwise it disappears. But it's unforgivable that their security reporting form is (i) 100% outsourced, and (ii) non-functional. Give me a security contact email!!!! Let the team behind this email submit the Hacker One form, keep me informed, and monitor progress to ensure they don't lose a huge issue between the cracks. Are you really getting so many security vulnerabilities reported that this is too much work????