Severity
High
Analysis Summary
Researchers have found several vulnerabilities in Ruijie Networks' cloud management platform that could allow an attacker to take over network appliances. The flaws affect Reyee OS network devices and the Reyee cloud platform. If exploited, an attacker could execute code on any cloud-connected device and thereby take control of tens of thousands of devices.
Besides identifying ten vulnerabilities, the operational technology (OT) security firm that conducted the research on the Internet of Things (IoT) vendor also developed an attack named "Open Sesame" that can be used to compromise an access point and obtain unauthorized network access remotely. Three of the ten vulnerabilities carry a critical severity rating:
- CVE-2024-47547 (CVSS score: 9.4): The authentication process is exposed to brute force attacks due to the use of a weak password recovery mechanism.
- CVE-2024-48874 (CVSS score: 9.8): Ruijie's internal services and cloud infrastructure could be accessed using AWS cloud metadata services due to a server-side request forgery (SSRF) vulnerability.
- CVE-2024-52324 (CVSS score: 9.8): Use of an inherently risky feature that could allow a threat actor to send a malicious MQTT message, causing devices to execute arbitrary operating system commands.
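CVE-2024-48874 above is a server-side request forgery that reached the AWS cloud metadata service. The generic defence on the server side is to validate every attacker-influenced outbound URL against the address it will actually connect to, not just against the hostname string. The following Python is an added example written for this advisory, not code from Ruijie or the researchers; the network deny-list, the `validate_outbound_url` function and the injectable `resolver` parameter are this example's own assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed deny-list of ranges an outbound fetch must never reach: loopback,
# link-local (which contains the 169.254.169.254 cloud metadata endpoint),
# RFC 1918 and carrier-grade NAT space, and the IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip_text):
    """True if the address falls in any deny-listed range.
    IPv4-mapped IPv6 literals (::ffff:169.254.169.254) are unwrapped first so
    they cannot be used to slip past the IPv4 ranges."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host):
    """Resolve a hostname to every A/AAAA record it has. A public-looking name
    can point at a private address, so every record must be checked."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a URL the application is about to fetch.
    `resolver` is injectable so the check can be tested offline."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        # A literal IP (including bracketed IPv6) is checked directly.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Otherwise resolve the name; odd spellings such as decimal or hex
        # IPv4 forms end up here too and are judged by what they resolve to.
        addresses = resolver(host)
        if not addresses:
            return False, "unresolvable host"
    for addr in addresses:
        if is_blocked_ip(addr):
            return False, "resolves to blocked address %s" % addr
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://example.com/api",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:169.254.169.254]/"):
        print(candidate, validate_outbound_url(candidate))
```

Two caveats for real deployments: the check above resolves the name at validation time, so a DNS answer that changes before the connection is made (DNS rebinding) can still slip through unless the HTTP client pins the validated address, and redirects must be re-validated hop by hop. Where the platform runs on AWS, enforcing IMDSv2 (session tokens with a hop limit) on the instances closes the metadata path independently of application-level filtering.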
According to the researchers, MQTT authentication can also be broken simply by knowing a device's serial number (CVE-2024-45722, CVSS score: 7.5). This can then be used to access Ruijie's MQTT broker and retrieve a complete list of the serial numbers of all cloud-connected devices. Using the disclosed serial numbers, the researchers could generate valid authentication credentials for every device linked to the cloud. That allowed a variety of denial-of-service operations, such as disconnecting devices by authenticating on their behalf, and even sending fabricated events and messages to the cloud, which would present the users of those devices with inaccurate data.
The device's serial number can also be used to gain access to all MQTT message queues and send malicious commands that would be executed on every cloud-connected device (CVE-2024-52324). Furthermore, an attacker physically close to a Wi-Fi network built on Ruijie access points could obtain a device's serial number by intercepting the raw Wi-Fi beacons, and then achieve remote code execution through the other flaws in the MQTT communication. The Open Sesame attack is tracked as CVE-2024-47146 (CVSS score: 7.5).
Following responsible disclosure, the Chinese company has fixed all of the identified cloud-side flaws, so users don't need to do anything. The flaws are estimated to have affected roughly 50,000 cloud-connected devices. This is yet another illustration of how flaws in so-called IoT devices, such as wireless access points, routers and other connected equipment, enable far more sophisticated network attacks despite having a relatively low barrier to entry.
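The two MQTT findings above share a design root cause: a credential that can be derived from a serial number, and a broker that lets one authenticated client reach every device's queue. The Python below is an added example illustrating the broker-side pattern that avoids both; it is not Ruijie's code and it does not model Ruijie's actual broker. It goes beyond the advisory by sketching a general per-device provisioning and topic-authorization scheme; `DeviceRegistry`, the `devices/<id>/telemetry` and `devices/<id>/cmd` topic layout and the `topic_allowed` function are all this example's assumptions.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Broker-side credential store. Each device receives an independent
    random secret at provisioning time, so nothing knowable about a device
    from the outside (its serial number included) yields its credential."""

    def __init__(self):
        # device_id -> SHA-256 of the secret. The secret itself is never stored;
        # with a 256-bit random token no salt is needed to resist guessing.
        self._digests = {}

    def provision(self, device_id):
        """Generate and register a fresh secret; return it once to the device."""
        token = secrets.token_urlsafe(32)
        self._digests[device_id] = hashlib.sha256(token.encode()).digest()
        return token

    def authenticate(self, device_id, token):
        """Constant-time comparison against the stored digest."""
        stored = self._digests.get(device_id)
        if stored is None:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        return hmac.compare_digest(stored, presented)


def topic_allowed(device_id, topic, action):
    """Per-device topic ACL. A device may publish only to its own telemetry
    prefix and subscribe only to its own command prefix; wildcards and other
    devices' prefixes are refused, so a single leaked credential cannot read
    or inject into every queue on the broker."""
    parts = topic.split("/")
    if any(p in ("#", "+") for p in parts):
        return False
    if len(parts) < 3 or parts[0] != "devices" or parts[1] != device_id:
        return False
    if action == "publish":
        return parts[2] == "telemetry"
    if action == "subscribe":
        return parts[2] == "cmd"
    return False


def handle_request(registry, device_id, token, topic, action):
    """Broker decision for one request: authenticate, then authorize the topic."""
    if not registry.authenticate(device_id, token):
        return "reject: bad credentials"
    if not topic_allowed(device_id, topic, action):
        return "reject: topic not permitted for %s" % device_id
    return "allow"


if __name__ == "__main__":
    # Constructed sample: two access points provisioned on a fresh registry.
    reg = DeviceRegistry()
    tok_a = reg.provision("AP-0001")
    reg.provision("AP-0002")
    print(handle_request(reg, "AP-0001", tok_a, "devices/AP-0001/telemetry", "publish"))
    print(handle_request(reg, "AP-0001", tok_a, "devices/AP-0002/cmd", "subscribe"))
    print(handle_request(reg, "AP-0001", tok_a, "devices/+/cmd", "subscribe"))
```

The same split is what production brokers expose natively: Mosquitto, for instance, supports per-username topic patterns in its ACL file, and EMQX and HiveMQ have equivalent authorization plugins. The point to verify in any IoT fleet is that a client authenticated as one device cannot subscribe to a wildcard or to another device's command topic.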
Impact
- Unauthorized Access
- Code Execution
- Denial of Service
- Security Bypass
Indicators of Compromise
CVE
- CVE-2024-47547
- CVE-2024-48874
- CVE-2024-52324
Affected Vendors
- Ruijie Networks
Affected Products
- Ruijie Reyee OS - 2.206.x
Remediation
- Upgrade to the latest version of Reyee OS, available from the Ruijie website.
- Regularly update firmware and software on all network devices, especially those identified as vulnerable, so that known vulnerabilities are patched.
- Enable antivirus and anti-malware software and keep signature definitions up to date; multi-layered protection is necessary to secure vulnerable assets.
- Immediately change default passwords on IoT devices to unique ones.
- Implement firewalls and intrusion detection and prevention systems (IDS/IPS) to monitor and control traffic to and from IoT devices, filter malicious traffic, and detect anomalous network activity.
- Employ tools and alerts that identify unusual behavior or traffic patterns that might indicate a DDoS attack or a compromised device.
- Disable any unnecessary services or features on IoT devices to reduce their attack surface.
- Follow security best practices, such as disabling remote management if not needed and enabling the security features provided by the device manufacturer.
- Educate users and administrators about the importance of timely updates and secure configurations.