Full Report
Cybersecurity researchers have discovered several security flaws in the cloud management platform developed by Ruijie Networks that could permit an attacker to take control of the network appliances. "These vulnerabilities affect both the Reyee platform, as well as Reyee OS network devices," Claroty researchers Noam Moshe and Tomer Goldschmidt said in a recent analysis. "The vulnerabilities, if
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Ruijie Networks Reyee Cloud Management Platform and OS Devices
## CVE Details
- CVE ID: CVE-2024-47547, CVE-2024-48874, CVE-2024-52324, CVE-2024-45722, CVE-2024-47146 (Open Sesame attack)
- CVSS Score: 9.4 (Critical), 9.8 (Critical), 9.8 (Critical), 7.5 (High), 7.5 (High)
- CWE: Use of Weak Password Recovery (CWE-638), Server-Side Request Forgery (CWE-918), Use of Inherently Dangerous Function (CWE-825) (Implied/Observed)
## Affected Systems
- Products: Ruijie Networks Reyee platform and Reyee OS network devices (including Wi-Fi Access Points).
- Versions: All cloud-enabled devices were potentially affected by the identified shortcomings prior to the vendor's fix. Total impacted devices estimated around 50,000.
- Configurations: Devices connected to the Ruijie cloud infrastructure. Exploitation of CVE-2024-47146 requires physical adjacency to a Wi-Fi network using the affected access points.
## Vulnerability Description
Researchers identified 10 vulnerabilities affecting Ruijie's cloud platform, allowing attackers to execute arbitrary code on cloud-enabled devices.
Key findings include:
1. **RCE via MQTT (CVE-2024-52324):** Use of an inherently dangerous function allows an attacker to send a malicious MQTT message, leading to the execution of arbitrary operating system commands on vulnerable devices.
2. **SSRF in Cloud Infrastructure (CVE-2024-48874):** Allows attackers to interact with internal services used by Ruijie, including AWS cloud metadata services.
3. **Weak Password Recovery (CVE-2024-47547):** A weak mechanism is susceptible to brute force attacks, compromising authentication.
4. **Serial Number Leakage and Exploitation (CVE-2024-45722 & CVE-2024-52324 Chain):** Attackers can break MQTT authentication simply by knowing a device’s serial number. This allows them to receive a full list of all connected device serial numbers, generate valid credentials for all devices, execute DoS attacks, and send malicious commands via MQTT causing device-wide execution (tied back to CVE-2024-52324).
The **"Open Sesame" attack (CVE-2024-47146)** chains these MQTT vulnerabilities. An adjacent attacker can extract a device serial number by sniffing Wi-Fi beacons, then use this information to exploit MQTT flaws to achieve RCE over the cloud connection.
## Exploitation
- Status: PoC available (Researchers devised and demonstrated the "Open Sesame" attack chain).
- Complexity: Exploitation varies; some steps (like credential generation via serial number) appear low complexity, while RCE requires chaining multiple flaws.
- Attack Vector: Network (for SSRF and MQTT attacks); Adjacent (for initial serial number extraction in Open Sesame to facilitate cloud RCE).
## Impact
- Confidentiality: High (Unauthorized access to internal cloud infrastructure; potential for data exfiltration via command execution).
- Integrity: Critical (Ability to execute arbitrary OS commands; sending fabricated messages and false data to users).
- Availability: High (Ability to disconnect devices via authenticated DoS attacks).
## Remediation
### Patches
- Following responsible disclosure, all identified shortcomings **have been fixed by the vendor in the cloud.** No user-side update action is explicitly stated, which suggests remediation was performed server-side by Ruijie; verification with the vendor is still essential.
### Workarounds
- No specific workarounds were detailed in the source material, since the vendor confirmed the fixes were deployed in the cloud infrastructure.
## Detection
- Indicators of Compromise: Unexpected MQTT messages or command execution logs on Reyee devices, configuration changes initiated from cloud services without administrator authorization.
- Detection methods and tools: Monitoring MQTT traffic for unusually formatted or unauthorized commands directed toward devices, and scrutinizing cloud management platform connection logs for anomalous authentication or credential-retrieval activity.
## References
- Vendor Advisories: CISA ICS Advisory ICSA-24-338-01
- Relevant links (defanged):
- claroty.com/team82/research/the-insecure-iot-cloud-strikes-again-rce-on-ruijie-cloud-connected-devices
- thehackernews.uk/icsa-24-338-01