CVE-2019-16639
📋 TL;DR
This vulnerability allows attackers with web interface access to execute arbitrary TELNET commands and view admin passwords on Ruijie EG-2000 series gateways. It affects EG-2000SE devices running EG_RGOS 11.9 B11P1 firmware. The issue stems from an unprotected API endpoint that bypasses normal access controls.
💻 Affected Systems
- Ruijie EG-2000SE
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the gateway device, allowing attackers to reconfigure network settings, intercept traffic, pivot to internal networks, and maintain persistent access.
Likely Case
Attackers gain administrative access to the gateway, allowing them to view credentials, modify configurations, and potentially disrupt network services.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized web interface access.
🎯 Exploit Status
Exploitation requires web interface access but no authentication to the vulnerable API endpoint. Attackers can use simple HTTP requests with command injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check with Ruijie for updated firmware
Vendor Advisory: Not publicly available
Restart Required: Yes
Instructions:
1. Contact Ruijie support for patched firmware. 2. Backup current configuration. 3. Upload and install updated firmware. 4. Reboot device. 5. Restore configuration if needed.
🔧 Temporary Workarounds
Block newcli.php access
linuxUse firewall rules or web server configuration to block access to the vulnerable API endpoint
iptables -A INPUT -p tcp --dport 80 -m string --string "newcli.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "newcli.php" --algo bm -j DROP
Disable web interface if not needed
allTurn off the web management interface if console/CLI access is sufficient
configure terminal
no ip http server
no ip http secure-server
end
write memory
🧯 If You Can't Patch
- Implement strict network access controls to limit web interface access to trusted IPs only
- Monitor for suspicious HTTP requests to newcli.php endpoint and investigate any access attempts
🔍 How to Verify
Check if Vulnerable:
Test if HTTP GET request to /newcli.php?mode_url=exec&command=id returns system information without authenticationCheck Version:
show version | include EG_RGOSVerify Fix Applied:
Verify that the same request returns access denied or 404 error after patching📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'newcli.php' in URL
- Unusual TELNET or command execution from web interface IP
- Multiple failed authentication attempts followed by newcli.php access
Network Indicators:
- HTTP traffic to gateway containing 'mode_url=exec&command=' patterns
- Unexpected TELNET connections originating from gateway
SIEM Query:
source="gateway_logs" AND (url="*newcli.php*" OR http_uri="*newcli.php*")