CVE-2023-3306 – This critical vulnerability in Ruijie RG-EW1200... (How to Fix)

Q: What is the severity of CVE-2023-3306?

CVE-2023-3306 has a CVSS score of 7.3 (HIGH). This critical vulnerability in Ruijie RG-EW1200G wireless access points allows remote attackers to bypass authentication and gain administrative access due to improper access controls in the Admin Password Handler component. It affects systems running EW_3.0(1)B11P204 firmware. Attackers can exploit this remotely without authentication to take full control of affected devices.

📋 TL;DR

This critical vulnerability in Ruijie RG-EW1200G wireless access points allows remote attackers to bypass authentication and gain administrative access due to improper access controls in the Admin Password Handler component. It affects systems running EW_3.0(1)B11P204 firmware. Attackers can exploit this remotely without authentication to take full control of affected devices.

💻 Affected Systems

Products:

Ruijie RG-EW1200G

Versions: EW_3.0(1)B11P204

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running the affected firmware version are vulnerable by default. The vulnerability is in the web management interface component.

📦 What is this software?

Rg Ew1200g Firmware by Ruijie

View all CVEs affecting Rg Ew1200g Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the wireless access point allowing attackers to reconfigure network settings, intercept traffic, deploy malware to connected devices, or use the device as a pivot point into the internal network.

🟠

Likely Case

Unauthorized administrative access leading to network configuration changes, traffic monitoring, and potential lateral movement to other network devices.

🟢

If Mitigated

Limited impact if device is isolated in a segmented network with strict firewall rules and monitoring, though administrative control would still be lost.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely, making internet-facing devices immediately vulnerable to attack.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated access, making all affected devices vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit code is publicly available on GitHub, making this easily weaponizable. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available - vendor did not respond to disclosure

Restart Required: No

Instructions:

No official patch available. Monitor Ruijie's official website for firmware updates addressing CVE-2023-3306.

🔧 Temporary Workarounds

Network Segmentation and Access Control

all

Isolate affected devices in a separate VLAN with strict firewall rules preventing external access to the management interface.

Management Interface Restriction

all

Configure firewall rules to only allow management interface access from specific trusted IP addresses.

🧯 If You Can't Patch

Immediately remove affected devices from internet-facing positions and place behind firewalls with strict access controls.
Implement network monitoring and intrusion detection specifically watching for unauthorized access attempts to the device management interface.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI. If version is EW_3.0(1)B11P204, the device is vulnerable.

Check Version:

Login to device web interface and check System Information, or use CLI command: show version

Verify Fix Applied:

Check if firmware has been updated to a version newer than EW_3.0(1)B11P204. Test authentication bypass using the public exploit to confirm fix.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts to admin interface
Multiple failed login attempts followed by successful access without proper credentials
Configuration changes from unexpected IP addresses

Network Indicators:

Unusual HTTP requests to app.09df2a9e44ab48766f5f.js file
Traffic to management interface from unexpected sources
Administrative actions from non-authorized IPs

SIEM Query:

source="ruijie-firewall" AND (url="*app.09df2a9e44ab48766f5f.js*" OR (event_type="login" AND result="success" AND source_ip NOT IN authorized_ips))

📊 Metadata

CVE ID: CVE-2023-3306

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-284

Published: June 18, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/RCEraser/cve/blob/main/RG-EW1200G.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.231802 Third Party Advisory
https://vuldb.com/?id.231802 Third Party Advisory
https://github.com/RCEraser/cve/blob/main/RG-EW1200G.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.231802 Third Party Advisory
https://vuldb.com/?id.231802 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-3306, you might also want to check these: