CVE-2024-4501
📋 TL;DR
This CVE describes an OS command injection vulnerability in the Ruijie RG-UAC Unified Internet Behavior Management Audit System. The tcpDump argument of the /view/bugSolve/captureData/commit.php endpoint is used to build an OS command without adequate sanitization, so a remote attacker who can reach the endpoint can execute arbitrary commands on the appliance. Ruijie RG-UAC versions up to 20240428 are affected; no fixed version has been published.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise: the attacker executes arbitrary commands with the privileges of the web application process on the appliance, which can lead to data theft (the device sees and logs user traffic), use of the appliance as a pivot for lateral movement, or complete takeover of the system.
Likely Case
Remote code execution allowing attackers to install malware, create backdoors, or disrupt system operations.
If Mitigated
Limited impact if the management interface is reachable only from a segmented administrative network, the vulnerable endpoint is blocked at a firewall or reverse proxy, and the appliance is treated as an untrusted host with least privilege on the networks it can reach. None of these remove the flaw, which is in vendor code and can only be fixed by the vendor.
🎯 Exploit Status
A write-up with exploit details is publicly available on GitHub (see References), so weaponization should be assumed. The write-up describes the issue as a backend RCE, i.e. reachable through the management interface; do not rely on the login page as a control, and treat any network reachability of that interface as exposure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None provided - vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Contact Ruijie support for updates. Consider workarounds or system replacement if no patch is forthcoming.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Use a web application firewall or network filtering in front of the appliance to block access to /view/bugSolve/captureData/commit.php. A packet-level string match such as the iptables rule below works only on plaintext HTTP and is best effort (the URI can be percent-encoded or split across TCP segments); for HTTPS, block the path at the TLS-terminating reverse proxy or WAF instead, because the string module cannot see inside TLS.
# Plaintext HTTP only; an equivalent --dport 443 rule cannot match a URI inside TLS. Use INPUT on the appliance itself, FORWARD on a filtering router in front of it.
iptables -A INPUT -p tcp --dport 80 -m string --string "/view/bugSolve/captureData/commit.php" --algo bm -j DROP
iptables -A FORWARD -p tcp --dport 80 -m string --string "/view/bugSolve/captureData/commit.php" --algo bm -j DROP
Input Validation Proxy
Deploy a reverse proxy in front of the appliance that rejects requests to the endpoint outright, or at minimum drops any request whose tcpDump value, after URL decoding, contains shell metacharacters such as ; & | ` $ ( ) or newlines. Rejecting the whole endpoint is the safer choice: the capture feature cannot be exposed safely until a vendor fix exists, and a metacharacter filter is only a partial barrier.
🧯 If You Can't Patch
- Isolate the Ruijie RG-UAC system in a separate network segment with strict access controls
- Implement network monitoring and intrusion detection specifically for command injection patterns targeting this endpoint
🔍 How to Verify
Check if Vulnerable:
Check if the system version is 20240428 or earlier and if /view/bugSolve/captureData/commit.php is accessible. Test with controlled payloads in a non-production environment.
Check Version:
Check system web interface or administrative console for version information. No standard CLI command provided by vendor.
Verify Fix Applied:
Verify that command injection attempts no longer succeed and that the vulnerable endpoint is either patched or inaccessible.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /view/bugSolve/captureData/commit.php with shell metacharacters in parameters
- System logs showing unexpected command execution or process creation
Network Indicators:
- HTTP requests containing shell commands in the tcpDump parameter
- Outbound connections from the Ruijie system to unexpected destinations
SIEM Query (pseudo-syntax, adapt to your platform; URL-decode parameter values before matching, otherwise encoded forms such as %3B, %7C and %24 slip past the pattern):
source="web_logs" AND uri="/view/bugSolve/captureData/commit.php" AND (param="tcpDump" AND value MATCHES "[;&|`$()]+")
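The check behind both the proxy filter described under Temporary Workarounds and the SIEM query above, worked through as an added example (this is not code from the vendor or from the referenced write-up). It normalizes the request path (percent-decoding twice and collapsing ./ and //) so obfuscated spellings of the endpoint still match, extracts tcpDump from the query string or form body with URL decoding applied, and only then looks for shell metacharacters; the raw regex in the SIEM query misses encoded payloads. The JSON-lines log format and the sample records are constructed assumptions: a plain access log does not record POST bodies, so this presumes a WAF or reverse-proxy log that does.

```python
import json
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

VULN_PATH = "/view/bugSolve/captureData/commit.php"
VULN_PARAM = "tcpDump"
# Characters that let a value break out of a command line built by string concatenation.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def normalize_path(raw_path: str) -> str:
    """Percent-decode twice (to catch double encoding) and collapse ./ and //
    so encoded or obfuscated spellings of the endpoint still compare equal."""
    decoded = unquote(unquote(raw_path))
    return posixpath.normpath(decoded)


def extract_param(uri: str, body: str, name: str) -> List[str]:
    """Return every value supplied for `name` in the query string or form body.
    parse_qs percent-decodes and turns '+' into space; keep_blank_values keeps
    empty probes visible."""
    values: List[str] = []
    query = urlsplit(uri).query
    for source in (query, body or ""):
        values.extend(parse_qs(source, keep_blank_values=True).get(name, []))
    return values


def check_request(method: str, uri: str, body: str = "") -> Optional[Dict]:
    """Classify one request. None when the vulnerable endpoint is not involved;
    otherwise a finding: 'high' if tcpDump carries shell metacharacters,
    'medium' for any other access to the endpoint (it should be unreachable)."""
    path = normalize_path(urlsplit(uri).path)
    if path != VULN_PATH:
        return None
    values = extract_param(uri, body, VULN_PARAM)
    hits = [v for v in values if SHELL_META.search(v)]
    if hits:
        return {"severity": "high", "reason": "shell metacharacters in tcpDump", "values": hits}
    return {"severity": "medium", "reason": "access to vulnerable endpoint", "values": values}


def scan_log(lines) -> List[Dict]:
    """Run check_request over JSON-lines records with fields src, method, uri, body
    (a hypothetical WAF/proxy log layout, assumed for this example)."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        finding = check_request(rec["method"], rec["uri"], rec.get("body", ""))
        if finding:
            finding["src"] = rec["src"]
            findings.append(finding)
    return findings


# Constructed sample records, not real traffic. Record 4 uses double-encoded
# '.' in the path and an encoded $(...) in the query to show why decoding matters.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "method": "GET", "uri": "/index.php", "body": ""}',
    '{"src": "10.0.0.7", "method": "POST", "uri": "/view/bugSolve/captureData/commit.php", "body": "tcpDump=-i+eth0+port+80"}',
    '{"src": "198.51.100.9", "method": "POST", "uri": "/view/bugSolve/captureData/commit.php", "body": "tcpDump=-i+eth0%3Bid%3E%2Ftmp%2Fo"}',
    '{"src": "198.51.100.9", "method": "GET", "uri": "/view//bugSolve/./captureData/commit%252Ephp?tcpDump=%24%28id%29", "body": ""}',
    '{"src": "203.0.113.4", "method": "POST", "uri": "/view/bugSolve/captureData/commit.php", "body": "tcpDump=`sleep+5`"}',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["src"], f["reason"], f["values"])
```

The medium finding for the benign-looking capture request is deliberate: while the endpoint is unpatched, any reachability of it is worth a ticket, not just requests that already carry a payload. The same check_request function can sit in a reverse-proxy hook, rejecting instead of logging.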
🔗 References
- https://github.com/h0e4a0r1t/-2x3J-1rPc-1-0-/blob/main/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-view_bugSolve_captureData_commit.php.pdf
- https://vuldb.com/?ctiid.263105
- https://vuldb.com/?id.263105
- https://vuldb.com/?submit.323810