CVE-2024-4504
📋 TL;DR
This critical vulnerability in Ruijie RG-UAC Unified Internet Behavior Management Audit System allows remote attackers to execute arbitrary operating system commands via command injection in the /view/HAconfig/baseConfig/commit.php file. Organizations using Ruijie RG-UAC systems up to version 20240428 are affected and should take immediate action.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Remote code execution enabling attackers to install backdoors, pivot to internal networks, or disrupt network operations.
If Mitigated
Limited impact if proper network segmentation and access controls prevent exploitation attempts.
🎯 Exploit Status
Public exploit details are available in GitHub repositories, making exploitation straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available - vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Consider upgrading to latest version if available, or implement workarounds.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Restrict access to /view/HAconfig/baseConfig/commit.php using a web application firewall or network controls. Note that the string-match rule below only inspects unencrypted HTTP on port 80; requests arriving over HTTPS must be filtered at a TLS-terminating WAF or reverse proxy instead.
# Example iptables rule to block access to the vulnerable endpoint
# iptables -A INPUT -p tcp --dport 80 -m string --string "/view/HAconfig/baseConfig/commit.php" --algo bm -j DROP
Network Segmentation
Isolate Ruijie RG-UAC systems from the internet and restrict internal access to the management interface
# Configure firewall rules to only allow necessary management access
# Example: iptables -A INPUT -s trusted_management_ip -p tcp --dport 80 -j ACCEPT
# An ACCEPT rule is only restrictive when a default DROP for the port follows it, e.g.: iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Ruijie RG-UAC web interface
- Deploy web application firewall with command injection detection rules and monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if your Ruijie RG-UAC version is 20240428 or earlier by accessing the system's web interface and reviewing version information
Check Version:
# Access the Ruijie RG-UAC web interface and navigate to system information or check via SSH if available
Verify Fix Applied:
Test if the /view/HAconfig/baseConfig/commit.php endpoint is accessible and if command injection attempts are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /view/HAconfig/baseConfig/commit.php
- Commands containing shell metacharacters in HTTP parameters
- Unexpected system processes spawned from web server
Network Indicators:
- HTTP requests with command injection payloads in peer_ip or local_ip parameters
- Outbound connections from Ruijie appliance to unexpected destinations
SIEM Query:
source="ruijie_web_logs" AND uri="/view/HAconfig/baseConfig/commit.php" AND (param="peer_ip" OR param="local_ip") AND value MATCHES "[;&|`$()]"
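As an added detection example (not from the advisory or the vendor), the script below applies the same indicators to constructed web-server log lines: it flags requests to the vulnerable endpoint whose peer_ip or local_ip values contain shell metacharacters and, going one step beyond the SIEM query, any value for those parameters that is not a valid IP address. The log format and every sample line are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Endpoint and parameters named in the advisory; metacharacter class from its SIEM query.
VULN_PATH = "/view/HAconfig/baseConfig/commit.php"
WATCHED_PARAMS = ("peer_ip", "local_ip")
SHELL_META = re.compile(r"[;&|`$()<>\n]")

# Constructed sample (not real appliance logs): "<client> <method> <path> <form body>".
SAMPLE_LOG = """\
10.0.0.5 POST /view/HAconfig/baseConfig/commit.php peer_ip=192.0.2.20&local_ip=192.0.2.21
203.0.113.9 POST /view/HAconfig/baseConfig/commit.php peer_ip=192.0.2.20%3Bid&local_ip=192.0.2.21
203.0.113.9 GET /view/index.php page=1
10.0.0.5 POST /view/HAconfig/baseConfig/commit.php peer_ip=192.0.2.20&local_ip=$(whoami)
198.51.100.7 POST /view/HAconfig/baseConfig/commit.php peer_ip=not-an-ip&local_ip=192.0.2.21
"""

def parse_form(body):
    """Decode a form body into {name: [values]}; split only on '&' so ';' stays in its value."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def inspect_request(line):
    """Return the reasons a request looks like CVE-2024-4504 abuse ([] if benign)."""
    parts = line.split(" ", 3)
    if len(parts) < 4 or parts[2] != VULN_PATH:
        return []
    reasons = []
    for name in WATCHED_PARAMS:
        for value in parse_form(parts[3]).get(name, []):
            if SHELL_META.search(value):
                reasons.append(f"{name} contains shell metacharacters: {value!r}")
                continue
            try:
                ipaddress.ip_address(value)  # the only legitimate shape for these fields
            except ValueError:
                reasons.append(f"{name} is not an IP address: {value!r}")
    return reasons

def scan_log(text):
    """Return (client, reasons) for every suspicious request in the log text."""
    hits = ((ln.split(" ", 1)[0], inspect_request(ln)) for ln in text.splitlines())
    return [h for h in hits if h[1]]
```

Feed real access logs through scan_log only after adapting the line format; the IP-address check is the stricter rule and should be the one a WAF enforces on these two parameters.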
🔗 References
- https://github.com/h0e4a0r1t/-2x3J-1rPc-1-0-/blob/main/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-view_HAconfig_baseConfig_commit.php.pdf
- https://vuldb.com/?ctiid.263108
- https://vuldb.com/?id.263108
- https://vuldb.com/?submit.323814