CVE-2024-4506
📋 TL;DR
This CVE describes a critical OS command injection vulnerability in Ruijie RG-UAC Unified Internet Behavior Management Audit System. Attackers can execute arbitrary commands remotely by manipulating parameters in the /view/IPV6/ipv6Addr/ip_addr_edit_commit.php file. Organizations using Ruijie RG-UAC systems up to version 20240428 are affected.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to data theft, lateral movement, or complete system takeover.
Likely Case
Remote code execution allowing attackers to install malware, create backdoors, or disrupt network operations.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and input validation are implemented.
🎯 Exploit Status
Public exploit code is available on GitHub, making this easily exploitable by attackers with basic skills.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available - vendor did not respond to disclosure
Restart Required: No
Instructions:
No official patch available. Monitor Ruijie's security advisories for updates. Consider workarounds or system replacement if no patch becomes available.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Restrict access to the vulnerable PHP file using web server configuration or network controls. Note that this also disables the legitimate IPv6 address edit function behind that endpoint.
Apache (2.2 syntax; on Apache 2.4 replace the Order/Deny lines with "Require all denied"):
<Location "/view/IPV6/ipv6Addr/ip_addr_edit_commit.php">
    Order deny,allow
    Deny from all
</Location>
Nginx:
location = /view/IPV6/ipv6Addr/ip_addr_edit_commit.php { deny all; }
Implement Web Application Firewall Rules
Add WAF rules to block command injection patterns in the affected parameters
Example ModSecurity rule (one rule covering all three affected parameters; the character class also includes CR and LF, which terminate a shell command, and ModSecurity URL-decodes ARGS before the regex runs):
SecRule ARGS:text_ip_addr|ARGS:orgprelen|ARGS:orgname "@rx [;&|`$()\r\n]" \
    "id:1001,phase:2,deny,log,msg:'Command injection attempt on ip_addr_edit_commit.php'"
🧯 If You Can't Patch
- Isolate the Ruijie RG-UAC system in a dedicated network segment with strict firewall rules limiting inbound and outbound connections
- Implement network-based intrusion detection/prevention systems to monitor for command injection attempts and block malicious traffic
🔍 How to Verify
Check if Vulnerable:
Confirm that the system version is 20240428 or earlier and that the file /view/IPV6/ipv6Addr/ip_addr_edit_commit.php is present
Check Version:
# Check system version through web interface or console
# Exact command varies by system configuration
Verify Fix Applied:
Confirm that a harmless test value containing a shell command (such as id or whoami) submitted in the text_ip_addr, orgprelen, or orgname parameters is rejected and no longer executed
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /view/IPV6/ipv6Addr/ip_addr_edit_commit.php with shell metacharacters
- System logs showing unexpected command execution or process creation
- Web server logs containing command injection patterns in parameters
Network Indicators:
- Unusual outbound connections from the Ruijie system
- Traffic patterns suggesting command-and-control communication
- Unexpected network scans originating from the appliance
SIEM Query:
source="web_server" AND uri="/view/IPV6/ipv6Addr/ip_addr_edit_commit.php" AND param MATCHES "[;&|`$()]"
(pseudo-syntax: replace MATCHES with your platform's regex operator; the character class already covers the $(whoami) and $(id) forms, and parameter values must be URL-decoded before matching, since %3B and %0a are the encoded forms of ; and a newline)
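As an added example (not code from the advisory or from Ruijie), the log indicators and SIEM query above expressed as a small Python scanner that URL-decodes parameter values and flags requests to the vulnerable endpoint whose watched parameters carry shell metacharacters; the combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

VULN_PATH = "/view/IPV6/ipv6Addr/ip_addr_edit_commit.php"
WATCHED_PARAMS = {"text_ip_addr", "orgprelen", "orgname"}  # parameters named in the CVE
# Shell metacharacters from the SIEM query above, plus CR/LF, which also end a shell command
SHELL_META = re.compile(r"[;&|`$()\r\n]")
# Combined-log-format request line (assumed); the query string is only present for GET requests
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" \d{3}')

def suspicious_params(target):
    """Map watched parameter -> decoded value for values that contain shell metacharacters."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return {}
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; decode again to catch double encoding
        if name in WATCHED_PARAMS and SHELL_META.search(decoded):
            hits[name] = decoded
    return hits

def scan_log(lines):
    """Return (client_ip, method, hits) for every log line that matches the indicator."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            hits = suspicious_params(m["target"])
            if hits:
                alerts.append((m["ip"], m["method"], hits))
    return alerts

# Constructed sample lines, not real traffic. The POST on the third line carries its
# parameters in the request body, which access logs normally omit, so a log-only
# detector misses it; that is why the WAF rule above inspects ARGS at the server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2024:10:00:01 +0000] "GET /view/IPV6/ipv6Addr/ip_addr_edit_commit.php?text_ip_addr=2001%3Adb8%3A%3A1&orgname=lab HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2024:10:00:02 +0000] "GET /view/IPV6/ipv6Addr/ip_addr_edit_commit.php?text_ip_addr=2001%3Adb8%3A%3A1%3Bid&orgprelen=64 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2024:10:00:03 +0000] "POST /view/IPV6/ipv6Addr/ip_addr_edit_commit.php HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/May/2024:10:00:04 +0000] "GET /view/other.php?orgname=a%7Cb HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, method, hits in scan_log(SAMPLE_LOG):
        print(f"ALERT client={ip} method={method} params={hits}")
```

Only the second sample line is reported; the POST is invisible here because its parameters are in the body, which is the gap the WAF rule closes.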
🔗 References
- https://github.com/h0e4a0r1t/-2x3J-1rPc-1-0-/blob/main/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-ip_addr_edit_commit.php.pdf
- https://vuldb.com/?ctiid.263110
- https://vuldb.com/?id.263110
- https://vuldb.com/?submit.323816