CVE-2024-4510
📋 TL;DR
This critical vulnerability in Ruijie RG-UAC Unified Internet Behavior Management Audit System allows remote attackers to execute arbitrary operating system commands via command injection in the arp_add_commit.php file. Attackers can exploit this by manipulating IP and MAC address parameters to gain unauthorized system access. Organizations using affected Ruijie RG-UAC versions are at risk.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands, install malware, pivot to other systems, steal sensitive data, and maintain persistent access.
Likely Case
Remote code execution leading to system takeover, data exfiltration, and potential ransomware deployment or network disruption.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and input validation preventing successful exploitation.
🎯 Exploit Status
Exploit code is publicly available in GitHub repositories. The vulnerability can be exploited remotely without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Monitor Ruijie's official channels for security updates. Consider upgrading to versions after 20240428 if available.
🔧 Temporary Workarounds
Block Vulnerable Endpoint
Restrict access to the vulnerable PHP file using web server configuration or network controls
# Apache: RewriteRule ^/view/networkConfig/ArpTable/arp_add_commit\.php$ - [F,L]
# Nginx: location ~ /view/networkConfig/ArpTable/arp_add_commit\.php$ { return 403; }
Implement WAF Rules
Deploy web application firewall rules to detect and block command injection attempts
# ModSecurity rule: SecRule ARGS:text_ip_addr|ARGS:text_mac_addr "@rx [;&|`$()]" "id:1001,phase:2,deny,msg:'Command Injection Attempt'"
# Cloud WAF: Create rule blocking patterns like ;, |, &, `, $, (, ) in parameters
🧯 If You Can't Patch
- Isolate affected systems in a segmented network zone with strict egress filtering
- Implement network-based intrusion detection/prevention systems to monitor for exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check if the file /view/networkConfig/ArpTable/arp_add_commit.php exists and is accessible. Test with controlled command injection payloads in a safe environment.
Check Version:
Check system version through web interface or administrative console. Ruijie devices typically display version in web UI or via SNMP.
Verify Fix Applied:
Verify the vulnerable endpoint is no longer accessible or properly validates input. Test that command injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to arp_add_commit.php with shell metacharacters
- System logs showing unexpected command execution
- Web server logs with command injection patterns in parameters
Network Indicators:
- HTTP requests containing ;, |, &, `, $, (, ) in text_ip_addr or text_mac_addr parameters
- Outbound connections from Ruijie device to unexpected external IPs
SIEM Query:
source="web_server" AND uri="/view/networkConfig/ArpTable/arp_add_commit.php" AND (query="*;*" OR query="*|*" OR query="*&*" OR query="*`*" OR query="*$(*" OR query="*$)*")
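As an added example (not part of the original advisory, and not Ruijie's code), the log indicators and network indicators above applied to web server access log lines: a request is flagged when it targets the arp_add_commit.php endpoint and text_ip_addr or text_mac_addr either contains one of the listed shell metacharacters or fails a strict IPv4/MAC format check. The strict check goes slightly beyond the metacharacter list, so injections using other separators are also caught. The log lines are constructed samples in Common Log Format; the parameter names and endpoint path are taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter names named in the advisory.
VULN_PATH = "/view/networkConfig/ArpTable/arp_add_commit.php"
WATCHED_PARAMS = ("text_ip_addr", "text_mac_addr")
# Shell metacharacters listed under Network Indicators.
METACHARS = re.compile(r"[;&|`$()]")

# Strict formats these parameters should legitimately carry (assumed: dotted IPv4, colon/dash MAC).
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Common Log Format: client - - [time] "METHOD /path?query HTTP/x" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_well_formed(name, value):
    """True when value matches the strict format expected for that parameter."""
    if name == "text_ip_addr":
        return bool(IPV4_RE.match(value))
    if name == "text_mac_addr":
        return bool(MAC_RE.match(value))
    return True

def check_line(line):
    """Return a finding for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    bad = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if METACHARS.search(value) or not is_well_formed(name, value):
                bad[name] = value
    if not bad:
        return None
    return {"src": m.group("src"), "method": m.group("method"),
            "status": m.group("status"), "params": bad}

def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in (check_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic); the second carries an encoded ';' in the IP parameter.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2024:10:00:01 +0000] "POST /view/networkConfig/ArpTable/arp_add_commit.php?text_ip_addr=10.0.0.5&text_mac_addr=00:11:22:33:44:55 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2024:10:00:02 +0000] "POST /view/networkConfig/ArpTable/arp_add_commit.php?text_ip_addr=10.0.0.5%3Bid&text_mac_addr=00:11:22:33:44:55 HTTP/1.1" 200 33',
    '203.0.113.9 - - [01/May/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024',
]
```

Only requests whose parameters appear in the request line are visible this way; POST bodies need a WAF or application log that records them.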
🔗 References
- https://github.com/h0e4a0r1t/-2x3J-1rPc-1-0-/blob/main/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-arp_add_commit.php.pdf
- https://vuldb.com/?ctiid.263114
- https://vuldb.com/?id.263114
- https://vuldb.com/?submit.323820