CVE-2024-4813
📋 TL;DR
This critical vulnerability in Ruijie RG-UAC Unified Internet Behavior Management Audit System allows remote attackers to execute arbitrary operating system commands via command injection in the physical interface configuration component. Attackers can exploit this to gain unauthorized access, manipulate system settings, or deploy malware. All users of affected Ruijie RG-UAC versions are at risk.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with system privileges, install persistent backdoors, exfiltrate sensitive data, pivot to internal networks, or disrupt network operations.
Likely Case
Unauthorized command execution leading to system configuration changes, credential theft, installation of cryptocurrency miners or other malware, and potential lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation, command execution restrictions, and monitoring in place, potentially resulting in failed exploitation attempts or contained damage.
🎯 Exploit Status
An exploit has been publicly disclosed and may already be in use. The vulnerability allows remote exploitation without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
Contact Ruijie vendor for patch information. Monitor vendor website for security updates. Consider upgrading to versions after 20240506 if available.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the vulnerable interface to trusted IP addresses only (Linux shell, run as root; replace [PORT] and [TRUSTED_IP] with your values):
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [PORT] -j DROP
File Access Control
Remove or restrict access to the vulnerable PHP file (Linux shell, run as root on the appliance):
chmod 000 /view/networkConfig/physicalInterface/interface_commit.php
mv /view/networkConfig/physicalInterface/interface_commit.php /view/networkConfig/physicalInterface/interface_commit.php.disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical assets
- Deploy web application firewall (WAF) with command injection protection rules
🔍 How to Verify
Check if Vulnerable:
Check whether the system version is 20240506 or earlier. Test whether /view/networkConfig/physicalInterface/interface_commit.php is reachable and accepts a 'name' parameter.
Check Version:
Check system web interface or administrative console for version information
Verify Fix Applied:
Verify system version is newer than 20240506. Test that command injection attempts via the 'name' parameter are blocked or sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /view/networkConfig/physicalInterface/interface_commit.php
- Command execution patterns in web server logs
- Suspicious system commands executed from web process
Network Indicators:
- Unusual outbound connections from Ruijie system
- Command and control traffic patterns
- Exploitation attempts to the vulnerable endpoint
SIEM Query:
source="web_server" AND uri="/view/networkConfig/physicalInterface/interface_commit.php" AND param="name" AND (value CONTAINS "|" OR value CONTAINS ";" OR value CONTAINS "`" OR value CONTAINS "$")
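The same detection logic as the SIEM query above, written as a stand-alone script over constructed access-log lines (an added example, not part of the advisory). It assumes a common-log-format web server log and that the 'name' parameter is visible in the logged request line; for POST bodies, which the access log does not record, it only flags the request so the body can be checked in application or WAF logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory.
VULN_PATH = "/view/networkConfig/physicalInterface/interface_commit.php"
# Shell metacharacters from the advisory's SIEM query, plus '&' (assumption:
# a practitioner would also watch it, as it chains commands the same way).
META = set("|;`$&")

# Common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (severity, reason) for one log line, or None if unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes, so %3B is seen as ';' here.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("name", []):
        hits = sorted(ch for ch in META if ch in value)
        if hits:
            return ("high", f"shell metacharacter(s) {hits} in name= value")
    if m.group("method") == "POST":
        return ("medium", "POST to vulnerable endpoint; check body in app/WAF logs")
    return ("low", "request to vulnerable endpoint")

def scan(lines):
    """Return [(line_no, severity, reason)] for every matching line."""
    return [(i, *r) for i, line in enumerate(lines, 1) if (r := classify(line))]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE = [
    '203.0.113.5 - - [10/May/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2024:10:00:05 +0000] "GET ' + VULN_PATH + '?name=eth0 HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/May/2024:10:00:09 +0000] "GET ' + VULN_PATH + '?name=eth0%3Bid HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/May/2024:10:00:12 +0000] "POST ' + VULN_PATH + ' HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for n, sev, why in scan(SAMPLE):
        print(f"line {n}: {sev}: {why}")
```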
🔗 References
- https://github.com/h0e4a0r1t/I_L-HxK-pF-uZ1-/blob/main/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-physicalInterface%3Ainterface_commit.php.pdf
- https://vuldb.com/?ctiid.263934
- https://vuldb.com/?id.263934
- https://vuldb.com/?submit.330020