CVE-2024-4815
📋 TL;DR
This critical vulnerability in Ruijie RG-UAC Unified Internet Behavior Management Audit System allows remote attackers to execute arbitrary operating system commands via command injection in the filename parameter of /view/bugSolve/viewData/detail.php. Organizations using Ruijie RG-UAC systems up to version 20240506 are affected, potentially enabling complete system compromise.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining root/administrator privileges, installing persistent backdoors, stealing sensitive data, and pivoting to other network systems.
Likely Case
Remote code execution leading to data exfiltration, installation of cryptocurrency miners or ransomware, and creation of backdoors for persistent access.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and strict input validation preventing successful exploitation.
🎯 Exploit Status
Exploit details have been publicly disclosed on GitHub, making weaponization highly probable. The attack can be launched remotely without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available - vendor did not respond to disclosure
Restart Required: No
Instructions:
1. Contact Ruijie Networks for an official patch or updated firmware.
2. If a patch is available, download it from the official vendor portal.
3. Back up the configuration.
4. Apply the update following vendor instructions.
5. Verify the fix has been applied.
🔧 Temporary Workarounds
Web Application Firewall Rule
Platform: all. Block or sanitize requests to the vulnerable endpoint using pattern matching for command injection attempts.
WAF specific: configure a rule to block requests containing suspicious characters (;, |, &, $, `) in the filename parameter.
Network Access Control
Platform: Linux. Restrict access to the vulnerable endpoint using network controls.
iptables -A INPUT -p tcp --dport 80 -m string --string "/view/bugSolve/viewData/detail.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/view/bugSolve/viewData/detail.php" --algo bm -j DROP
Note: the port-443 rule cannot see a path carried inside TLS, so it only takes effect for plain HTTP; the string match also inspects individual packets, so treat these rules as a stopgap rather than a replacement for a patch.
🧯 If You Can't Patch
- Isolate the Ruijie RG-UAC system in a dedicated network segment with strict firewall rules limiting inbound/outbound traffic
- Implement network-based intrusion detection/prevention systems to monitor for exploitation attempts and block malicious traffic
🔍 How to Verify
Check if Vulnerable:
Check whether the system responds to requests to /view/bugSolve/viewData/detail.php with a filename parameter containing test payloads (non-destructive ones such as 'id' or 'whoami', with proper escaping).
Check Version:
Check web interface or system administration panel for firmware version, or use: curl -k https://[IP]/version_endpoint (if available)
Verify Fix Applied:
Test if command injection attempts no longer execute and return error messages instead of command output
📡 Detection & Monitoring
Log Indicators:
- Unusual POST/GET requests to /view/bugSolve/viewData/detail.php with special characters in parameters
- System logs showing unexpected command execution or process creation
- Web server logs with command injection patterns (;, |, &, $, `, >, <) in filename parameter
Network Indicators:
- HTTP requests containing OS command strings in URL parameters
- Unusual outbound connections from the Ruijie appliance to external IPs
- Traffic patterns indicating data exfiltration
SIEM Query:
source="web_logs" AND uri="/view/bugSolve/viewData/detail.php" AND (param="*;*" OR param="*|*" OR param="*&*" OR param="*`*" OR param="*$(*")
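As an added example (not part of the advisory, the vendor's tooling, or the referenced disclosure), the following Python script applies the WAF rule and log-indicator patterns above to constructed web-server access-log lines. It scopes matching to the vulnerable endpoint and percent-decodes the parameter values before checking for shell metacharacters, which a raw string match such as the SIEM query above would miss for input encoded as %3B or %24%28. The log format, IP addresses and request lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the advisory; metacharacters from the page's log indicators,
# plus "$(" / "${" substitution and %0a newlines as extra command separators.
VULN_PATH = "/view/bugSolve/viewData/detail.php"
META_RE = re.compile(r"[;|&`><\n]|\$\(|\$\{")

# Combined-log request field: "METHOD URI PROTOCOL" followed by the status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_params(uri):
    """Return (name, decoded_value) pairs whose value contains shell
    metacharacters, but only for requests to the vulnerable endpoint."""
    parts = urlsplit(uri)
    if unquote(parts.path) != VULN_PATH:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs decodes once; decode again so %253B (double-encoded ';')
            # is also caught.
            decoded = unquote(value)
            if META_RE.search(decoded):
                hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Parse access-log lines and return one alert per suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than crash the scan
        hits = suspicious_params(m.group("uri"))
        if hits:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"),
                           "method": m.group("method"), "params": hits})
    return alerts


# Constructed sample lines: benign filename, percent-encoded ';' on the
# vulnerable endpoint, and a ';' on an unrelated endpoint (out of scope).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/May/2024:10:01:02 +0000] "GET /view/bugSolve/viewData/detail.php?filename=report.txt HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/May/2024:10:02:13 +0000] "GET /view/bugSolve/viewData/detail.php?filename=report.txt%3Bid HTTP/1.1" 200 77',
    '203.0.113.9 - - [07/May/2024:10:03:44 +0000] "GET /index.php?q=a;b HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Access logs normally record only the query string, so requests that carry the filename parameter in a POST body need the body logged (or a WAF/IDS in line) to be caught this way.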
🔗 References
- https://github.com/h0e4a0r1t/I_L-HxK-pF-uZ1-/blob/main/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-view_bugSolve_viewData_detail.php.pdf
- https://vuldb.com/?ctiid.263936
- https://vuldb.com/?id.263936
- https://vuldb.com/?submit.329966