CVE-2024-5336
📋 TL;DR
This CVE describes a critical OS command injection vulnerability in Ruijie RG-UAC Unified Internet Behavior Management Audit System. Attackers can remotely execute arbitrary commands on affected devices by manipulating the 'phyport' parameter in the VLAN configuration function. Organizations using Ruijie RG-UAC devices up to version 20240516 are affected.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with system privileges, potentially leading to complete device takeover, data exfiltration, or lateral movement into internal networks.
Likely Case
Remote code execution allowing attackers to install malware, create backdoors, disrupt network operations, or use the device as a pivot point for further attacks.
If Mitigated
Limited impact if proper network segmentation, input validation, and command execution restrictions are in place, though the vulnerability still exists.
🎯 Exploit Status
Exploit details have been publicly disclosed in GitHub repositories. The vulnerability requires no authentication and has simple exploitation vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
1. Contact Ruijie Networks for patch availability
2. If patch is available, download from official vendor portal
3. Apply patch following vendor instructions
4. Verify patch application
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to the web management interface to trusted IP addresses only (replace TRUSTED_IP with your management host or network; the rules are appended in order, so the ACCEPT rules must come before the DROP rules)
iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disable Vulnerable Function
Remove or disable the vulnerable PHP file if VLAN configuration through the web interface is not required (this also disables legitimate VLAN changes via the web UI until the file is restored)
mv /view/networkConfig/vlan/vlan_add_commit.php /view/networkConfig/vlan/vlan_add_commit.php.disabled
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Ruijie devices from critical systems
- Deploy web application firewall (WAF) rules to block command injection patterns targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check if the file /view/networkConfig/vlan/vlan_add_commit.php exists and if the system version is 20240516 or earlier
Check Version:
Check device web interface or console for firmware version information
Verify Fix Applied:
Verify the vulnerable file has been removed/disabled or that the system version is newer than 20240516
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /view/networkConfig/vlan/vlan_add_commit.php with shell metacharacters in parameters
- System logs showing unexpected command execution
- Failed authentication attempts followed by exploitation attempts
Network Indicators:
- HTTP requests containing shell commands (;, |, &, $, etc.) in URL parameters
- Outbound connections from Ruijie devices to unexpected destinations
SIEM Query:
source="ruijie_web_logs" AND uri="/view/networkConfig/vlan/vlan_add_commit.php" AND (param="phyport" AND value MATCHES "[;&|$`]+")
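As an added example that is not part of the original advisory, the following Python script applies the log indicators above to web-server access-log lines: it flags requests to the vulnerable endpoint whose phyport parameter contains the shell metacharacters from the SIEM query. The combined-style log format and the sample lines are assumed and constructed here; adapt LOG_RE to your device's actual log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory; metacharacter set taken from the SIEM query above.
VULN_PATH = "/view/networkConfig/vlan/vlan_add_commit.php"
PARAM = "phyport"
SHELL_META = re.compile(r"[;&|$`]")

# Assumed combined-style access log: "src ident user [timestamp] "METHOD target PROTO" status".
# Only URL-carried parameters are visible here; a POST body is normally not logged, so
# inspecting request bodies (e.g. via a WAF) is needed to cover body-carried parameters.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_line(line):
    """Return a finding dict if the line matches the advisory's indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None  # unrelated endpoint
    # parse_qs percent-decodes, so an encoded ';' (%3B) is still caught.
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    hits = [v for v in values if SHELL_META.search(v)]
    if not hits:
        return None  # plausible benign VLAN change
    return {"src": m.group("src"), "ts": m.group("ts"),
            "method": m.group("method"), "phyport": hits}


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in map(inspect_line, lines) if f]


# Constructed sample lines (not real traffic): a benign VLAN change, a request carrying
# a shell metacharacter in phyport, and a request to an unrelated page.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/May/2024:10:01:02 +0000] "POST /view/networkConfig/vlan/vlan_add_commit.php?phyport=eth1&vlanid=10 HTTP/1.1" 200 312',
    '203.0.113.9 - - [16/May/2024:10:02:17 +0000] "POST /view/networkConfig/vlan/vlan_add_commit.php?phyport=eth1%3Becho%20probe&vlanid=10 HTTP/1.1" 200 58',
    '10.0.0.5 - - [16/May/2024:10:03:00 +0000] "GET /view/index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f['ts']} {f['src']} {f['method']} phyport={f['phyport']}")
```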
🔗 References
- https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/z%7CYVDv%7CHKA)*%5CdK!/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-vlan%3Avlan_add_commit.php.pdf
- https://vuldb.com/?ctiid.266242
- https://vuldb.com/?id.266242
- https://vuldb.com/?submit.336031