CVE-2024-6187
📋 TL;DR
This critical vulnerability in Ruijie RG-UAC 1.0 allows remote attackers to execute arbitrary operating system commands through command injection in the /view/vpn/autovpn/sub_commit.php file. Attackers can exploit this to gain unauthorized access and control over affected devices. Organizations using Ruijie RG-UAC 1.0 are at risk.
💻 Affected Systems
- Ruijie RG-UAC
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to install malware, steal sensitive data, pivot to internal networks, and maintain persistent access.
Likely Case
Unauthorized command execution leading to data exfiltration, system manipulation, or deployment of ransomware.
If Mitigated
Limited impact with proper network segmentation, but potential for initial foothold in isolated segments.
🎯 Exploit Status
Exploit code is publicly available on GitHub; remote exploitation requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available; vendor did not respond to disclosure. Consider workarounds or replacement.
🔧 Temporary Workarounds
Block Access to Vulnerable Endpoint
Restrict network access to /view/vpn/autovpn/sub_commit.php using firewall rules or web server configuration. Note that the iptables string match below only inspects plaintext payloads: on port 443 the request URI is inside TLS, so for HTTPS restrict by source address or block the path at a TLS-terminating proxy instead.
iptables -A INPUT -p tcp --dport 80 -m string --string "/view/vpn/autovpn/sub_commit.php" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "/view/vpn/autovpn/sub_commit.php" --algo bm -j DROP
Input Validation Enhancement
Modify the PHP file to sanitize the 'key' parameter so that shell metacharacters never reach the command.
Edit /view/vpn/autovpn/sub_commit.php to add the following line before command execution; it strips every character other than ASCII letters and digits: $key = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['key']);
🧯 If You Can't Patch
- Isolate the Ruijie RG-UAC device in a segmented network zone with strict firewall rules.
- Implement network-based intrusion detection to monitor for command injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check if the file /view/vpn/autovpn/sub_commit.php exists and is accessible via HTTP/HTTPS; test with a safe payload like 'key=test;echo vulnerable'.
Check Version:
Check device web interface or CLI for version information; typically via 'show version' or similar command.
Verify Fix Applied:
After applying workarounds, attempt exploitation with the same payload; ensure no command execution occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /view/vpn/autovpn/sub_commit.php with shell metacharacters in parameters.
- System logs showing unexpected command executions or process spawns.
Network Indicators:
- HTTP traffic containing command injection patterns (e.g., semicolons, pipes, backticks) in POST data.
SIEM Query:
source="web_logs" AND uri="/view/vpn/autovpn/sub_commit.php" AND (data CONTAINS ";" OR data CONTAINS "|" OR data CONTAINS "`")
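The log and network indicators above, as an added detector run over constructed sample log lines (example code, not from the original page or from Ruijie): it URL-decodes the POST body before looking for metacharacters, because a ";" sent as %3B would not match a literal CONTAINS ";" query against the raw body. The log line format and the sample entries are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote_plus

VULN_PATH = "/view/vpn/autovpn/sub_commit.php"
# Shell metacharacters that have no place in a legitimate 'key' value.
META = re.compile(r"[;|`&$(){}<>\n]")

# Constructed sample log lines (assumed format): source, method, path, raw POST body.
SAMPLE_LOGS = [
    '203.0.113.5 POST /view/vpn/autovpn/sub_commit.php "key=test"',
    '203.0.113.7 POST /view/vpn/autovpn/sub_commit.php "key=test%3Becho+x"',
    '203.0.113.9 POST /view/vpn/autovpn/sub_commit.php "key=a%60id%60"',
    '203.0.113.11 POST /view/other.php "key=test%3B"',
    '203.0.113.13 GET /view/vpn/autovpn/sub_commit.php ""',
]

LINE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<body>[^"]*)"$')


def naive_match(body):
    """The page's SIEM query applied literally to the raw, still URL-encoded body."""
    return any(c in body for c in (";", "|", "`"))


def decode_body(body):
    """Split a form-encoded body into name -> decoded value (manual split, so a literal
    ';' in the value is never treated as a pair separator)."""
    params = {}
    for pair in body.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[unquote_plus(name)] = unquote_plus(value)
    return params


def detect(lines):
    """Return (source, [param names]) for POSTs to the vulnerable endpoint whose
    decoded parameters contain shell metacharacters."""
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or m["path"] != VULN_PATH:
            continue
        bad = [n for n, v in decode_body(m["body"]).items() if META.search(v)]
        if bad:
            alerts.append((m["src"], bad))
    return alerts


if __name__ == "__main__":
    for src, params in detect(SAMPLE_LOGS):
        print(f"ALERT {src}: metacharacters in {params}")
```

Of the two encoded payloads in the sample, neither is caught by the raw-body query, while both are flagged once decoded.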
🔗 References
- https://github.com/L1OudFd8cl09/CVE/blob/main/11_06_2024_d.md
- https://vuldb.com/?ctiid.269158
- https://vuldb.com/?id.269158
- https://vuldb.com/?submit.354125