Cybersecurity researchers have discovered several security flaws in the cloud management platform developed by Ruijie Networks that could permit an attacker to take control of the network appliances.
“These vulnerabilities affect both the Reyee platform, as well as Reyee OS network devices,” Claroty researchers Noam Moshe and Tomer Goldschmidt said in a recent analysis. “The vulnerabilities, if exploited, could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices.”
The operational technology (OT) security company, which carried out in-depth research of the Internet of Things (IoT) vendor, said it not only identified 10 flaws but also devised an attack called “Open Sesame” that can be used to hack into an access point in close physical proximity over the cloud and gain unauthorized access to its network.
Of the 10 vulnerabilities, three of them are rated Critical in severity –
- CVE-2024-47547 (CVSS score of 9.4) – Use of a weak password recovery mechanism that leaves the authentication mechanism vulnerable to brute force attacks
- CVE-2024-48874 (CVSS score of 9.8) – A server-side request forgery (SSRF) vulnerability that could be exploited to access internal services used by Ruijie and their internal cloud infrastructure via AWS cloud metadata services
- CVE-2024-52324 (CVSS score: 9.8) – Use of an inherently dangerous function that could allow an attacker to send a malicious MQTT message which could result in devices executing arbitrary operating system commands
Claroty’s research also found that it’s easy to break MQTT authentication by simply knowing the device’s serial number (CVE-2024-45722, CVSS score: 7.5), subsequently exploiting the access to Ruijie’s MQTT broker in order to receive a full list of all cloud-connected devices’ serial numbers.
“Using the leaked serial numbers, we could generate valid authentication credentials for all cloud-connected devices,” the researchers said. “This meant that we could perform a wide range of denial-of-service attacks, including disconnecting devices by authenticating on their behalf, and even sending fabricated messages and events to the cloud; sending false data to users of these devices.”
The knowledge of the device serial number could further be weaponized to access all MQTT message queues and issue malicious commands that would then get executed on all cloud connected devices (CVE-2024-52324).
That’s not all. An attacker who is physically adjacent to a Wi-Fi network that uses Ruijie access points could also extract the device’s serial number by intercepting the raw Wi-Fi beacons, and then leverage the other vulnerabilities in MQTT communication to achieve remote code execution. The Open Sesame attack has been assigned the CVE identifier CVE-2024-47146 (CVSS score: 7.5).
Following responsible disclosure, all the identified shortcomings have been fixed by the Chinese company in the cloud and no user action is required. About 50,000 cloud connected devices are estimated to have been potentially impacted by these bugs.
“This is another example of weaknesses in so-called internet-of-things devices such as wireless access points, routers, and other connected things that have a fairly low barrier to entry on to the device, yet enable much deeper network attacks,” the researchers said.
The disclosure comes as security form PCAutomotive flagged 12 vulnerabilities in the MIB3 infotainment unit used in certain Skoda cars that malicious actors could chain together to achieve code execution, track the cars’ location in real-time, record conversations via the in-car microphone, take screenshots of the infotainment display, and even exfiltrate contact information.
The flaws (from CVE-2023-28902 through CVE-2023-29113) permit attackers to “gain code execution on the MIB3 infotainment unit over Bluetooth, elevate privileges to root, bypass secure boot to gain persistent code execution, and control infotainment unit via DNS channel every time the car starts,” PCAutomotive researchers said.
The discovery adds to nine other flaws (from CVE-2023-28895 through CVE-2023-28901) identified in the MIB3 infotainment unit in late 2022 that could allow attackers to trigger a denial-of-service, bypass UDS authentication, and obtain vehicle data — namely, mileage, recent trip duration, and average and max.=imum speed of the trip — by knowing only VIN number of a vehicle.