Penelope Iroko Table of Contents
Recent findings have revealed critical vulnerabilities in Ruijie Reyee devices, posing significant cybersecurity risks to tens of thousands of users globally.
Researchers from cybersecurity firm Claroty have identified flaws in Ruijie Networks’ Reyee cloud management platform and Reyee OS network appliances, which could allow attackers to take control of these devices.
These vulnerabilities highlight the urgent need for robust security measures in today’s connected world.
Key Takeaway to Critical Vulnerabilities in Ruijie Reyee:
- Attackers could exploit these flaws to disrupt services, steal sensitive data, and even gain unauthorized access to internal networks.
Breaking Down the Vulnerabilities
The Root of the Problem: MQTT Protocol Exploitation
Ruijie devices rely on the MQTT messaging protocol for communication. Claroty discovered that these devices authenticate to a broker using a username/password pair derived from the device’s serial number.
Here’s the catch: the serial number, which follows a predictable pattern, can be easily exploited.
| Authentication Method | Flaw Identified |
|---|---|
| Username: Device Serial Number | Predictable pattern makes it easy to guess. |
| Password: SHA256 of Reversed Serial | Weak encryption allows attackers to crack credentials. |
Using this loophole, researchers could impersonate devices, connect to Ruijie’s MQTT broker, and gain control over the cloud platform.
Serial Number Vulnerabilities
Once authenticated, attackers could retrieve a list of all connected devices’ serial numbers. This opens the door to:
- Denial-of-Service (DoS) Attacks: Disconnecting devices by authenticating on their behalf.
- Data Manipulation: Sending fabricated events and false data to cloud users.
- Mass Credential Generation: Exploiting the predictable serial number format to access multiple devices.
Remote Command Execution (RCE) Risks
Claroty’s research uncovered an even more alarming issue: Ruijie’s RCE-as-a-service mechanism. By impersonating the cloud, attackers could send OS-level commands to all devices.
This capability could enable unauthorized data extraction or system control on a massive scale.
Highlighting Specific Vulnerabilities
Claroty reported 10 vulnerabilities, with three categorized as critical:
| CVE ID | Description | CVSS Score |
| CVE-2024-47547 | Weak password recovery mechanism. | 9.4 |
| CVE-2024-48874 | Server-side request forgery (SSRF) bug. | 9.8 |
| CVE-2024-52324 | Dangerous function enabling arbitrary command execution. | 9.8 |
These flaws could lead to unauthorized access, data theft, and widespread device disruption.
The “Open Sesame” Attack Explained
In a method called “Open Sesame,” Claroty demonstrated how attackers could infiltrate Ruijie’s systems:
- Sniff Wi-Fi Signals: An attacker in proximity to a Ruijie access point captures raw beacon messages.
- Extract Serial Numbers: Using the beacon data, they extract the device’s serial number.
- Exploit MQTT Flaws: Attackers leverage the vulnerabilities to send malicious commands, gaining unauthorized network access.
This technique highlights the potential for devastating real-world impacts, such as compromising sensitive internal networks.
Real-Life Lessons: Similar Incidents in IoT Security
This discovery is reminiscent of past IoT-related vulnerabilities, like the 2016 Mirai botnet attack. That incident, which you can read about here, exploited weak device credentials to create a massive botnet, causing internet outages worldwide.
These examples underscore the critical need for securing IoT devices against predictable threats.
Ruijie’s Response and Fixes
According to Claroty, approximately 50,000 devices were initially impacted. However, Ruijie has since addressed the vulnerabilities by:
- Patching the Cloud Platform: Security defects have been resolved, ensuring no further exploitation.
- Reinforcing Credentials: Improved password mechanisms reduce predictability.
- User Notification: No additional action is required from users, as fixes were implemented on the cloud side.
While Ruijie’s swift response is commendable, this incident serves as a stark reminder for businesses to prioritize security in their connected systems.
About Ruijie Networks
Ruijie Networks is a leading provider of cloud-managed network solutions for small and medium-sized businesses (SMBs). Its flagship product, Reyee, delivers secure and scalable networking for industries ranging from retail to transportation.
Ruijie’s commitment to innovation underscores its role as a major player in global network technology.
Rounding Up
The discovery of critical vulnerabilities in Ruijie devices has shed light on the evolving risks of IoT and cloud-managed platforms.
While Ruijie has resolved the issues, the incident emphasizes the importance of proactive cybersecurity measures to safeguard sensitive data and infrastructure.
As businesses continue to adopt smart technologies, the lessons learned here can help prevent future security breaches.
FAQs
What are the key vulnerabilities found in Ruijie devices?
- Researchers identified flaws in authentication methods, RCE mechanisms, and MQTT protocol usage, which could allow attackers to gain control of devices.
How many devices were affected?
- Approximately 50,000 devices were initially impacted, but Ruijie has since resolved the issues.
What actions should Ruijie device users take?
- No user action is required, as Ruijie addressed the vulnerabilities on their cloud platform.
What is the “Open Sesame” attack?
- This attack method allows hackers to exploit Wi-Fi access points, extract serial numbers, and infiltrate internal networks.
How does this compare to past cybersecurity breaches?
- Similar to the Mirai botnet attack, this incident highlights the dangers of weak IoT security and predictable credentials.
