Cybersecurity researchers have discovered several security flaws in a cloud management platform developed by Ruijie Networks that could allow an attacker to take control of network devices.
“These vulnerabilities affect both the Reyee platform, as well as Reyee OS network devices,” Noam Moshe and Tomer Goldschmidt, researchers at Claroty, said in a recent analysis. “If exploited, the vulnerabilities could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices.”
The operational technology (OT) security firm, which conducted in-depth research on the Internet of Things (IoT) vendor, said it not only identified 10 flaws, but also devised an attack called “Open Sesame” that could be used to compromise an access point in physical proximity via the cloud and gain access. Unauthorized access to its network.
Of the ten vulnerabilities, three are rated as critical in terms of severity –
CVE-2024-47547 (CVSS score 9.4) – Use of a weak password recovery mechanism which leaves the authentication mechanism vulnerable to brute force attacks CVE-2024-48874 (CVSS score 9.8) – Server-side request forgery (SSRF) vulnerability that can be exploited for access To the internal services used by Ruijie and its own internal cloud infrastructure via AWS Cloud Metadata Services CVE-2024-52324 (CVSS Score: 9.8) – Use of an inherently dangerous function that could allow an attacker to send a malicious MQTT message that could cause devices to execute arbitrary commands to the operating system
Claroty's research also found that it is easy to crack MQTT authentication by simply knowing the device's serial number (CVE-2024-45722, CVSS score: 7.5), then exploiting access to Ruijie's MQTT broker in order to obtain a complete list of all cloud software. Serial numbers of connected devices.
“Using the leaked serial numbers, we can generate valid authentication credentials for all devices connected to the cloud,” the researchers said. “This means we can perform a wide range of denial-of-service attacks, including disconnecting devices by authenticating on their behalf, even sending fabricated messages and events to the cloud, and sending false data to users of these devices.”
Knowledge of the device serial number can also be used to access all MQTT message queues and issue malicious commands that can then be executed on all devices connected to the cloud (CVE-2024-52324).
That's not all. An attacker physically adjacent to a Wi-Fi network using Ruijie access points could also extract the device's serial number by intercepting raw Wi-Fi signals, and then leverage other vulnerabilities in the MQTT connection to achieve remote code execution. The CVE ID for the Open Sesame attack has been assigned to CVE-2024-47146 (CVSS score: 7.5).
After responsible disclosure, the Chinese company has fixed all identified deficiencies in the cloud and no action is required on the part of the user. It is estimated that around 50,000 cloud-connected devices were affected by these bugs.
“This is another example of vulnerabilities in so-called Internet of Things devices like wireless access points, routers and other connected things that have a fairly low barrier to entry into the device, yet enable deeper attacks on the network.” The researchers said.
The revelation comes as security model PCAutomotive reported 12 vulnerabilities in the MIB3 infotainment module used in some Skoda cars that malicious actors could string together to achieve code execution, track the cars' location in real-time, and record conversations via an existing microphone. Inside the car. Take screenshots of the infotainment display, and even filter out contact information.
The flaws (CVE-2023-28902 to CVE-2023-29113) allow attackers to “obtain code execution on the MIB3 infotainment module via Bluetooth, elevate root privileges, and bypass secure boot to gain persistent code execution and take control of the infotainment module.” Entertainment via DNS channel every time the car starts, researchers at PCAutomotive said.
This discovery adds to nine other flaws (CVE-2023-28895 to CVE-2023-28901) identified in the MIB3 infotainment module in late 2022 that could allow attackers to initiate a denial of service, bypass UDS authentication, and obtain vehicle data. These are the distance traveled, the duration of the last trip, and the average and maximum = the maximum speed of the trip – by knowing the vehicle’s VIN number only.
