Cybersecurity researchers have discovered several security flaws in a cloud management platform developed by Ruijie Networks that could allow an attacker to take control of network devices.
“These vulnerabilities affect both the Reyee platform and Reyee OS networking devices,” Claroty researchers Noam Moshe and Tomer Goldschmidt said in a recent analysis. “These vulnerabilities, if exploited, could allow an attacker to execute code on any cloud device, giving them the ability to control tens of thousands of devices.”
The operational technology (OT) security company, which conducted in-depth research into the Internet of Things (IoT) vendor, said it not only discovered 10 flaws but also devised an attack called “Open Sesame” that could be used to compromise an access point in close physical proximity through the cloud and gain unauthorized access to its network.
Of the 10 vulnerabilities, three are rated critical in severity:
- CVE-2024-47547 (CVSS score: 9.4) – Use of a weak password recovery mechanism that leaves the authentication mechanism vulnerable to brute-force attacks
- CVE-2024-48874 (CVSS score: 9.8) – A server-side request forgery (SSRF) vulnerability that could be used to access internal services used by Ruijie and its internal cloud infrastructure via AWS cloud metadata services
- CVE-2024-52324 (CVSS score: 9.8) – Use of an inherently dangerous function that could allow an attacker to send a malicious MQTT message causing devices to execute arbitrary operating system commands
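The SSRF item above is the classic cloud variant: a server fetches a user-supplied URL, and the instance metadata service on the link-local address is reachable from inside the instance. The following is an added example of the destination check a defender puts in front of such a fetch; it is not Ruijie's or Claroty's code. Host names, the DNS table and the `api.vendor.example` / `metadata.vendor.example` names are constructed for the demonstration, and the blocked-range list is illustrative rather than exhaustive.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Destinations a cloud service must never fetch on a user's behalf: loopback,
# link-local (where the AWS instance metadata service lives), RFC 1918 and
# other non-public ranges. Illustrative list, not exhaustive.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",      # includes 169.254.169.254, the IMDS endpoint
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
    "fd00:ec2::254/128",   # IMDS IPv6 endpoint
)]


def system_resolver(host):
    """Resolve a host name to every address it maps to (A and AAAA records)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def destination_addresses(host, resolver=system_resolver):
    """IP literals pass straight through; names go through the resolver."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        return {ipaddress.ip_address(a) for a in resolver(host)}


def is_safe_destination(url, resolver=system_resolver):
    """True only if every address the URL can reach is a public one."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # user@host forms are a common obfuscation; refuse them
    try:
        addrs = destination_addresses(parts.hostname, resolver)
    except (OSError, ValueError, LookupError):
        return False  # resolution failed or unknown host: fail closed
    if not addrs:
        return False
    for ip in addrs:
        # Unwrap ::ffff:a.b.c.d so the IPv4 ranges apply to mapped addresses.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False
    return True


# Constructed DNS table so the demonstration runs offline.
FAKE_DNS = {
    "api.vendor.example": {"203.0.113.10"},          # ordinary public host
    "metadata.vendor.example": {"169.254.169.254"},  # a name aimed at IMDS
}


def fake_resolver(host):
    return FAKE_DNS[host]


def demo():
    """Run the check over a few constructed URLs; returns {url: allowed}."""
    return {u: is_safe_destination(u, fake_resolver) for u in (
        "https://api.vendor.example/v1/status",
        "http://metadata.vendor.example/",
        "http://169.254.169.254/",
        "http://[::ffff:169.254.169.254]/",
        "http://[fd00:ec2::254]/",
        "file:///etc/passwd",
    )}


if __name__ == "__main__":
    for url, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {url}")
```

The check resolves the name itself so that a public-looking host name pointing at a link-local address is caught, and it rejects IPv4-mapped IPv6 forms of the same address. Two caveats for production use: the address checked here must be the one actually connected to (otherwise a DNS answer can change between check and fetch), and on AWS the metadata service should additionally be configured to require IMDSv2 session tokens, which a plain SSRF GET cannot obtain.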
Claroty’s research also revealed that MQTT authentication can be broken simply by knowing a device’s serial number (CVE-2024-45722, CVSS score: 7.5), after which access to Ruijie’s MQTT broker can be used to obtain a complete list of the serial numbers of all cloud-connected devices.
“Using leaked serial numbers, we could generate valid authentication credentials for all cloud-connected devices,” the researchers said. “This meant we could perform a wide range of denial-of-service attacks, including disabling devices by authenticating on their behalf and even sending fabricated messages and events to the cloud; sending false data to users of these devices.”
Knowing the device’s serial number could additionally be used to access all MQTT message queues and issue malicious commands that would then be executed on all cloud-connected devices (CVE-2024-52324).
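The chain in the last three paragraphs rests on two broker-side weaknesses: a credential that anyone holding a serial number can reproduce, and a namespace in which one authenticated client can reach every other device’s queues. The example below is an added illustration of the two defensive properties that break that chain, modelled as a small broker-side registry and topic ACL; it is not Ruijie’s, Claroty’s or any real MQTT broker’s code, the article does not describe how the vendor’s credentials were actually derived, and the `weak_credential` function is a generic anti-pattern shown only for contrast. Serial numbers and the `devices/<serial>/...` topic layout are constructed.

```python
import hashlib
import hmac
import secrets


def weak_credential(serial):
    """Anti-pattern: a credential derived only from the serial number.
    Serials are broadcast in Wi-Fi beacons and enumerable from the broker, so
    anyone can recompute this value; it is authentication in name only."""
    return hashlib.sha256(serial.encode()).digest()


class DeviceRegistry:
    """Cloud-side store of per-device random secrets, provisioned at
    manufacture (a constructed model of a provisioning database)."""

    def __init__(self):
        self._secrets = {}

    def provision(self, serial):
        # The secret is random and independent of the serial, so knowing the
        # serial reveals nothing about it.
        secret = secrets.token_bytes(32)
        self._secrets[serial] = secret
        return secret

    def authenticate(self, serial, nonce, tag):
        """Challenge-response: the client proves possession of its secret by
        returning HMAC(secret, broker_nonce). Constant-time comparison."""
        secret = self._secrets.get(serial)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def device_sign(secret, nonce):
    """Client side of the challenge-response."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def authorize(serial, action, topic):
    """Topic ACL: a device may publish only to its own event topic and
    subscribe only to its own command topic. Wildcards are never granted, so
    one compromised credential cannot read or command the whole fleet."""
    if "#" in topic or "+" in topic:
        return False
    allowed = {
        "publish": f"devices/{serial}/events",
        "subscribe": f"devices/{serial}/commands",
    }
    return allowed.get(action) == topic


def demo():
    """Returns (legitimate_login_ok, serial_only_login_ok)."""
    registry = DeviceRegistry()
    real_secret = registry.provision("SN-0001")
    nonce = secrets.token_bytes(16)
    legitimate = registry.authenticate(
        "SN-0001", nonce, device_sign(real_secret, nonce))
    # A party that knows only the serial tries the serial-derived credential.
    serial_only = registry.authenticate(
        "SN-0001", nonce, device_sign(weak_credential("SN-0001"), nonce))
    return legitimate, serial_only


if __name__ == "__main__":
    print("legitimate device accepted, serial-only rejected:", demo())
    print("own events topic:", authorize("SN-0001", "publish", "devices/SN-0001/events"))
    print("fleet wildcard:", authorize("SN-0001", "subscribe", "devices/#"))
```

The two functions address the two halves of the reported chain separately: `DeviceRegistry.authenticate` makes the serial number worthless as a credential, and `authorize` keeps a device that does authenticate inside its own topic pair, so neither a leaked serial list nor a single stolen device secret translates into control of every cloud-connected device.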
That’s not all. An attacker in physical proximity to a Wi-Fi network using Ruijie access points can also obtain a device’s serial number by intercepting raw Wi-Fi beacons and then exploit the other vulnerabilities in the MQTT communication to achieve remote code execution. The Open Sesame attack was assigned the identifier CVE-2024-47146 (CVSS score: 7.5).
Following responsible disclosure, all identified flaws have been fixed by the Chinese company in its cloud, and no user action is required. An estimated 50,000 cloud-connected devices could be affected by these bugs.
“This is another example of weaknesses in so-called Internet of Things devices, such as wireless access points, routers and other connected things, which have a fairly low barrier to entry to the device, but allow much deeper network attacks,” the researchers said.
The disclosure comes as the security firm PCAutomotive identified 12 vulnerabilities in the MIB3 infotainment unit used in some Skoda cars, which attackers could chain together to execute code, track a car’s real-time location, record conversations through the in-car microphone, take screenshots of the infotainment screen and even steal contact information.
The vulnerabilities (CVE-2023-28902 through CVE-2023-29113) allow attackers to “execute code on the MIB3 infotainment unit via Bluetooth, elevate privileges to root, bypass secure boot for persistent code execution, and control the infotainment unit via DNS channel every time the car is started,” PCAutomotive researchers said.
The disclosure complements nine other flaws (CVE-2023-28895 to CVE-2023-28901) identified in the MIB3 infotainment unit in late 2022 that could allow attackers to cause a denial of service, bypass UDS authentication, and obtain vehicle data such as mileage, the duration of the most recent trip, and the trip’s average and maximum speed, knowing only the vehicle’s VIN.