Open Sesame Attack: Ruijie Networks Devices Vulnerable to Remote Takeover
In a critical revelation highlighting the vulnerabilities of IoT ecosystems, Team82 has published a report detailing 10 security flaws in Ruijie Networks’ Reyee cloud management platform and its associated Reyee OS network devices. These vulnerabilities, if exploited, could grant attackers the ability to execute remote code on tens of thousands of cloud-connected devices, posing a severe risk to users globally.
Ruijie Networks, a prominent provider of networking infrastructure to enterprises, educational institutions, and governments across 90 countries, offers cloud-managed solutions for remote device configuration and monitoring. However, Team82’s research reveals that this connectivity is fraught with risks. As Team82 succinctly noted, “We indeed did find 10 vulnerabilities that if exploited could expose every Ruijie-connected device and pose devastating consequences for its users.”
Using these vulnerabilities, Team82 devised an effective attack named Open Sesame, in which an attacker in close physical proximity to a Ruijie Reyee OS device sniffs its beacon messages and extracts its serial number. By exploiting Ruijie’s MQTT communication protocol, the attacker could then impersonate the cloud and inject malicious OS commands into the device. This could lead to a reverse shell, giving the attacker full control of the access point and entry into its internal network.
The simplicity of the attack is alarming. “By simply being in close proximity to a Ruijie access point, and sniffing its raw beacon messages, an attacker could leak the device’s serial number,” Team82 stated. This serial number, used as a credential, opens the door to widespread exploitation.
Team82’s research underscores the broader issue of insecure IoT devices being managed through cloud platforms. These vulnerabilities enable attackers to breach devices without requiring local network access, effectively transforming the cloud into a gateway for malicious activity.
Key vulnerabilities include:
- CVE-2024-52324: Allowed execution of arbitrary OS commands on all cloud-connected devices.
- CVE-2024-47146: Leveraged leaked serial numbers to conduct targeted attacks, bypassing authentication mechanisms.
Ruijie Networks, in collaboration with Team82 and CISA, has addressed these vulnerabilities. Updates have been implemented in the cloud, requiring no user intervention. Team82 praised Ruijie and CISA for their swift cooperation, stating, “We would like to acknowledge Ruijie Networks and CISA for their cooperation in addressing these issues, which enhances the protection of the Reyee OS platform.”
The report not only exposes flaws in Ruijie’s devices but also serves as a stark reminder of the dangers posed by insecure IoT ecosystems. As Team82 pointed out, “This is another example of weaknesses in so-called internet-of-things devices such as wireless access points, routers, and other connected things that have a fairly low barrier to entry on to the device, yet enable much deeper network attacks.”