Security researchers have discovered as many as ten security vulnerabilities in Chinese digital infrastructure maker Ruijie Networks’ devices. If exploited, these vulnerabilities let attackers remotely access these IoT devices that provide WiFi access in public areas like airports, schools, and shopping malls in over 90 countries with nothing more than a serial number in what they’re calling an “Open Sesame” attack.
Researchers Noam Moshe and Tomer Goldschmidt from Claroty Team82 discovered the vulnerabilities. They presented their findings in a presentation titled “The Insecure IoT Cloud Strikes Again: RCE on Ruijie Cloud-Connected Devices” at Black Hat Europe 2024 this week. Ruijie has patched all 10 CVEs mentioned in Claroty Team82’s report.
While all vulnerabilities pose serious threats to these devices, three stood out as critical bugs receiving a CVSS score of 9 or higher:
- CVE-2024-47547: This is a weak password recovery bug with a CVSS score of 9.4.
- CVE-2024-48874: This is a server-side request forgery vulnerability with a CVSS score of 9.8.
- CVE-2024-52324: This is a bug caused by the use of an inherently dangerous function, with a CVSS score of 9.8.
As for the “Open Sesame” attack, the attacker needs to be near a WiFi network using Ruijie access points. The attacker first captures the raw beacons sent out by the targeted WiFi network, which contain the device’s serial number. From this point, using the serial number and vulnerabilities in Ruijie’s MQTT communication, the attacker can impersonate the cloud interface used to remotely manage these devices and send a malicious message to the remote device. This message includes an OS command that opens a reverse shell on the targeted device, giving the attacker full access.
There are tens of thousands of vulnerable devices worldwide in active use. However, the researchers note that after Ruijie’s patch, the user is not required to act. The researchers also pointed out that taking over too many devices at once could alert the manufacturer, who might push a patch to fix the issue. Most attackers wouldn’t want that kind of attention, not to mention the risk of losing their attack vector.