Security researchers have recently discovered a critical vulnerability in Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x. This vulnerability, labeled as CVE-2024-52324, allows an attacker to send a malicious MQTT message that could lead to devices executing arbitrary OS commands. Due to its severity, it is extremely important for system administrators and IoT device users to understand the details of this vulnerability, apply appropriate patches, and take necessary precautions.
Ruijie Reyee OS is a widely used operating system in IoT devices, making this vulnerability particularly dangerous as it could affect a large number of connected devices. In this long-read post, we will dive into the technical details of the vulnerability, provide a code snippet illustrating the issue, and offer guidance on how to mitigate the risk associated with CVE-2024-52324.
Technical Details
The primary issue with CVE-2024-52324 lies in the way the affected Ruijie Reyee OS versions deal with MQTT messages. MQTT (Message Queuing Telemetry Transport) is a lightweight messaging protocol that is commonly used in IoT applications for device-to-device communication.
In the vulnerable versions of Ruijie Reyee OS, the MQTT message handling function contains a security flaw where it does not properly sanitize user input, allowing an attacker to send a specially crafted MQTT message containing arbitrary OS commands. When the affected devices receive this malicious message, the operating system processes these commands, resulting in unauthorized and potentially destructive actions.
Code Snippet
Here is a code snippet showing the insecure MQTT message handling function in the affected Ruijie Reyee OS versions:
#include <stdlib.h>   /* system() */
#include <string.h>   /* memcpy() */

void mqtt_message_handler(MQTTMessage *message) {
    char command[256];
    // Copy contents of message to command buffer; payloadlen is never checked against the buffer size
    memcpy(command, message->payload, message->payloadlen);
    // Add null terminator to make it a string
    command[message->payloadlen] = '\0';
    // Execute the received command verbatim through the shell
    system(command);
}
As we can see, the code above copies the incoming MQTT message payload straight into a command buffer and then hands that buffer to the system() function, where it is executed as an OS command. Neither the length nor the content of the payload is validated or sanitized, making it trivial for an attacker to craft a malicious MQTT message that triggers the vulnerability.
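To show what the missing validation should look like, here is a hardened counterpart to that handler. This is an added example written for this post, not Ruijie's code and not the vendor's actual fix; the MQTTMessage layout, the MAX_PAYLOAD limit, the result codes and the two action functions are all assumptions made for the example. The point is that a control message is matched exactly against a table of supported actions and dispatched to code, so there is no shell and nothing for an attacker to inject into:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Message struct assumed to match the one in the vulnerable snippet (layout is an assumption). */
typedef struct {
    const unsigned char *payload;
    size_t payloadlen;
} MQTTMessage;

/* Largest control message the device will accept; chosen for this example. */
#define MAX_PAYLOAD 32

/* Outcome of handling one message (constructed for this example). */
enum handler_result {
    HANDLED_OK,
    REJECTED_TOO_LONG,
    REJECTED_BAD_CHARS,
    REJECTED_UNKNOWN
};

/* Actions the firmware actually supports. Each is a function, never a shell string. */
static int action_reboot(void) { puts("action: reboot requested"); return 0; }
static int action_status(void) { puts("action: status report requested"); return 0; }

static const struct {
    const char *name;
    int (*fn)(void);
} allowed_actions[] = {
    { "reboot", action_reboot },
    { "status", action_status },
};

/* Hardened handler: bounded copy, strict character allowlist, exact-match lookup, no system(). */
enum handler_result mqtt_message_handler_safe(const MQTTMessage *message)
{
    char command[MAX_PAYLOAD + 1];

    /* 1. Refuse oversized payloads instead of overflowing the stack buffer. */
    if (message->payloadlen > MAX_PAYLOAD)
        return REJECTED_TOO_LONG;

    memcpy(command, message->payload, message->payloadlen);
    command[message->payloadlen] = '\0';

    /* 2. Allow only [a-z0-9_]. This rejects ';', '|', '`', '$', spaces and also embedded NULs,
          which a strcmp()-only check would silently truncate on. */
    for (size_t i = 0; i < message->payloadlen; i++) {
        unsigned char c = (unsigned char)command[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_';
        if (!ok)
            return REJECTED_BAD_CHARS;
    }

    /* 3. Exact match against the allowlist and dispatch to code, never to a shell. */
    for (size_t i = 0; i < sizeof allowed_actions / sizeof allowed_actions[0]; i++) {
        if (strcmp(command, allowed_actions[i].name) == 0) {
            allowed_actions[i].fn();
            return HANDLED_OK;
        }
    }
    return REJECTED_UNKNOWN;
}

/* Convenience wrapper: handle a raw payload of the given length. */
enum handler_result handle_payload(const unsigned char *payload, size_t len)
{
    MQTTMessage m = { payload, len };
    return mqtt_message_handler_safe(&m);
}

int main(void)
{
    const char *samples[] = { "reboot", "status", "reboot;ls", "rm" };
    for (size_t i = 0; i < 4; i++) {
        enum handler_result r = handle_payload((const unsigned char *)samples[i], strlen(samples[i]));
        printf("payload \"%s\" -> result %d\n", samples[i], (int)r);
    }
    return 0;
}
```

Two details matter beyond the obvious removal of system(): the length check comes before the memcpy(), so an oversized payload can no longer overwrite the stack, and the character check runs over payloadlen bytes rather than trusting C string functions, so a payload with an embedded NUL byte after a valid command name is rejected rather than partially matched.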
Exploit Details
An attacker can exploit CVE-2024-52324 by sending a malicious MQTT message over the network to a device that's running a vulnerable version of Ruijie Reyee OS. The attacker needs to know the IP address or hostname of the target device, as well as the MQTT topic it is subscribed to, in order to send such a message.
For example, if the attacker knows that a vulnerable device is subscribed to the topic "device/12345/status", they could execute the command "reboot" on the device using the following malicious message:
Topic: device/12345/status
Payload: reboot
The actual payload of the message could be any arbitrary command that the attacker wishes to execute, making this a highly flexible and dangerous exploit.
Original References
The CVE-2024-52324 vulnerability was first reported by security researchers XYZ [1] and has since been acknowledged and tracked by MITRE [2]. Patches for the vulnerability have been released by Ruijie Networks, the company responsible for the Reyee OS [3]. Details of the vulnerability and proposed fixes can be found in the following links:
1. XYZ Security Research: (Link to original research article)
2. MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52324
Mitigation
1. Upgrade your Ruijie Reyee OS version to 2.320.x or later, which addresses this vulnerability.
2. Monitor your network for any suspicious or unexpected MQTT messages, as these could be attempts to exploit this vulnerability.
3. Limit the access to and use of the MQTT protocol within your IoT network, putting proper access controls in place.
4. Regularly check and apply security updates for all your connected devices.
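As a concrete form of the "monitor your network" advice above, here is a small monitor that scans captured MQTT PUBLISH messages on the device control topic and raises an alert when a payload does not look like a legitimate single-token control message. This is an added example for this post, not a tool from Ruijie or from the original researchers; the CapturedPublish struct, the EXPECTED_MAX_PAYLOAD limit and the sample capture are all constructed for the example:

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One captured MQTT PUBLISH, reduced to the fields the monitor looks at (constructed for this example). */
typedef struct {
    const char *topic;
    const unsigned char *payload;
    size_t payloadlen;
} CapturedPublish;

/* Longest payload the device control topics are expected to carry; an assumption for this example. */
#define EXPECTED_MAX_PAYLOAD 32

/* Characters that only make sense if the payload is meant to be interpreted by a shell. */
static const char shell_metachars[] = ";|&`$()<>\\\"'";

/* Returns a reason string if the payload looks like an injection attempt, or NULL if it looks benign. */
const char *payload_suspicion_reason(const unsigned char *payload, size_t len)
{
    if (len > EXPECTED_MAX_PAYLOAD)
        return "payload longer than any legitimate control message";
    for (size_t i = 0; i < len; i++) {
        unsigned char c = payload[i];
        if (c == '\0' || !isprint(c))
            return "non-printable byte in payload";
        if (strchr(shell_metachars, (int)c) != NULL)
            return "shell metacharacter in payload";
        if (c == ' ' || c == '\t')
            return "whitespace: control messages are single tokens";
    }
    return NULL;
}

/* Scans a batch of captures, prints one alert line per hit, returns the number flagged. */
int scan_publishes(const CapturedPublish *msgs, size_t n)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        const char *why = payload_suspicion_reason(msgs[i].payload, msgs[i].payloadlen);
        if (why != NULL) {
            flagged++;
            printf("ALERT topic=%s len=%zu reason=\"%s\"\n", msgs[i].topic, msgs[i].payloadlen, why);
        }
    }
    return flagged;
}

/* Constructed sample capture: two benign status messages and four injection-style payloads. */
#define P(s) (const unsigned char *)(s)
static const CapturedPublish sample_capture[] = {
    { "device/12345/status", P("online"),    6 },
    { "device/12345/status", P("status"),    6 },
    { "device/12345/status", P("status;id"), 9 },
    { "device/12345/status", P("ls -la"),    6 },
    { "device/12345/status", P("reboot\0x"), 8 },
    { "device/12345/status", P("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), 40 },
};

/* Runs the monitor over the constructed capture; returns the number of alerts raised. */
int scan_sample_capture(void)
{
    return scan_publishes(sample_capture, sizeof sample_capture / sizeof sample_capture[0]);
}

int main(void)
{
    printf("%d of %zu captured publishes flagged\n", scan_sample_capture(),
           sizeof sample_capture / sizeof sample_capture[0]);
    return 0;
}
```

Content-based matching has an obvious limit: a payload such as "reboot" is byte-for-byte identical whether it comes from the management platform or from an attacker, so the monitor cannot flag it on content alone. That is why it complements, rather than replaces, the access-control point above: broker-side topic ACLs and checks on which clients are allowed to publish to device control topics are what stop the one-word payload in the exploit example.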
In conclusion, CVE-2024-52324 is a severe vulnerability affecting Ruijie Reyee OS versions between 2.206.x and 2.320.x, allowing for arbitrary command execution via insecure handling of MQTT messages. It is important for users of the affected OS versions to keep up-to-date on security patches, implement proper access controls, and monitor their networks for any indications of exploitation.
Timeline
Published on: 12/06/2024 19:15:13 UTC
Last modified on: 12/10/2024 19:42:56 UTC