External risk intelligence

Ruijie RG-EW Series Routers Remote Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2021-43163

This vulnerability affects routers, which are edge networking devices typically exposed directly to the public internet by design. The flaw exists in the router's web-based management interface, a component that is commonly accessible via the internet for administrative purposes.

Remote Code Execution

Ruijienetworks Reyeeos

1.55.1915_ew_3.0\(1\)b11p55 and earlier

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in certain Ruijie Networks routers, specifically within the ReyeeOS. This flaw allows for remote code execution, meaning an attacker could potentially take control of affected devices over the network without needing any prior access or credentials. The main concern at this time is to confirm whether this specific technology is in use within our environment and, if so, to what extent it may be exposed.

  • Flaw allows remote control of routers.
  • Routers are critical internet-facing devices.
  • Confirm exposure and relevance to operations.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to the router's web interface. This would target the `checkNet` function, potentially allowing the attacker to execute arbitrary code on the device. The vulnerability can lead to complete system compromise if exploited successfully.

  • Vulnerable by internet exposure.
  • Triggered via a web interface function.
  • Leads to remote code execution.

Live Threat

Current exploitation, exposure, and threat context

A Remote Code Execution vulnerability in Ruijie Networks RG-EW Series Routers, specifically within the `checkNet` function, could allow an unauthenticated attacker to execute arbitrary code remotely. This could affect the integrity and availability of the router's services and any data passing through it when its management interface is exposed to the network.

  • Router configurations and network traffic.
  • Via exposed web interface.
  • Service disruption and data interception.

Operational Fix

Recommended remediation, mitigation, and detection steps

Identifying and mitigating this critical vulnerability requires collaboration between infrastructure, network, and security teams. The first practical step is to inventory all deployed Ruijie RG-EW Series Routers, determine their exposure to the internet, assess business criticality, and confirm the specific firmware version in use. Once ownership is established, a risk-based remediation plan, considering maintenance windows and vendor coordination, should be developed.

  • Infrastructure and security teams own resolution.
  • Verify router inventory and firmware exposure.
  • Plan remediation considering vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ReyeeOS and Ruijie RG-EW Series hardware?

ReyeeOS is the operating system powering Ruijie Networks' RG-EW series, a line of networking devices including the RG-EW1200 and RG-EW3200GX Pro. These products function as routers, serving as the central gateway for managing internet traffic and connectivity within homes or business networks.

What does CVE-2021-43163 mean for router security?

This vulnerability is classified as CWE-77, or Improper Neutralization of Special Elements used in a Command. In plain terms, the router fails to properly sanitize input before processing it. Because of this, an unauthenticated attacker can supply malicious commands to the device, leading to Remote Code Execution, where the router performs unauthorized actions dictated by the attacker.

How is the checkNet function triggered?

An attacker triggers the vulnerability by sending a specifically crafted request to the router's web-based management interface, targeting the checkNet function. It is important to note that the issue resides in how the system handles these requests; simply using the router for normal internet browsing or typical traffic routing does not trigger this flaw.

Why should I worry about internet-facing routers?

Halo Surface Signal indicates this vulnerability is highly relevant because it impacts edge networking hardware. Routers are frequently positioned at the perimeter to bridge internal networks with the public internet. If the management interface is accessible externally, the device faces a significant risk of unauthorized remote control.

Is my network affected by this Ruijie vulnerability?

To determine if you are at risk, first audit your inventory for Ruijie RG-EW series hardware and verify if they are running a version of ReyeeOS up to 1.55.1915/EW_3.0(1)B11P55. Identify which devices are exposed to the internet and coordinate with your networking team to confirm these firmware versions and establish a plan for updates or access restrictions.

References