PatchSiren cyber security CVE debrief

CVE-2024-42494 Ruijie CVE debrief

Ruijie Reyee OS versions 2.206.x through 2.319.x contain a feature that could allow sub-accounts or attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services. The vulnerability was assigned a CVSS 3.1 score of 4.9 (MEDIUM severity). CISA published this advisory on December 3, 2024, with an update on December 10, 2024, that revised CVSS scores. Ruijie reports that the issues have been fixed on the cloud side, and no action is required by end users.

Vendor: Ruijie
Product: Reyee OS
CVSS: MEDIUM 4.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-03
Original CVE updated: 2024-12-10
Advisory published: 2024-12-03
Advisory updated: 2024-12-10

Who should care

Organizations using Ruijie Reyee OS cloud-managed networking equipment, particularly those with multi-tenant or sub-account configurations.

Technical summary

A feature in Ruijie Reyee OS versions 2.206.x through 2.319.x could enable sub-accounts or attackers to view and exfiltrate sensitive information from all cloud accounts registered to Ruijie's services. The vulnerability requires high privileges (PR:H) but is exploitable over the network with low complexity. Ruijie has implemented cloud-side fixes, and no end-user action is required.

Defensive priority

medium

Recommended defensive actions

  • Verify that deployed Ruijie Reyee OS instances are running version 2.320.x or later, or confirm with Ruijie that cloud-side mitigations are active for your environment.
  • Review cloud account access logs for unauthorized data access or exfiltration activity during the exposure window.
  • Audit sub-account permissions and remove unnecessary access to cloud management functions.
  • Apply network segmentation to limit cloud management interface exposure to authorized administrative hosts only.
  • Monitor for anomalous API calls or data retrieval patterns from Ruijie cloud services.

Evidence notes

The vulnerability affects Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x. The CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.

Official resources

CISA published advisory ICSA-24-338-01 on December 3, 2024, with Update A released December 10, 2024.