PatchSiren cyber security CVE debrief
CVE-2024-47791 Ruijie CVE debrief
CVE-2024-47791 is a medium-severity information disclosure vulnerability affecting Ruijie Reyee OS versions 2.206.x through 2.319.x. The flaw resides in the Ruijie MQTT broker implementation, where improper access controls allow an unauthenticated attacker to subscribe to partial MQTT topics and intercept messages transmitted between devices. Published by CISA on December 3, 2024, and subsequently updated on December 10, 2024, this advisory carries a CVSS 3.1 score of 5.9 (MEDIUM) with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The attack complexity is rated HIGH, reflecting that successful exploitation requires network access and specific conditions, though no user interaction or privileges are needed. The confidentiality impact is HIGH, while integrity and availability impacts are none. Ruijie has addressed this vulnerability through cloud-based fixes, requiring no end-user action for remediation. Organizations operating affected Reyee OS deployments should verify their systems are receiving cloud updates and monitor for any anomalous MQTT traffic patterns that could indicate attempted exploitation.
- Vendor: Ruijie
- Product: Reyee OS
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-03
- Original CVE updated: 2024-12-10
- Advisory published: 2024-12-03
- Advisory updated: 2024-12-10
Who should care
Organizations deploying Ruijie Reyee OS-based networking equipment, particularly in industrial control system (ICS) or IoT environments where MQTT is used for device management and telemetry. Network administrators responsible for securing MQTT-based device communications, security teams monitoring IoT/OT networks for unauthorized data access, and compliance officers assessing information disclosure risks in connected device deployments should prioritize awareness of this vulnerability.
Technical summary
The vulnerability stems from insufficient topic-level access controls in the Ruijie MQTT broker implementation within Reyee OS. An attacker with network access can subscribe to partial topic hierarchies without authentication, enabling passive interception of device-to-device and device-to-cloud communications. The MQTT protocol's publish-subscribe architecture, when improperly secured, allows any client connecting to the broker to subscribe to topics matching wildcard patterns. In affected versions, the broker fails to enforce proper authorization checks on subscription requests, permitting unauthorized clients to receive messages intended for legitimate devices. The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N indicates network attack vector, high attack complexity, no required privileges or user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. The high attack complexity suggests that successful exploitation may require specific knowledge of topic naming conventions or network conditions. Ruijie's cloud-based remediation approach indicates the fix was implemented at the infrastructure level rather than requiring firmware updates on individual devices.
Defensive priority
medium
Recommended defensive actions
- Verify that Ruijie Reyee OS devices are connected to cloud services and receiving automatic updates
- Monitor network traffic for unauthorized MQTT subscription attempts to device topics
- Review MQTT broker access logs for anomalous subscription patterns from unexpected sources
- Ensure network segmentation limits MQTT broker exposure to untrusted networks
- Apply additional network-level access controls to MQTT broker services where feasible
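As an added example, not code from Ruijie or from the CISA advisory, the subscription-monitoring steps above can be turned into a check over broker SUBSCRIBE records: it implements MQTT 3.1.1 topic-filter matching for the `+` and `#` wildcards and flags any subscription whose filter would deliver topics belonging to other devices, which is the behaviour the technical summary describes. The log line format, the `devices/<client>/...` ownership convention and every sample record are constructed assumptions, not Ruijie's real format.

```python
import re
from collections import namedtuple

# Constructed sample SUBSCRIBE records in a hypothetical broker log format
# (not Ruijie's real log format; the field names are assumptions).
SAMPLE_LOG = """\
2024-12-04T10:01:02Z SUBSCRIBE client=dev-ap-0a1b filter=devices/dev-ap-0a1b/cmd src=10.0.5.12
2024-12-04T10:01:05Z SUBSCRIBE client=scanner-7 filter=devices/+/telemetry src=198.51.100.23
2024-12-04T10:01:09Z SUBSCRIBE client=dev-sw-77c3 filter=devices/dev-sw-77c3/# src=10.0.5.40
2024-12-04T10:01:11Z SUBSCRIBE client=unknown filter=# src=203.0.113.9
"""
# Constructed inventory of topics that legitimate devices publish or consume.
DEVICE_TOPICS = [
    "devices/dev-ap-0a1b/cmd", "devices/dev-ap-0a1b/telemetry",
    "devices/dev-sw-77c3/cmd", "devices/dev-sw-77c3/telemetry",
    "$SYS/broker/clients",
]
LINE_RE = re.compile(r"^(\S+) SUBSCRIBE client=(\S+) filter=(\S+) src=(\S+)$")
Finding = namedtuple("Finding", "ts client topic_filter src foreign_topics")

def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' matches exactly one level, '#' (last level
    only) matches all remaining levels, and neither matches a '$'-prefixed topic."""
    if topic.startswith("$") and filter_[:1] in ("+", "#"):
        return False
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True  # '#' also matches the parent level itself ('a/#' matches 'a')
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def audit_subscriptions(log_text: str, device_topics: list) -> list:
    """Flag SUBSCRIBE requests whose filter would deliver another device's topics.
    Assumes the (hypothetical) convention that client X owns everything under devices/X/."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, filt, src = m.groups()
        own_prefix = f"devices/{client}/"
        foreign = [t for t in device_topics
                   if topic_matches(filt, t) and not t.startswith(own_prefix)]
        if foreign:
            findings.append(Finding(ts, client, filt, src, foreign))
    return findings
```

On the constructed sample, the two wildcard subscriptions from outside the device population are flagged, while each device's own exact and own-prefix wildcard subscriptions are not.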
Evidence notes
CISA published advisory ICSA-24-338-01 on December 3, 2024, with Update A released December 10, 2024, adjusting CVSS scores. The vulnerability affects Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x. Ruijie reports cloud-based remediation with no end-user action required.
Official resources
- CVE-2024-47791 CVE record (CVE.org)
- CVE-2024-47791 NVD detail (NVD)
- Source item URL: cisa_csaf
2024-12-03