Compare Products

Hide

Clear All

VS

Home > Security Bulletins >Security Advisory about the Command Injection Vulnerability Involving the Eweb Management System

Security Advisory about the Command Injection Vulnerability Involving the Eweb Management System

Released on: May 24, 2023
Updated on: May 24, 2023

According to external reports, a command injection vulnerability exists on the Eweb management system of some Ruijie products. The details are as follows:

  1. 1.Description

Certain Eweb management systems are susceptible to remote code injection attacks. This allows unauthorized attackers to exploit this vulnerability to gain control over the device.

  1. 2.Source

This vulnerability was discovered in the test by Wang Jincheng from the X1cT34m team of Nanjing University of Posts and Telecommunications. Ruijie expresses gratitude for the attention of Wang Jincheng paid to Ruijie product security.

  1. 3.Affected Products and Versions

Involved product models and software versions include:

Model

Software Version

Reyee NBS3/5/6/7 Series

SWITCH_3.0(1)B11P219 and earlier versions, excluding R219.

Reyee EG Series

EG_3.0(1)B11P219 and earlier versions, excluding R219.

Reyee EAP/RAP/NBC Series

AP_3.0(1)B11P219 and earlier versions, excluding R219.

Reyee EW Series

EW_3.0(1)B11P219 and earlier versions, excluding R219.
  1. 4.Vulnerability Level

Vulnerabilities are scored base on the CVSS v3.1 scoring system. For details, see: https://www.first.org/cvss/v3.1/specification-document

CVSS3.1 base score: 9.8
CVSS v3.1 Vector: AV:AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  1. 5.Workaround

N/A

  1. 6.Solution

Model

Software Version

Description

See Model in the Affected Products and Versions.

https://www.ruijienetworks.com/resources/products/?activeName=software

The latest version has been released on Ruijie Cloud and the official website. Please upgrade promptly.
  1. 7.Follow-up Improvement Plan

Ruijie is always customer-centric and protects the ultimate interests of users with best efforts. Ruijie adheres to the responsible disclosure of security incidents and handles product security issues through the product security incident response mechanism. Customers can access Ruijie product security information by visiting the Ruijie PSIRT website or promptly provide security information feedback through the following website: https://www.ruijienetworks.com/support/securityBulletins.

Ruijie will continue to monitor this vulnerability, and relevant investigations are still ongoing. If there is any progress, this security advisory will be updated at the first opportunity. Please pay attention to updates.

You can contact us through the following channels:

Support:https://www.ruijienetworks.com/support

Live Chat(English):https://networks.s5.udesk.cn/im_client/?web_plugin_id=1296&language=en-us

Live Chat(Español):https://networks.s5.udesk.cn/im_client/?web_plugin_id=1575&language=es

Community:https://community.ruijienetworks.com/portal.php

Hotline:

 

To report a security vulnerability in Ruijie products and solutions, please send it to PSIRT@ruijie.com.cn.

 

 

 

Ruijie Networks Co., Ltd.

May 22, 2023

Vulnerability Response Mechanism

Ruijie PSIRT addresses the reported potential vulnerabilities in accordance with the vulnerability handling process. Learn More

Vulnerability Reporting

Security vulnerability reporters can submit potential security vulnerabilities to Ruijie PSIRT mailbox. Learn More

Ruijie Networks websites use cookies to deliver and improve the website experience.

See our cookie policy for further details on how we use cookies and how to change your cookie settings.

Accept All

Manage Cookies

Cookie Manager

When you visit any website, the website will store or retrieve the information on your browser. This process is mostly in the form of cookies. Such information may involve your personal information, preferences or equipment, and is mainly used to enable the website to provide services in accordance with your expectations. Such information usually does not directly identify your personal information, but it can provide you with a more personalized network experience. We fully respect your privacy, so you can choose not to allow certain types of cookies. You only need to click on the names of different cookie categories to learn more and change the default settings. However, blocking certain types of cookies may affect your website experience and the services we can provide you.

  • Performance cookies

    Through this type of cookie, we can count website visits and traffic sources in order to evaluate and improve the performance of our website. This type of cookie can also help us understand the popularity of the page and the activity of visitors on the site. All information collected by such cookies will be aggregated to ensure the anonymity of the information. If you do not allow such cookies, we will have no way of knowing when you visited our website, and we will not be able to monitor website performance.

  • Essential cookies

    This type of cookie is necessary for the normal operation of the website and cannot be turned off in our system. Usually, they are only set for the actions you do, which are equivalent to service requests, such as setting your privacy preferences, logging in, or filling out forms. You can set your browser to block or remind you of such cookies, but certain functions of the website will not be available. Such cookies do not store any personally identifiable information.

Accept All

View Cookie Policy Details

Contact Us

Contact Us

How can we help you?

Contact Us

Get an Order help

Contact Us

Get a tech support