CVE-2023-30308
Description
Multiple Ruijie routers (EG210G-P, EG105G-V2, NBR, EG105G) allow off-path attackers to hijack TCP sessions via NAT port preservation and insufficient reverse path validation, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ruijie EG210G-P, EG105G-V2, NBR, and EG105G routers are affected by a vulnerability in their Network Address Translation (NAT) implementation. The routers employ a NAT port preservation strategy that, combined with insufficient reverse path validation and a disabled TCP window tracking strategy, allows an off-path attacker to infer the existence of TCP connections between a victim client on the local network and an external server, and subsequently hijack those sessions. The research [1] tested 67 routers from 30 vendors, finding 52 affected; the Ruijie models listed were identified as vulnerable.
Exploitation
The attacker must be on the same local network as the victim, with no access to the victim's or server's traffic (off-path position). The attack exploits the NAT port preservation strategy to detect active TCP connections. By sending forged TCP packets to the router, the attacker can evict the original NAT mapping and establish a new mapping, allowing interception of server packets and extraction of current TCP sequence and acknowledgment numbers. This enables session hijacking: the attacker can forcibly close the connection (DoS), poison plaintext traffic (e.g., inject fake HTTP responses), or reroute server packets to the attacker. The research [1] demonstrated successful attacks with average times of 17.5 seconds for SSH termination, 19.4 seconds for FTP file download, and 54.5 seconds for HTTP injection.
Impact
Successful exploitation allows the attacker to hijack TCP sessions, leading to denial of service (connection closure), manipulation of plaintext communications (traffic injection), or theft of in-transit data (via rerouting server responses). The impact is limited to TCP connections that are unencrypted or where the attacker can inject plaintext payloads; encrypted connections (e.g., HTTPS) may be terminated but not deciphered. The attacker operates from the same LAN and does not require authentication to the router.
Mitigation
Ruijie has not publicly released a firmware patch for the affected models as of the publication date. The NDSS paper [1] suggests mitigation strategies including randomizing NAT port assignment, enabling TCP window tracking, and implementing proper reverse path validation. Users should consider network segmentation, disabling unnecessary NAT services, or using VPNs to protect sensitive TCP connections until a vendor fix is available.
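The three hardening controls named above can be modelled in a small NAT translation table. The following is an added illustration, not Ruijie firmware or code from the cited paper; the LAN prefix, the mapping fields and the packet values are constructed assumptions.

```python
"""Toy model of the NAT checks named above: randomized external port
allocation, reverse path validation and TCP window tracking.
Constructed example; not vendor code."""
import secrets
from dataclasses import dataclass

LAN_IF, WAN_IF = "lan", "wan"
LAN_PREFIX = "192.168.1."          # assumed LAN address range (constructed)


@dataclass
class Mapping:
    int_ip: str          # internal client address
    int_port: int        # internal client port
    ext_port: int        # external port chosen by the NAT
    dst_ip: str          # external server address
    dst_port: int        # external server port
    next_seq: int        # next server sequence number the client expects
    window: int          # receive window advertised by the client


def allocate_ext_port(int_port: int, used: set, preserve: bool) -> int:
    """Port preservation reuses the internal port when free; randomized
    allocation draws an unused port so the mapping cannot be guessed."""
    if preserve and int_port not in used:
        return int_port
    while True:
        p = 1024 + secrets.randbelow(65536 - 1024)   # 1024..65535
        if p not in used:
            return p


def reverse_path_ok(src_ip: str, ingress: str) -> bool:
    """A source address must belong to the side it arrived on: a WAN-side
    address arriving on the LAN interface fails the check."""
    is_lan_addr = src_ip.startswith(LAN_PREFIX)
    return is_lan_addr == (ingress == LAN_IF)


def in_window(seq: int, m: Mapping) -> bool:
    """Window tracking: only segments inside the client's receive window
    may touch the mapping's state."""
    return m.next_seq <= seq < m.next_seq + m.window


def accept_inbound(m: Mapping, src_ip: str, src_port: int,
                   seq: int, ingress: str) -> bool:
    """Decide whether an inbound segment may be translated through `m`."""
    if not reverse_path_ok(src_ip, ingress):
        return False
    if (src_ip, src_port) != (m.dst_ip, m.dst_port):   # must match the peer
        return False
    return in_window(seq, m)
```

With all three checks in place a segment carrying the server's address but arriving on the LAN interface, or carrying a sequence number outside the client's window, is never applied to the mapping.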
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Ruijie: EG210G-P, EG105G-V2, NBR, and EG105G routers
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.