Wednesday, December 18, 2024

CISA: Network switch RCE flaw impacts critical infrastructure

Must read

U.S. cybersecurity agency CISA is warning about two critical vulnerabilities that allow authentication bypass and remote code execution in Optigo Networks ONS-S8 Aggregation Switch products used in critical infrastructure.

The flaws concern weak authentication problems, allowing bypassing of password requirements, and user input validation issues potentially leading to remote code execution, arbitrary file uploads, and directory traversal.

The device is used in critical infrastructure and manufacturing units worldwide, and considering that the flaws are remotely exploitable with low attack complexity, the risk is deemed very high.

Currently, no fixes are available, so users are recommended to apply suggested mitigations proposed by the Canadian vendor.

The first flaw is tracked as CVE-2024-41925 and is classified as a PHP Remote File Inclusion (RFI) problem stemming from incorrect validation or sanitation of user-supplied file paths.

An attacker could use this vulnerability to perform directory traversal, bypass authentication, and execute arbitrary remote code.

The second issue, tracked as CVE-2024-45367, is a weak authentication problem arising from improper password verification enforcement on the authentication mechanism.

Exploiting this enables an attacker to gain unauthorized access to the switches’ management interface, alter configurations, access sensitive data, or pivot to other network points.

Both problems were discovered by Claroty Team82 and are rated as critical, with a CVSS v4 score of 9.3. The vulnerabilities impact all ONS-S8 Spectra Aggregation Switch versions up to and including 1.3.7.

Securing the switches

While CISA has not seen signs of these flaws being actively exploited, system administrators are recommended to perform the following actions to mitigate the flaws:

  1. Isolate ONS-S8 management traffic by placing it on a dedicated VLAN to separate it from normal network traffic and reduce exposure.
  2. Connect to OneView only through a dedicated NIC on the BMS computer to ensure secure and exclusive access for OT network management.
  3. Configure a router firewall to whitelist specific devices, limiting OneView access only to authorized systems and preventing unauthorized access.
  4. Use a secure VPN for all connections to OneView to ensure encrypted communication and protect against potential interception.
  5. Follow CISA’s cybersecurity guidance by performing risk assessments, implementing layered security (defense-in-depth), and adhering to best practices for ICS security.

CISA recommends that organizations observing suspicious activity on these devices follow their breach protocols and report the incident to the cybersecurity agency so that it can be tracked and correlated with other incidents.

Latest article