Cybersecurity researchers have identified three critical vulnerabilities in Planet Technology’s WGS-804HPT industrial switches, which are widely used in building and home automation systems for various networking applications. If exploited, these vulnerabilities can enable attackers to achieve pre-authentication remote code execution (RCE) and compromise internal networks.
Overview of the Vulnerabilities
The flaws, disclosed by Claroty’s Tomer Goldschmidt, highlight significant risks associated with the affected devices. “An attacker who gains remote control of one of these devices can leverage it to exploit other systems within the internal network and facilitate lateral movement,” Goldschmidt explained in a recent report. These switches are integral to many automation systems, underscoring the severity of the threat they pose.
Claroty, a firm specializing in operational technology (OT) security, conducted an in-depth analysis of the firmware used in these switches utilizing the QEMU framework. The investigation revealed that the vulnerabilities stem from the dispatcher.cgi interface, which provides a web service for the devices. The identified vulnerabilities are as follows:
- CVE-2024-52558: An integer underflow flaw (CVSS score: 5.3) that allows an unauthenticated attacker to send a malformed HTTP request, causing the device to crash.
- CVE-2024-52320: An operating system command injection flaw (CVSS score: 9.8) that enables an unauthenticated attacker to execute arbitrary commands via a crafted HTTP request, potentially resulting in remote code execution.
- CVE-2024-48871: A stack-based buffer overflow vulnerability (CVSS score: 9.8) that can be exploited by sending a malicious HTTP request, also leading to remote code execution.
Exploitation and Impact
Successful exploitation of these flaws allows an attacker to hijack the execution flow by embedding shellcode within an HTTP request. This provides them with the capability to execute operating system commands on the affected devices. Such access can be leveraged to gain further control over the network, potentially compromising other connected systems and critical infrastructure.
The vulnerabilities are particularly alarming due to their presence in a pre-authentication context. This means attackers do not need valid credentials to exploit the flaws, significantly increasing the likelihood of successful attacks. Moreover, the high CVSS scores of CVE-2024-52320 and CVE-2024-48871 emphasize their critical nature, requiring immediate attention from affected organizations.
Technical Details
The vulnerabilities are embedded in the dispatcher.cgi interface, which acts as a key component for the switch’s web-based management services. Here’s a breakdown of how each flaw works:
- CVE-2024-52558: This integer underflow vulnerability occurs when a malformed HTTP request is processed, leading to an arithmetic error. This causes the device to crash, potentially opening a denial-of-service (DoS) attack vector.
- CVE-2024-52320: This command injection flaw allows attackers to include malicious payloads in HTTP requests. These payloads can execute system commands without requiring authentication, giving attackers complete control over the device.
- CVE-2024-48871: The stack-based buffer overflow is triggered when an HTTP request exceeds the allocated memory buffer. This overflow overwrites memory, enabling attackers to inject and execute shellcode, leading to RCE.
Mitigation and Response
Following responsible disclosure of the vulnerabilities, Planet Technology, a Taiwanese company specializing in industrial and networking solutions, has released firmware updates to address the flaws. Organizations using WGS-804HPT switches are strongly advised to apply these updates immediately to mitigate the risks.
For users unable to deploy the updates promptly, it is recommended to implement the following measures to reduce exposure:
- Restrict network access to the switches by implementing firewalls and access control lists (ACLs).
- Disable unnecessary services and features on the devices to minimize potential attack vectors.
- Monitor network traffic for suspicious activity, particularly unusual HTTP requests targeting the dispatcher.cgi interface.
- Use virtual LANs (VLANs) to segment networks and isolate critical systems from vulnerable devices.
Broader Implications
The discovery of these vulnerabilities raises concerns about the security of industrial IoT and OT devices. As automation systems become increasingly interconnected, the attack surface expands, providing more opportunities for threat actors to exploit weaknesses. Vulnerabilities in widely used devices such as the WGS-804HPT switches can have far-reaching consequences, including disruption of critical infrastructure, data breaches, and financial losses.
This case underscores the importance of adopting a proactive approach to cybersecurity, particularly in OT environments. Regular security assessments, timely patch management, and robust network segmentation are essential to safeguarding such systems.
Conclusion
The critical flaws in Planet Technology’s WGS-804HPT switches highlight the urgent need for enhanced security measures in industrial and home automation systems. Organizations using these devices must act swiftly to address the vulnerabilities by applying the available patches and implementing additional security controls. As attackers continue to target IoT and OT devices, ensuring the security of these systems will be crucial to protecting networks and preventing exploitation.
By prioritizing cybersecurity, organizations can mitigate risks and safeguard their operations against emerging threats.
