Planet Technology’s WGS-804HPT Switches Vulnerable to Remote Code Execution
Cybersecurity experts have unveiled three critical vulnerabilities in Planet Technology’s WGS-804HPT industrial switches, which could be exploited to facilitate pre-authentication remote code execution. These switches are integral to numerous building and home automation systems, serving a variety of networking functions. Tomer Goldschmidt of Claroty highlighted the potential risk, noting that an attacker gaining remote control over such devices could leverage them to further compromise internal network devices, enabling lateral movement within the system.
The operational technology security firm conducted a rigorous analysis of the firmware utilized in these switches, employing the QEMU framework. The identified vulnerabilities stem from the dispatcher.cgi interface designed to offer web service functionality. The first vulnerability, identified as CVE-2024-52558, carries a CVSS score of 5.3 and involves an integer underflow flaw that permits an unauthenticated attacker to send a malformed HTTP request, leading to a system crash.
The second vulnerability, CVE-2024-52320, has a critical CVSS score of 9.8, resulting from a command injection flaw that enables an attacker to execute operating system commands via a malicious HTTP request. The third identified vulnerability, CVE-2024-48871, shares the same CVSS score and pertains to a stack-based buffer overflow flaw, allowing for remote code execution through similarly crafted HTTP requests.
Exploitation of these vulnerabilities could empower attackers to hijack the execution flow by embedding shellcode in the HTTP requests, ultimately granting them the capability to execute arbitrary operating system commands. Following a responsible disclosure process, Planet Technology has released patches addressing these vulnerabilities, with the latest version, 1.305b241111, deployed on November 15, 2024.
The implications of these vulnerabilities underscore the potential risks associated with widely used automation systems, particularly in environments where security may be lax. Businesses utilizing these switches should prioritize immediate patching and consider implementing robust network segmentation to mitigate the risk of lateral movement in the event of a compromise.
Given the nature of this vulnerability, relevant tactics identified from the MITRE ATT&CK framework include initial access through exploitation of public-facing applications, as well as privilege escalation that could allow attackers to extend their influence within the network. Organizations must remain vigilant, as the exploitation of these vulnerabilities presents serious threats not only to the devices themselves but to the broader security of internal networks.
As businesses continue to incorporate automation technologies, awareness and proactive management of these risks will be crucial in safeguarding sensitive operational data and maintaining control over crucial infrastructure components.
