U.S. cybersecurity agency CISA is warning about two critical vulnerabilities that enable authentication bypass and remote code execution in Optigo Networks ONS-S8 Aggregation Switch products used in critical infrastructure.
The flaws concern weak authentication, which permits bypassing password requirements, and user input validation issues that can lead to remote code execution, arbitrary file uploads, and directory traversal.
The device is used in critical infrastructure and manufacturing units worldwide, and considering that the flaws are remotely exploitable with low attack complexity, the risk is deemed very high.
Currently, no fixes are available, so users are advised to apply the mitigations proposed by the Canadian vendor.
The first flaw is tracked as CVE-2024-41925 and is classified as a PHP Remote File Inclusion (RFI) problem stemming from incorrect validation or sanitization of user-supplied file paths.
An attacker could use this vulnerability to perform directory traversal, bypass authentication, and execute arbitrary remote code.
The second issue, tracked as CVE-2024-45367, is a weak authentication problem arising from improper password verification enforcement on the authentication mechanism.
Exploiting this allows an attacker to gain unauthorized access to the switches’ management interface, alter configurations, access sensitive data, or pivot to other network points.
Both problems were discovered by Claroty Team82 and are rated as critical, with a CVSS v4 score of 9.3. The vulnerabilities impact all ONS-S8 Spectra Aggregation Switch versions up to and including 1.3.7.
Securing the switches
While CISA has not seen signs of these flaws being actively exploited, system administrators are advised to perform the following actions to mitigate the flaws:
- Isolate ONS-S8 management traffic by placing it on a dedicated VLAN to separate it from normal network traffic and reduce exposure.
- Connect to OneView only through a dedicated NIC on the BMS computer to ensure secure and exclusive access for OT network management.
- Configure a router firewall to whitelist specific devices, limiting OneView access only to authorized systems and preventing unauthorized access.
- Use a secure VPN for all connections to OneView to ensure encrypted communication and protect against potential interception.
- Follow CISA’s cybersecurity guidance by performing risk assessments, implementing layered security (defense-in-depth), and adhering to best practices for ICS security.
CISA recommends that organizations observing suspicious activity on these devices follow their breach protocols and report the incident to the cybersecurity agency so that it can be tracked and correlated with other incidents.