The Register: Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing

Source URL: https://www.theregister.com/2024/10/02/cisa_optigo_switch_flaws/
Source: The Register
Title: Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing

Feedly Summary: Poor use of PHP include() strikes again
Two trivial but critical security holes have been found in Optigo’s Spectra Aggregation Switch, and so far no patch is available.…

AI Summary and Description: Yes

Summary: The text highlights significant security vulnerabilities in Optigo’s Spectra Aggregation Switch, which can be exploited by remote attackers to infiltrate critical manufacturing networks. With vulnerabilities rated CVSS v4 9.3, the research underlines the urgency of securing these devices and the possible risks associated with unmitigated access.

Detailed Description: The text discusses two critical security vulnerabilities identified in Optigo’s Spectra Aggregation Switch, both with high CVSS v4 severity scores of 9.3. Here’s a breakdown of the major points:

– **Vulnerability Identification**:
– Two vulnerabilities have been revealed that allow remote attackers to potentially exploit the hardware.
– The software versions affected are 1.3.7 and earlier of the Spectra Aggregation Switch.

– **Nature of Vulnerabilities**:
– **CVE-2024-41925**: A PHP remote-file inclusion vulnerability affecting the switch’s web user interface. This flaw allows attackers to:
– Bypass authentication processes.
– Navigate directories and execute arbitrary code directly on the switch.
– **CVE-2024-45367**: An incomplete authentication process at the web server level, which enables:
– Remote unauthorized access without needing a password.

– **Accessibility Concerns**:
– Both vulnerabilities hinge on whether the device’s web interface is accessible from the public internet or unsecured internal networks.
– If the interface is exposed, it poses a significant risk of exploitation.

– **Recommendations for Mitigation**:
– Network architectures should be organized to restrict access to the web-based interface known as OneView.
– Designate a specific management machine with a dedicated network interface for direct connection to the Optigo device, ensuring only this system can interact with OneView.
– Limit OneView’s accessibility to secure VPNs to prevent unauthorized access.

– **Current Status**:
– No patches have been released yet, and Optigo has not responded to inquiries regarding this issue.
– Workarounds have been suggested to mitigate risks but need immediate implementation to secure affected networks.

– **Potential Consequences**:
– CISA warns that while there is no evidence of these vulnerabilities currently being exploited, the disclosure of the vulnerabilities raises the likelihood of imminent attempts to exploit them.

Overall, this information is critical for security professionals in various fields such as infrastructure security and information security, as it highlights vulnerabilities in widely-used networking hardware and emphasizes the importance of security measures in operational technology environments.