Full Report
Cybersecurity researchers have disclosed three security flaws in Planet Technology's WGS-804HPT industrial switches that could be chained to achieve pre-authentication remote code execution on susceptible devices. "These switches are widely used in building and home automation systems for a variety of networking applications," Claroty's Tomer Goldschmidt said in a Thursday report. "An attacker
Analysis Summary
# Vulnerability: Remote Code Execution and Network Exploitation in Planet WGS-804HPT Industrial Switches
## CVE Details
- CVE ID: CVE-2024-52558, CVE-2024-52320, CVE-2024-48871
- CVSS Score:
  - CVE-2024-52558: 5.3 (Medium)
  - CVE-2024-52320: 9.8 (Critical)
  - CVE-2024-48871: 9.8 (Critical)
- CWE: Not explicitly listed in the source; the flaws correspond to OS Command Injection (CWE-78), Stack-based Buffer Overflow (CWE-121) and Integer Underflow.
## Affected Systems
- Products: Planet Technology WGS-804HPT industrial switches.
- Versions: Prior to firmware version 1.305b241111.
- Configurations: Vulnerabilities are rooted in the `dispatcher.cgi` interface.
## Vulnerability Description
Three vulnerabilities, which can be chained to enable pre-authentication Remote Code Execution (RCE), exist in the firmware of Planet Technology WGS-804HPT industrial switches.
1. **CVE-2024-52558 (Integer Underflow):** Allows an unauthenticated attacker to generate a crash by sending a specifically malformed HTTP request.
2. **CVE-2024-52320 (OS Command Injection):** Allows an unauthenticated attacker to execute arbitrary OS commands via a malicious HTTP request.
3. **CVE-2024-48871 (Stack-based Buffer Overflow):** Allows an unauthenticated attacker to execute arbitrary OS commands via a malicious HTTP request.
Successful chaining allows an attacker to hijack the execution flow by embedding shellcode within an HTTP request, leading to arbitrary OS command execution. These devices are often used in building and home automation systems, enabling further lateral movement within internal networks.
## Exploitation
- Status: A working exploit chain is implied by the researchers' disclosure of chained pre-authentication RCE; the source cites no public PoC.
- Complexity: Low (Pre-authentication)
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Gaining RCE likely leads to compromise of sensitive configuration/data)
- Integrity: High (Arbitrary code execution allows modification of device state/data)
- Availability: High (RCE; crashes triggered via CVE-2024-52558 cause denial of service)
## Remediation
### Patches
- **Firmware Version 1.305b241111** (Released on November 15, 2024) addresses these security shortcomings.
### Workarounds
- The source details no workaround other than applying the firmware update. Network segmentation and restricting access to the web management interface (`dispatcher.cgi`) so that it is reachable only from trusted management networks serve as general mitigations.
## Detection
- **Indicators of Compromise (IOCs):** Malicious HTTP requests targeting the `dispatcher.cgi` interface containing unusually long payloads, shell command strings, or indicative shellcode patterns.
- **Detection Methods and Tools:** Network monitoring that inspects traffic to the switches' management interface for suspicious HTTP requests. Firmware version checks (or firmware analysis tools) confirm whether a device still runs a version earlier than 1.305b241111.
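The following is an added detection example, not code from the source report or from Claroty or Planet Technology: it scans constructed access-log lines for requests to `dispatcher.cgi` carrying oversized parameters or shell metacharacters, the two indicators named above. The log format, the parameter names, the 512-byte threshold and the metacharacter set are assumptions for illustration; percent-encoded values are decoded before inspection so that an encoded `;` is still caught.

```python
import re
from urllib.parse import unquote_plus

# Assumed thresholds for illustration; tune to the device's normal management traffic.
MAX_PARAM_LEN = 512                         # a single parameter longer than this is suspicious
SHELL_META = re.compile(r"[;&|`$]")         # shell metacharacters that have no place in a value
# Extracts method and request target from a Common-Log-Format style line (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def split_params(query):
    """Split a query string on '&' only and percent-decode each name and value."""
    params = []
    for field in query.split("&"):
        if not field:
            continue
        name, _, value = field.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def analyse_request(method, target):
    """Return the reasons a request to dispatcher.cgi looks suspicious (empty if clean)."""
    path, _, query = target.partition("?")
    if not path.endswith("/dispatcher.cgi"):
        return []                           # only the management CGI is in scope
    reasons = []
    for name, value in split_params(query):
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"oversized parameter {name!r} ({len(value)} bytes)")
        if SHELL_META.search(value):
            reasons.append(f"shell metacharacter in parameter {name!r}")
    return reasons


def scan_log(lines):
    """Map the index of each flagged log line to its reasons; clean lines are omitted."""
    findings = {}
    for i, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        if m:
            reasons = analyse_request(m["method"], m["target"])
            if reasons:
                findings[i] = reasons
    return findings


# Constructed sample log lines (not real traffic): one normal request, one with an
# encoded ';' in a parameter, one with a 700-byte parameter, one outside the CGI.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jan/2025:10:00:01 +0000] "GET /cgi-bin/dispatcher.cgi?page=2 HTTP/1.1" 200 1321',
    '10.0.0.9 - - [16/Jan/2025:10:00:07 +0000] "GET /cgi-bin/dispatcher.cgi?page=2&host=10.0.0.1%3Bid HTTP/1.1" 200 88',
    '10.0.0.9 - - [16/Jan/2025:10:00:09 +0000] "GET /cgi-bin/dispatcher.cgi?page=2&name=' + "A" * 700 + ' HTTP/1.1" 500 0',
    '10.0.0.5 - - [16/Jan/2025:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 3044',
]

if __name__ == "__main__":
    for idx, why in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(why)}")
```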
## References
- Vendor Advisory: planet.com.tw/en/support/downloads?method=keyword&keyword=v1.305b241111
- Research/Disclosure: claroty.com/team82/research/hack-the-emulated-planet-vulnerability-hunting-planet-wgs-804hpt-industrial-switch (Defanged)