U.S. cybersecurity agency CISA is warning about two critical vulnerabilities that allow authentication bypass and remote code execution in Optigo Networks ONS-S8 Aggregation Switch products used in critical infrastructure.
The flaws concern weak authentication issues, allowing bypassing of password requirements, and user input validation issues potentially leading to remote code execution, arbitrary file uploads, and directory traversal.
The device is used in critical infrastructure and manufacturing units worldwide, and considering that the flaws are remotely exploitable with low attack complexity, the risk is deemed very high.
Currently, no fixes are available, so users are advised to apply the suggested mitigations proposed by the Canadian vendor.
The first flaw is tracked as CVE-2024-41925 and is classified as a PHP Remote File Inclusion (RFI) problem stemming from incorrect validation or sanitization of user-supplied file paths.
An attacker could use this vulnerability to perform directory traversal, bypass authentication, and execute arbitrary remote code.
The second issue, tracked as CVE-2024-45367, is a weak authentication problem arising from improper password verification enforcement on the authentication mechanism.
Exploiting this allows an attacker to gain unauthorized access to the switches' management interface, alter configurations, access sensitive data, or pivot to other network points.
Both problems were discovered by Claroty Team82 and are rated as critical, with a CVSS v4 score of 9.3. The vulnerabilities impact all ONS-S8 Spectra Aggregation Switch versions up to and including 1.3.7.
Securing the switches
While CISA has not seen signs of these flaws being actively exploited, system administrators are advised to perform the following actions to mitigate the flaws:
- Isolate ONS-S8 management traffic by placing it on a dedicated VLAN to separate it from normal network traffic and reduce exposure.
- Connect to OneView only through a dedicated NIC on the BMS computer to ensure secure and exclusive access for OT network management.
- Configure a router firewall to whitelist specific devices, limiting OneView access only to authorized systems and preventing unauthorized access.
- Use a secure VPN for all connections to OneView to ensure encrypted communication and protect against potential interception.
- Follow CISA's cybersecurity guidance by performing risk assessments, implementing layered security (defense-in-depth), and adhering to best practices for ICS security.
CISA recommends that organizations observing suspicious activity on these devices follow their breach protocols and report the incident to the cybersecurity agency so that it can be tracked and correlated with other incidents.
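One way to check that the VLAN isolation and allowlist mitigations above are actually holding is to audit exported flow records against them. The script below is an added example, not code from CISA, Optigo, or the original article; the VLAN id, address ranges, and CSV record layout are assumptions chosen for illustration.

```python
import ipaddress

# All addresses and the VLAN id below are constructed for illustration.
MGMT_VLAN = 50                                          # dedicated management VLAN
MGMT_ENDPOINTS = ipaddress.ip_network("10.50.0.0/28")   # ONS-S8 / OneView management addresses
ALLOWED_SOURCES = {ipaddress.ip_address("10.50.0.10")}  # BMS computer's dedicated NIC

# Constructed flow records: source IP, destination IP, VLAN id
SAMPLE_FLOWS = """\
10.50.0.10,10.50.0.2,50
10.50.0.77,10.50.0.2,50
192.168.1.23,10.50.0.3,1
10.50.0.10,10.50.0.2,1
192.168.1.23,192.168.1.40,1
not-an-ip,10.50.0.2,50
"""

def audit_flow(src, dst, vlan):
    """Return the mitigation violations for one flow (empty list if compliant)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in MGMT_ENDPOINTS:
        return []                      # not management traffic, out of scope
    findings = []
    if vlan != MGMT_VLAN:
        findings.append("management traffic outside dedicated VLAN")
    if src_ip not in ALLOWED_SOURCES:
        findings.append("source not on allowlist")
    return findings

def audit_log(text):
    """Audit CSV flow records; return {line_number: [findings]} for bad lines only."""
    report = {}
    for n, line in enumerate(text.splitlines(), start=1):
        try:
            src, dst, vlan = line.strip().split(",")
            findings = audit_flow(src, dst, int(vlan))
        except ValueError:             # wrong field count, bad IP, or bad VLAN id
            findings = ["unparseable record"]
        if findings:
            report[n] = findings
    return report

if __name__ == "__main__":
    for n, findings in audit_log(SAMPLE_FLOWS).items():
        print(f"line {n}: {'; '.join(findings)}")
```

Any flagged line is a flow that reached a management address from outside the dedicated VLAN or from a host the firewall should have blocked, which is the kind of suspicious activity worth escalating under the breach protocols mentioned above.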



