Two simple give-me-control security bugs found in Optigo network switches used in critical manufacturing

Two trivial but critical security holes have been found in Optigo's Spectra Aggregation Switch, and so far no patch is available.

The vulnerabilities, both with CVSS v4 severity scores of 9.3, can be abused by a remote attacker to inject malware into the OT network management switches if they are running version 1.3.7 and earlier.

According to the US government's Cybersecurity and Infrastructure Security Agency, aka CISA, on Tuesday Optigo's vulnerable switches can be easily compromised by an unauthenticated remote user.

The agency also said the networking gear can be found in critical manufacturing settings, though to be honest, the hardware can be used for wiring up the network of any small or large building.

The first flaw, CVE-2024-41925, is a PHP remote-file inclusion vulnerability affecting the web-based user interface for the switch. Once exploited, a remote attacker would be able to bypass authentication, move between directories on the equipment, and execute arbitrary code on the target. This also means the intruder needs to be able to reach the device's web interface to pull this off.

The second, CVE-2024-45367, is an incomplete authentication process at the web server level on the Canadian manufacturer's kit. A remote attacker could simply get in without needing to use a password, CISA warns.

Again, exploitation requires the miscreant to be able to reach the web interface. If that's accessible to the public internet somehow, that's not good; you need to cut off that access. If it's reachable from an internal network, you need to make sure whoever can reach that equipment is trusted and secure.

• 10 nasty software bugs put thousands of fuel storage tanks at risk of cyberattacks
• Ivanti patches exploited admin command execution flaw
• NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great
• Despite cyberattacks, water security standards remain a pipe dream

There are no patches yet. Optigo hasn't responded to questions on the matter, though the manufacturer has issued a series of workarounds that should mitigate the vulnerabilities. It recommends the following:

• Organize your network to restrict access to the web-based interface, known as OneView. In fact, the maker says this should be done as standard.
• Pick a machine to manage the switch and dedicate a network interface on that system to directly connect to the Optigo device, so that the only thing that can reach OneView is that management node. Then make sure that node isn't compromised.
• Make the OneView service accessible only via a secure VPN.

There are no signs that these vulnerabilities are being exploited at the moment, CISA said, though now the advisories are out, it could just be a matter of time before they are abused. The flaws were found and reported by the enterprise security shop Claroty's Team82, who had no comment at the time of publication. ®