PLANET Technology Switches Face CVE-2024-8456 (CVSS 9.8), Urgent Firmware Updates Advised
The Taiwan Computer Emergency Response Team (TWCERT/CC) has released a series of security advisories highlighting critical vulnerabilities affecting various PLANET Technology switch models. These vulnerabilities range in severity, with potential impacts including remote code execution, unauthorized access, and denial of service.
Vulnerability Assessment
The identified vulnerabilities, assigned Common Vulnerabilities and Exposures (CVE) identifiers, span a spectrum of security weaknesses:
- Hard-Coded Credentials (CVE-2024-8448, CVE-2024-8449): Undocumented credentials embedded within the firmware, enabling unauthorized access and potential password recovery.
- Cleartext Password Storage (CVE-2024-8459): Unencrypted storage of sensitive credentials, facilitating unauthorized access.
- Cross-Site Request Forgery (CSRF) (CVE-2024-8458): Enables attackers to execute unauthorized actions on behalf of authenticated users.
- Cross-Site Scripting (XSS) (CVE-2024-8457): Injection of malicious scripts into web pages viewed by other users, potentially leading to data theft or session hijacking.
- Missing Authentication (CVE-2024-8456, CVSS 9.8): Absence of proper access controls, allowing unauthorized access to critical functionalities such as firmware upload and download.
- Weakly Encoded Passwords (CVE-2024-8455): Insecure password encoding, making them susceptible to cracking attempts.
- Insecure Hash Functions (CVE-2024-8452, CVE-2024-8453): Use of outdated hashing algorithms, compromising the security of stored credentials.
- Denial of Service (DoS) (CVE-2024-8454, CVE-2024-8451): Vulnerabilities that could be exploited to disrupt or render the devices unavailable.
Affected Products
The following PLANET Technology switch models are impacted:
- GS-4210-24PL4C (hardware 2.0)
- GS-4210-24P2S (hardware 3.0)
- IGS-5225-4UP1T2S (hardware 1.0) – End of Life
Mitigation
PLANET Technology has released firmware updates to address these vulnerabilities. Users are strongly advised to update their devices to the latest firmware versions:
- GS-4210-24PL4C (hardware 2.0): Version 2.305b240719 or later
- GS-4210-24P2S (hardware 3.0): Version 3.305b240802 or later
The IGS-5225-4UP1T2S has reached its End of Life and is no longer supported. Replacement is recommended.
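An added example (not code from the advisory or from PLANET) that turns the fixed-version and End-of-Life statements above into an inventory check: it assumes the firmware version string is laid out as major.minor followed by "b" and a YYMMDD build date, so that parsed tuples compare in release order, and the inventory lines it reads are constructed sample data.

```python
import re

# Fixed firmware versions and EOL status as stated in the advisory summary.
FIXED_FIRMWARE = {
    ("GS-4210-24PL4C", "2.0"): "2.305b240719",
    ("GS-4210-24P2S", "3.0"): "3.305b240802",
}
END_OF_LIFE = {("IGS-5225-4UP1T2S", "1.0")}

# Assumed layout of the version string: <major>.<minor>b<YYMMDD build date>.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)b(\d{6})$")

def parse_version(text):
    """Turn '2.305b240719' into (2, 305, 240719) so tuples compare in order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(model, hw, firmware):
    """Return 'ok', 'update', 'replace' or 'unknown' for one switch."""
    key = (model, hw)
    if key in END_OF_LIFE:
        return "replace"   # no fix will ship; the advisory recommends replacement
    if key not in FIXED_FIRMWARE:
        return "unknown"   # model/hardware revision not covered by the advisory
    if parse_version(firmware) >= parse_version(FIXED_FIRMWARE[key]):
        return "ok"
    return "update"

# Constructed sample inventory, one switch per line: name,model,hardware,firmware
SAMPLE_INVENTORY = """\
core-sw1,GS-4210-24PL4C,2.0,2.305b240719
edge-sw2,GS-4210-24P2S,3.0,3.303b240115
lab-sw3,IGS-5225-4UP1T2S,1.0,1.0b220301
dc-sw4,GS-4210-24P2S,3.0,3.306b240910
"""

def assess_inventory(csv_text):
    """Map each switch name to its advisory status."""
    result = {}
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        name, model, hw, fw = (field.strip() for field in line.split(","))
        result[name] = assess(model, hw, fw)
    return result

if __name__ == "__main__":
    for name, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```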
Recommendations
Network administrators and users of PLANET Technology switches are advised to:
- Apply Updates Promptly: Implement the recommended firmware updates without delay.
- Monitor Network Activity: Employ robust network monitoring and intrusion detection systems to identify suspicious activity.
- Review Security Policies: Enforce strong password policies and access controls.
- Consider Replacement: Evaluate replacing end-of-life devices to ensure ongoing security and support.