Full Report
New research from Claroty’s Team82 research arm uncovered three vulnerabilities in Hunting Planet WGS-804HPT industrial switch that could... The post Claroty’s Team82 exposes critical vulnerabilities in Hunting Planet WGS-804HPT industrial switch appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Chained Flaws in Planet WGS-804HPT Industrial Switch Leading to RCE
## CVE Details
- CVE ID: *Not explicitly provided in the text, but related to three flaws.*
- CVSS Score: *Not explicitly provided in the text.*
- CWE: Buffer Overflow, Integer Overflow, OS Command Injection (Inferred from vulnerability types)
## Affected Systems
- Products: Hunting Planet WGS-804HPT industrial switch
- Versions: Prior to firmware version 1.305b241111
- Configurations: Devices exposing the web service management interface.
## Vulnerability Description
The Planet WGS-804HPT industrial switch contains three distinct vulnerabilities: buffer overflow, integer overflow, and an OS command injection flaw. These flaws exist within the web service, specifically targeting the dispatcher.cgi endpoint accessible by unauthenticated clients. The switch's executable lacks modern memory security mitigations like the NX bit, meaning the stack is executable. An attacker can chain these flaws to inject shellcode into a request cookie, redirect code execution to the stack, and execute arbitrary operating system commands remotely.
## Exploitation
- Status: Exploit developed (Proof of Concept available).
- Complexity: Low (due to lack of NX mitigation and stack executability).
- Attack Vector: Network (via the exposed web service).
## Impact
- Confidentiality: High (Remote code execution allows sensitive data access).
- Integrity: High (Remote code execution allows system modification).
- Availability: High (Remote code execution can lead to denial of service or instability).
## Remediation
### Patches
- Firmware version 1.305b241111 or later.
### Workarounds
- No specific workarounds detailed other than upgrading firmware. Limiting network access to the web management interface is an implied general network mitigation.
## Detection
- Detection methods hinge on monitoring unusual traffic patterns or known exploitation signatures targeting the web interface, particularly requests directed toward `dispatcher.cgi`.
- Indicators of compromise would include unexpected system behavior or outbound connections initiated by the switch, resulting from successful `execve` syscall execution via the injected shellcode.
## References
- Vendor advisory via Planet Technology (upon release of firmware 1.305b241111).
- Claroty Team82 Research Disclosure: claroty dot com/team82/research/hack-the-emulated-planet-vulnerability-hunting-planet-wgs-804hpt-industrial-switch