The Planet WGS-804HPT industrial switch is used in building and home automation networks to provide connectivity for Internet of Things (IoT) devices, IP surveillance cameras, and wireless LAN applications. This switch family is equipped with a web service and an SNMP management interface.
Claroty researchers disclosed three vulnerabilities in Planet WGS-804HPT industrial switches that could be chained to achieve pre-authentication remote code execution on vulnerable devices.
“The vulnerabilities include separate buffer and integer overflow vulnerabilities and an OS command injection flaw; we were able to develop an exploit that leverages these bugs and remotely runs code on the device,” reads the advisory published by Claroty. “An attacker who is able to remotely control one of these devices can use them to further exploit devices in an internal network and do lateral movement.”
The firmware analysis performed by the experts revealed vulnerabilities in the dispatcher.cgi interface of WGS-804HPT switches’ web service. Below are the vulnerabilities discovered by Claroty.
Successful exploitation of the flaws could let an attacker hijack the execution flow by embedding shellcode in an HTTP request, gaining the ability to execute operating system commands on the device.
Planet Technology has released firmware version 1.305b241111 to address these issues.
The researchers pointed out that QEMU enabled them to emulate critical components of the firmware, which helped in finding the vulnerabilities, developing proof-of-concept code, and assessing the potential impact on the device.
“We privately disclosed these vulnerabilities to Taiwan-based Planet Technology, which addressed the security issues and advised users to upgrade firmware in the device to version 1.305b241111,” concludes the report.