Vulnerabilities in industrial switches uncovered by Claroty

Today

Claroty's research team has identified three vulnerabilities in Planet Technology's WGS-804HPT Industrial switches, which play a significant role in building and home automation systems.

These vulnerabilities, according to the research, permit attackers to remotely execute code on compromised devices, posing a risk of lateral movement across networks. The team employed QEMU, an open-source emulation platform, to emulate the switches' system components and simulate attacks, successfully uncovering these vulnerabilities.

Tomer Goldschmidt from Team82 elaborated on the process, stating, "Emulators such as the open-source, cross-platform QEMU framework are invaluable tools for researchers conducting vulnerability research. QEMU and other emulators act as great testing environments where software and firmware can be analysed for exploitable vulnerabilities. They can also be taken a step further for testing exploits within a safe space." The statement underscores the importance of emulators, especially when physical access to the device is not possible.

The vulnerabilities identified include a buffer overflow, an integer overflow, and an OS command injection flaw. Claroty's researchers were able to devise an exploit that leverages these flaws to remotely execute code on the device. These industrial switches are frequently utilised for networking applications such as Internet Protocol (IP) surveillance and wireless local area networks (LANs).

Goldschmidt explained the methodology of the research, "For Team82, QEMU and other emulation platforms are center stage in much of our research, in particular where it may be difficult to obtain an actual target device. In this blog, we will explain how we used QEMU to emulate the relevant system components of Planet Technology Corp's WGS-804HPT Industrial switch, and how it was used to uncover three vulnerabilities that could allow an attacker to remotely execute code on a vulnerable device."

Planet Technology's WGS-804HPT industrial switch facilitates connectivity in IoT devices, IP surveillance cameras, and wireless LAN network applications. A significant focus of the research was the management interface operable via a web browser, considered a primary exposure point to network threats.

Claroty disclosed these vulnerabilities to Planet Technology privately, prompting the Taiwan-based company to address the security issues. The company has recommended that users upgrade their firmware to version 1.305b241111 to mitigate these issues.

Reflecting on the significance of the research, Goldschmidt stated, "QEMU was essential to our success in finding the three vulnerabilities in the Planet Technology industrial switch. We were able to emulate critical components of the device, understand where vulnerabilities may be uncovered, and managed to develop PoC exploits to present probable impact to the device."

This investigation highlights the continuous need for rigorous testing of industrial devices to ensure system integrity and protection against potential cyber threats. Claroty's findings emphasise the importance of timely firmware updates as a preventive measure for maintaining network security.

Share on: