CVE-2024-41925

Summary

The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.

Affected Software

VendorProductVersion RangeStatus
Optigo NetworksONS-S8 Spectra Aggregation Switch0 <= 1.3.7affected

Weaknesses

  • CWE-98: CWE-98

Workarounds

Optigo Networks recommends users always use a unique management VLAN for the port on the ONS-S8 that is used to connect to OneView.

Optigo Networks also recommends users implement at least one of the following additional mitigations:

  • Use a dedicated NIC on the BMS computer and exclusively this computer for connecting to OneView to manage your OT network configuration.
  • Set up a router firewall with a white list for the devices permitted to access OneView.
  • Connect to OneView via secure VPN.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References