Critical flaws reported in Planet Technology's WGS-804HPT industrial switches
Take action: If you are using Planet Technology's WGS-804HPT industrial switches, make sure they are isolated from the internet, then update to firmware version 1.305b241111. At minimum, isolate the web interface, since all three vulnerabilities are reached through HTTP requests to the device's web service.
Learn More
Researchers from Claroty have uncovered three security vulnerabilities in Planet Technology's WGS-804HPT industrial switches, which are commonly deployed in building and home automation systems. These flaws, when chained together, could allow an attacker to achieve remote code execution without authentication.
The vulnerabilities were discovered through extensive firmware analysis using the QEMU emulation framework, focusing on the dispatcher.cgi interface that provides web service functionality. The identified vulnerabilities are:
- CVE-2024-52558 (CVSS score: 5.3) - An integer underflow vulnerability allowing unauthenticated attackers to crash the system through malformed HTTP requests
- CVE-2024-52320 (CVSS score: 9.8) - An OS command injection vulnerability enabling unauthenticated attackers to execute remote commands via malicious HTTP requests
- CVE-2024-48871 (CVSS score: 9.8) - A stack-based buffer overflow vulnerability in the handling of the 'id' cookie value, allowing attackers to execute arbitrary code through malicious HTTP requests
The researchers found that the dispatcher.cgi component was vulnerable due to unsafe use of the sprintf function when handling cookie values. The code copies the user-controlled 'id' cookie value into a fixed-size stack buffer without validating its length, so an overlong value overruns the buffer and creates an exploitable condition.
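The bug class described above, as an added example: this is illustrative C written for this page, not dispatcher.cgi source and not Claroty's or Planet Technology's code. The vulnerable shape (a fixed stack buffer filled by sprintf from a cookie value) is shown only in a comment; the runnable part is the defensive counterpart, a cookie parser that bounds the copy and a handler that rejects oversized or missing values instead of copying them. All function names, the 64-byte limit and the sample Cookie headers are assumptions constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the vulnerable pattern (NOT vendor code):
 *
 *     char buf[64];
 *     sprintf(buf, "%s", id_cookie);   // attacker-controlled length, no bound
 *
 * Any 'id' value longer than the buffer overwrites the stack frame. */

#define ID_MAX 64   /* assumed buffer size for the example */

/* Find "name=" in a Cookie header and copy its value into out.
 * Returns the value length, -1 if the cookie is absent, -2 if it would not fit. */
int get_cookie_value(const char *header, const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;          /* skip separators */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= outlen) return -2;            /* reject, never truncate silently */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p = strchr(p, ';');                           /* next cookie, or NULL */
    }
    return -1;
}

/* Handler sketch: returns an HTTP-style status. The value is bounded before
 * any formatting happens, and snprintf's return value is checked as well. */
int handle_id_cookie(const char *cookie_header) {
    char id[ID_MAX];
    int len = get_cookie_value(cookie_header, "id", id, sizeof id);
    if (len < 0) return 400;                          /* missing or oversized */

    char path[128];
    int n = snprintf(path, sizeof path, "/tmp/session_%s", id);
    if (n < 0 || (size_t)n >= sizeof path) return 400; /* would have truncated */
    return 200;
}

/* Build a constructed header "id=AAAA..." with value_len A's and run it
 * through the handler, so the boundary can be probed without a long literal. */
int check_oversized(size_t value_len) {
    char *hdr = malloc(value_len + 4);
    if (!hdr) return -1;
    memcpy(hdr, "id=", 3);
    memset(hdr + 3, 'A', value_len);
    hdr[3 + value_len] = '\0';
    int status = handle_id_cookie(hdr);
    free(hdr);
    return status;
}

int main(void) {
    printf("normal cookie:    %d\n", handle_id_cookie("session=1; id=abc123"));
    printf("63-byte value:    %d\n", check_oversized(63));
    printf("4096-byte value:  %d\n", check_oversized(4096));
    return 0;
}
```

The point of the check is that the length decision is made once, against the real buffer size, before any copy; a `strncpy` or a larger buffer alone would not have fixed the pattern, because the attacker still controls the length.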
The researchers demonstrated how an attacker could embed shellcode in an HTTP request cookie and redirect execution flow to this shellcode, ultimately achieving remote command execution on the device. This capability could potentially allow attackers to move laterally within an internal network and compromise other connected devices.
Planet Technology has addressed these vulnerabilities by releasing patched firmware version 1.305b241111 on November 15, 2024. Users are strongly advised to upgrade their devices to this version to prevent potential exploitation.