Source: Ministry of Education Information & Communication Security Contingency Platform
Publication Number | TACERT-ANA-2024100708102020 | Publication Time | 2024/10/07 08:44 |
Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/10/03 14:49 |
Impact Level | Medium |
[Subject] 【Vulnerability Alert】 Multiple High-Risk Vulnerabilities Found in Planet Technology Switch Devices |

[Content] Forwarded from TWCERTCC-200-202410-00000001

[Planet Technology Switch Devices - Remote Privilege Escalation Using Hard-coded Credentials] (CVE-2024-8448, CVSS 3.x: 8.8) Certain command-line interfaces of specific models of Planet Technology switches have hard-coded account credentials. A remote attacker who has obtained general permissions can use these credentials to gain access to a Linux root shell.

[Planet Technology Switch Devices - Missing Authentication for Multiple HTTP Routes] (CVE-2024-8456, CVSS 3.x: 9.8) Some models of Planet Technology switches lack proper access controls for firmware upload and download functions. This allows unauthorized remote attackers to download and upload firmware and system configuration settings, ultimately gaining full control of the device.

[Planet Technology Switch Devices - Cross-site Request Forgery] (CVE-2024-8458, CVSS 3.x: 8.8) The web application on certain models of Planet Technology switches contains a Cross-Site Request Forgery (CSRF) vulnerability. Unauthorized remote attackers can deceive users into visiting a malicious website and then impersonate the user to perform actions such as adding accounts.

Information Sharing Level: WHITE (Information content can be publicly disclosed)

[Affected Platform]
● GS-4210-24PL4C hardware 2.0
● GS-4210-24P2S hardware 3.0

[Recommended Actions]
1. Update the firmware of GS-4210-24PL4C hardware 2.0 to version 2.305b240719 or later.
2. Update the firmware of GS-4210-24P2S hardware 3.0 to version 3.305b240802 or later.

[Reference]
1. Planet Technology Switch Devices - Remote Privilege Escalation Using Hard-coded Credentials: https://www.twcert.org.tw/tw/cp-132-8045-a2804-1.html
2. Planet Technology Switch Devices - Missing Authentication for Multiple HTTP Routes: https://www.twcert.org.tw/tw/cp-132-8061-91872-1.html
3. Planet Technology Switch Devices - Cross-site Request Forgery: https://www.twcert.org.tw/tw/cp-132-8065-579c1-1.html