Optigo Networks ONS-S8 - Spectra Aggregation Switch

Plan PatchCVSS 9.8ICS-CERT ICSA-24-275-01Oct 1, 2024

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The ONS-S8 Spectra Aggregation Switch contains authentication bypass, arbitrary file upload, and remote code execution vulnerabilities (CWE-98, CWE-1390). Successful exploitation allows an unauthenticated attacker on the network to execute arbitrary commands on the device, upload malicious files, or bypass authentication controls. No vendor patch is planned for firmware versions 1.3.7 and earlier. The vulnerability affects the management interface and the OneView connection port.

What this means

What could happen

An unauthenticated attacker on the network could gain remote code execution on the ONS-S8 switch, potentially allowing them to intercept, modify, or disrupt aggregated optical traffic and management traffic between the OT network and the control system management interface.

Who's at risk

Organizations operating Optigo Networks ONS-S8 Spectra Aggregation Switches should care about this issue. These switches are optical network devices commonly used in utilities and critical infrastructure to aggregate and manage high-bandwidth communication links between control systems, substations, and centralized management platforms. An attacker gaining control of the switch could intercept or disrupt all traffic passing through it.

How it could be exploited

An attacker with network access to the management VLAN or OneView connection point could exploit the authentication bypass vulnerability to gain administrative access to the ONS-S8. From there, the attacker could upload arbitrary files or execute remote commands on the switch without needing valid credentials.

Prerequisites

Network access to the ONS-S8 management interface or OneView connection port
The ONS-S8 must be running firmware version 1.3.7 or earlier

remotely exploitableno authentication requiredlow complexityno patch availablecritical CVSS score (9.8)affects network infrastructure carrying OT traffic

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (1)

ProductAffected VersionsFix Status

ONS-S8 - Spectra Aggregation Switch: <=1.3.7≤ 1.3.7No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/4

HARDENINGCreate a dedicated management VLAN for the port on the ONS-S8 that connects to OneView and restrict access to authorized management systems only

HARDENINGConfigure a firewall rule with a whitelist to permit only authorized management systems to access the ONS-S8 and OneView

HARDENINGUse a dedicated NIC on the management system that connects exclusively to OneView for OT network configuration

HARDENINGRequire all connections to OneView to be made through a secure VPN tunnel from authorized management systems

Mitigations - no patch available

0/1

ONS-S8 - Spectra Aggregation Switch: <=1.3.7 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate the management VLAN on which the ONS-S8 resides from general IT network access

CVEs (2)

CVE-2024-41925 CVE-2024-45367

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4da69d85-17e9-439f-9cb4-2ae4132ba8bd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.