Optigo Networks ONS-S8 - Spectra Aggregation Switch
Act Now | CVSS 9.8 | ICS-CERT ICSA-24-275-01 | Oct 1, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Optigo Networks ONS-S8 Spectra Aggregation Switch firmware versions 1.3.7 and earlier contain multiple critical vulnerabilities (CWE-98 code injection, CWE-1390 externally-controlled reference). These flaws allow unauthenticated remote attackers to achieve arbitrary code execution, upload unauthorized files, or bypass authentication controls on the device. The vulnerabilities are reachable via the management port used by OneView management software and require only network access—no valid credentials.
What this means
What could happen
An attacker with network access to the ONS-S8 management interface could run arbitrary commands on the switch, upload malicious files, or bypass authentication controls—potentially allowing them to reconfigure or disable your aggregation network, disrupt optical network traffic, or pivot into your control system from the BMS.
Who's at risk
Optical network operators and utility IT/OT teams managing Optigo Networks ONS-S8 Spectra Aggregation Switches in your network backbone. This includes water authorities and municipal utilities using optical aggregation switches to link remote substations, pump stations, or control centers. Any organization with ONS-S8 devices managing circuit aggregation in a critical infrastructure environment is at risk.
How it could be exploited
An attacker on the network segment containing the OneView management connection could send crafted requests to the ONS-S8 management interface on the vulnerable port to achieve unauthenticated remote code execution or authentication bypass. Once on the device, the attacker gains full control of the aggregation switch, which connects multiple sites or control zones.
Prerequisites
- Network access to the ONS-S8 management port (OneView connection port)
- No valid credentials required for initial exploitation
- Device running firmware version 1.3.7 or earlier
- Remotely exploitable over network
- No authentication required for exploitation
- Low complexity attack
- No patch available from vendor
- Critical CVSS score (9.8)
- Affects network aggregation (potential for widespread disruption)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: ONS-S8 - Spectra Aggregation Switch
Affected Versions: ≤ 1.3.7
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement a dedicated management VLAN for the port connecting the ONS-S8 to OneView
- HARDENING: Use a dedicated NIC on the BMS (building management system or management workstation) exclusively for OneView/ONS-S8 connectivity
- HARDENING: Configure router/firewall rules to whitelist only authorized devices that can reach OneView
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HARDENING: Establish a secure VPN tunnel for all OneView management connections
Mitigations - no patch available
ONS-S8 - Spectra Aggregation Switch (≤ 1.3.7) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate the BMS and OneView management network from general corporate/production networks
CVEs (2)