CVE-2024-8448
📋 TL;DR
PLANET Technology switches contain hard-coded credentials in their command-line interface, allowing attackers with regular user access to escalate to root shell privileges. This affects organizations using vulnerable PLANET switch models, enabling complete device compromise.
💻 Affected Systems
- PLANET Technology switches (specific models not detailed in references)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover, network traffic interception, lateral movement to other systems, and persistent backdoor installation.
Likely Case
Unauthorized administrative access leading to network configuration changes, service disruption, and credential harvesting.
If Mitigated
Limited impact if network segmentation and access controls prevent regular users from reaching CLI interfaces.
🎯 Exploit Status
Exploitation requires existing CLI access but uses simple credential authentication bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8046-057c2-2.html
Restart Required: Yes
Instructions:
1. Check PLANET vendor website for firmware updates. 2. Download latest firmware for your switch model. 3. Backup current configuration. 4. Apply firmware update via web interface or CLI. 5. Verify update completed successfully.
🔧 Temporary Workarounds
Restrict CLI Access
allLimit command-line interface access to trusted administrative networks only
Configure ACLs to restrict SSH/Telnet access to management VLAN
Disable Unused Services
allTurn off Telnet/SSH if not required for operations
no telnet server enable
no ssh server enable
🧯 If You Can't Patch
- Implement strict network segmentation to isolate switches from regular user networks
- Enable logging and monitoring for unauthorized CLI access attempts
🔍 How to Verify
Check if Vulnerable:
Attempt to log into CLI with regular user credentials and check if hard-coded credential grants root accessCheck Version:
show version (CLI command on PLANET switches)Verify Fix Applied:
After patching, verify that hard-coded credential no longer provides root shell access📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login
- Root shell access from non-admin accounts
- Unusual CLI session patterns
Network Indicators:
- Unexpected SSH/Telnet connections to switch management interfaces
- Traffic patterns indicating configuration changes
SIEM Query:
source="switch_logs" AND (event="authentication_success" AND user="regular_user") OR event="privilege_escalation"