CVE-2024-8450
📋 TL;DR
This vulnerability affects certain PLANET Technology switch models that have a hard-coded SNMPv1 community string, allowing unauthorized remote attackers to access the SNMP service with read-write privileges. This enables attackers to modify switch configurations, disrupt network operations, and potentially gain further network access. Organizations using affected PLANET switch models are at risk.
💻 Affected Systems
- PLANET Technology switches (specific models not detailed in provided references)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over network switches, enabling them to reconfigure network topology, intercept traffic, disable network segments, and use switches as pivot points to attack other systems.
Likely Case
Attackers modify switch configurations to disrupt network operations, create network loops causing broadcast storms, or redirect traffic for interception.
If Mitigated
With proper network segmentation and SNMP access controls, impact is limited to the specific vulnerable switch and its directly connected devices.
🎯 Exploit Status
Exploitation requires only knowledge of the hard-coded community string and network access to the SNMP service. SNMPv1 is unencrypted, making traffic interception trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8050-52f32-2.html
Restart Required: No
Instructions:
1. Contact PLANET Technology for firmware updates or patches.
2. Check the vendor advisory for specific remediation guidance.
3. Apply any available firmware updates following vendor instructions.
🔧 Temporary Workarounds
Disable SNMPv1 Service
Completely disable the vulnerable SNMPv1 service on affected switches
Switch configuration commands vary by model - consult switch documentation for SNMP disable commands
Implement Network Access Controls
Restrict SNMP access to trusted management networks only using ACLs
Configure switch ACLs to permit SNMP only from authorized management IP addresses
🧯 If You Can't Patch
- Isolate vulnerable switches in separate VLANs with strict firewall rules
- Implement network monitoring for SNMP traffic from unauthorized sources
🔍 How to Verify
Check if Vulnerable:
Attempt SNMP queries using the hard-coded community string (not disclosed in public references) to test for read-write access
Check Version:
Check switch firmware version via console or web interface (commands vary by model)
Verify Fix Applied:
Attempt SNMP queries again after remediation; they should fail or return access denied
📡 Detection & Monitoring
Log Indicators:
- SNMP authentication failures
- SNMP set operations from unauthorized sources
- Configuration changes via SNMP
Network Indicators:
- SNMPv1 traffic to switch management interfaces
- SNMP traffic from unexpected source IPs
SIEM Query:
(source_port=161 OR destination_port=161) AND protocol=udp AND (snmp.community_string="hardcoded_string" OR snmp.version=1)
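An added detection example, not from the advisory or from PLANET: it decodes the BER header of UDP/161 payloads and applies the three indicators listed above (SNMPv1 traffic, SET operations from unauthorized sources, a watched community string). The `Packet` tuple, the management allow-list and the hand-built sample packets are assumptions.

```python
"""Flag the advisory's SNMP indicators in UDP/161 payloads: SNMPv1, SETs from non-management
hosts, watched community strings. Packet, the allow-lists and the BER samples are assumptions."""
from typing import NamedTuple
MANAGEMENT_HOSTS = {"10.0.0.5"}   # assumption: hosts allowed to issue SetRequests
WATCHED_COMMUNITIES = {"public"}  # assumption: the real hard-coded string is not public
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest", 0xA5: "GetBulkRequest"}

class Packet(NamedTuple):
    src_ip: str
    payload: bytes

def _tlv(buf: bytes, pos: int):
    """Decode one BER tag-length-value (short or long definite length)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:             # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(payload: bytes) -> dict:
    """Return version (0=v1, 1=v2c, 3=v3), community and PDU type of one message."""
    tag, body, _ = _tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if tag != 0x02 or version not in (0, 1):   # v3 carries msgGlobalData, no community
        return {"version": version, "community": None, "pdu": None}
    _, community, pos = _tlv(body, pos)        # OCTET STRING community
    tag, _, _ = _tlv(body, pos)                # context tag selects the PDU type
    return {"version": version, "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(tag, f"0x{tag:02x}")}

def classify(pkt: Packet) -> list:
    """Apply the advisory's detection rules; return the names of the rules that fired."""
    info, hits = parse_snmp(pkt.payload), []
    if info["version"] == 0:
        hits.append("snmpv1")
    if info["community"] in WATCHED_COMMUNITIES:
        hits.append("watched-community")
    if info["pdu"] == "SetRequest" and pkt.src_ip not in MANAGEMENT_HOSTS:
        hits.append("set-from-unauthorized-source")
    return hits

# Constructed samples: v1 SetRequest ("public") from an unknown host; v2c GetRequest ("mgmt-ro") from the NMS.
V1_SET = Packet("192.168.7.23", bytes.fromhex(
    "30 18 02 01 00 04 06 70 75 62 6c 69 63 a3 0b 02 01 01 02 01 00 02 01 00 30 00"))
V2C_GET = Packet("10.0.0.5", bytes.fromhex(
    "30 19 02 01 01 04 07 6d 67 6d 74 2d 72 6f a0 0b 02 01 01 02 01 00 02 01 00 30 00"))
```

Feed `classify` from a capture tap on the management VLAN; the v1 and SetRequest rules alone will surface any use of the vulnerable service even without knowing the undisclosed string.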