CVE-2024-8458
📋 TL;DR
PLANET Technology switches have a CSRF vulnerability in their web interface that allows unauthenticated remote attackers to trick authenticated users into performing unauthorized actions. Attackers can create administrative accounts or modify configurations by luring users to malicious websites. This affects users of vulnerable PLANET switch models with web management enabled.
💻 Affected Systems
- PLANET Technology switches (specific models not detailed in provided references)
⚠️ Risk & Real-World Impact
Worst Case
Attacker creates persistent administrative accounts, takes full control of network switches, reconfigures network topology, enables backdoors, and disrupts critical network infrastructure.
Likely Case
Attacker creates unauthorized administrative accounts to gain persistent access, modifies switch configurations, or disrupts network operations through unauthorized changes.
If Mitigated
With proper CSRF protections and network segmentation, impact is limited to potential temporary configuration changes that can be reverted by legitimate administrators.
🎯 Exploit Status
CSRF attacks require user interaction (visiting malicious site) but are technically simple to implement once the vulnerable endpoint is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references
Vendor Advisory: https://www.twcert.org.tw/en/cp-139-8066-d6504-2.html
Restart Required: Yes
Instructions:
1. Check PLANET Technology website for firmware updates.
2. Download latest firmware for your switch model.
3. Backup current configuration.
4. Upload and apply firmware update through web interface or CLI.
5. Verify update completed successfully.
6. Restore configuration if needed.
🔧 Temporary Workarounds
Disable Web Management Interface
Disable the vulnerable web interface and use CLI or other management methods
no ip http server
no ip http secure-server
Implement CSRF Tokens Manually
Add CSRF protection through reverse proxy or web application firewall
🧯 If You Can't Patch
- Segment network to isolate switch management interfaces from user networks
- Implement strict access controls and monitor for unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check if switch web interface lacks CSRF tokens by inspecting form submissions and comparing with known vulnerable firmware versions
Check Version:
show version
Verify Fix Applied:
Verify firmware version is updated and test that form submissions now include CSRF tokens
📡 Detection & Monitoring
Log Indicators:
- Unexpected administrative account creation
- Configuration changes from unusual IP addresses
- Multiple failed login attempts followed by successful configuration changes
Network Indicators:
- HTTP POST requests to switch management interface from external IPs
- Unusual traffic patterns to switch management ports
SIEM Query:
source="switch_logs" AND (event="user_added" OR event="config_changed") AND src_ip NOT IN [admin_networks]
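The SIEM query above, written out as runnable detection logic. This is an added example, not code from the advisory or the vendor; the key=value log layout, the sample lines and the admin subnets are constructed assumptions, while the `event` and `src_ip` field names come from the query itself.

```python
import ipaddress
import shlex

# Assumed management subnets; replace with your own admin networks.
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.0/28")]
WATCHED_EVENTS = {"user_added", "config_changed"}

# Constructed sample lines in an assumed key=value syslog layout.
SAMPLE_LOGS = """\
2024-09-30T08:01:12Z sw-core-1 event=login_ok user=admin src_ip=10.10.0.5
2024-09-30T08:02:40Z sw-core-1 event=config_changed user=admin src_ip=10.10.0.5
2024-09-30T09:15:03Z sw-core-1 event=user_added user=admin new_user="svc backup" src_ip=172.16.4.77
2024-09-30T09:15:09Z sw-core-1 event=config_changed user=admin src_ip=not-an-ip
2024-09-30T09:20:00Z sw-core-1 event=user_added user=admin
"""

def parse_line(line):
    """Split one log line into a dict of its key=value fields."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def from_admin_network(src_ip):
    """True only if src_ip parses and falls inside an admin network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # a missing or malformed source is never trusted
    return any(addr in net for net in ADMIN_NETWORKS)

def find_suspicious(log_text):
    """Return (event, src_ip) for watched events not sourced from admin networks."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        src_ip = fields.get("src_ip", "")
        if fields.get("event") in WATCHED_EVENTS and not from_admin_network(src_ip):
            hits.append((fields["event"], src_ip or "<missing>"))
    return hits

if __name__ == "__main__":
    for event, src in find_suspicious(SAMPLE_LOGS):
        print(f"ALERT {event} from {src}")
```

A CSRF request is sent by the authenticated administrator's own browser, so a forged change can arrive from an address inside the admin networks; review `user_added` events regardless of source rather than relying on the source filter alone.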