The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding multiple vulnerabilities in Optigo Networks' ONS-S8 switch, a widely used device in building automation and industrial control systems. These flaws could allow attackers to execute remote code, bypass authentication, and compromise entire networks.

Overview of the Vulnerabilities

The CISA advisory (ICSA-23-222-01) highlights three critical vulnerabilities affecting Optigo Networks' ONS-S8 switch firmware versions prior to 4.2.0:

  • CVE-2023-29415 (CVSS 9.8): Remote code execution via improper input validation
  • CVE-2023-29416 (CVSS 8.8): Authentication bypass through hard-coded credentials
  • CVE-2023-29417 (CVSS 7.5): Information disclosure through improper access controls

Impact Analysis

These vulnerabilities present severe risks:

  • Remote Code Execution: Attackers could gain complete control over switches
  • Network Propagation: Compromised switches could be used as a foothold to attack other devices on the same network
  • Building System Takeovers: HVAC, lighting, and security systems could be manipulated
  • Data Exfiltration: Sensitive operational data could be stolen

Affected Systems

The vulnerabilities impact:

  • Optigo ONS-S8 switches running firmware < 4.2.0
  • Networks using these switches for BACnet/IP communications
  • Building automation systems in commercial/industrial facilities

Mitigation Recommendations

CISA and Optigo Networks recommend:

  1. Immediate Update: Upgrade to firmware version 4.2.0 or later
  2. Network Segmentation: Isolate building control systems from enterprise networks
  3. Access Controls: Implement strict firewall rules for the BACnet/IP port (47808)
  4. Monitoring: Deploy network intrusion detection for anomalous BACnet traffic

Technical Details

CVE-2023-29415 (RCE)

The switch's web interface improperly validates user input in diagnostic commands, allowing attackers to inject arbitrary code through crafted HTTP requests. This vulnerability requires network access but no authentication.
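The flaw class described above, unvalidated request input reaching a diagnostic command, is shown below as an added example; this is illustrative code, not Optigo's firmware or anything taken from the advisory. It assumes a hypothetical "ping" diagnostic that takes a target parameter, and contrasts the defective pattern (splicing the parameter into a command string) with the hardened one (allow-listing the parameter as an IP address or RFC 1123 host name and building an argv list so no shell ever parses it). The host-name regex and the `PING_COUNT` default are constructed for the example.

```python
import ipaddress
import re

# Constructed RFC 1123 host-name pattern: dot-separated labels of letters, digits
# and interior hyphens. A leading hyphen is rejected, which also stops a target
# such as "-f" from being read as an option by the diagnostic tool.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)
PING_COUNT = 3  # assumed diagnostic default, not a value from the advisory


def vulnerable_ping_command(target: str) -> str:
    """The defective pattern: the request parameter is spliced into a command
    line. If this string is handed to a shell, metacharacters in 'target'
    become part of the command. It is returned as a string here so the problem
    can be inspected without executing anything."""
    return f"ping -c {PING_COUNT} {target}"


def hardened_ping_argv(target: str) -> list:
    """Allow-list the parameter as an IP address or host name, then build an
    argv list for subprocess.run(..., shell=False). Anything that does not fit
    the allow-list is rejected outright rather than 'cleaned up'."""
    if len(target) > 253:
        raise ValueError("diagnostic target too long")
    try:
        ipaddress.ip_address(target)           # accepts IPv4 and IPv6 literals
    except ValueError:
        if not _HOSTNAME_RE.match(target):
            raise ValueError("diagnostic target must be an IP address or host name")
    return ["ping", "-c", str(PING_COUNT), target]


def triage_targets(candidates: list) -> dict:
    """Run each candidate through the hardened validator and report which
    would be accepted; useful as a regression check for the validator."""
    verdict = {}
    for candidate in candidates:
        try:
            hardened_ping_argv(candidate)
            verdict[candidate] = "accepted"
        except ValueError:
            verdict[candidate] = "rejected"
    return verdict


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and several that carry shell
    # metacharacters or option-like prefixes.
    samples = ["10.0.0.1", "bms-controller.example", "10.0.0.1; echo x",
               "$(id)", "-f", "a b", ""]
    for target, result in triage_targets(samples).items():
        print(f"{target!r:26} -> {result}")
    print("defective form keeps the payload:", vulnerable_ping_command("10.0.0.1; echo x"))
```

The safe call shape is `subprocess.run(hardened_ping_argv(target), shell=False)`: the target travels as a single argv element, so it can never be reinterpreted as a command separator or an extra option, and every rejection is a clean error the web layer can log.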

CVE-2023-29416 (Auth Bypass)

The device contains undocumented administrative credentials in its firmware that cannot be changed through normal configuration. These credentials provide complete device control.

CVE-2023-29417 (Info Disclosure)

The BACnet implementation leaks sensitive device information through improperly secured protocol requests, potentially revealing network architecture details.
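The two network controls the advisory recommends (firewalling the BACnet/IP port 47808 to the building-control segment, and watching for anomalous BACnet traffic) apply directly to the protocol-level information leakage described above, because the exposed requests arrive as ordinary BACnet/IP datagrams. The block below is an added example, not code from CISA or Optigo Networks: a small monitor that decodes the BVLC and NPDU headers of each datagram, names the APDU service (Who-Is, ReadProperty, and so on), and raises an alert when BACnet traffic originates outside an assumed control subnet, when one host sends an excessive number of discovery broadcasts, or when a datagram is malformed. The subnet `10.50.0.0/24`, the threshold, the addresses and the packet bytes are all constructed for the example.

```python
import ipaddress
import struct
from collections import Counter

BACNET_PORT = 47808                 # 0xBAC0, the BACnet/IP UDP port named in the advisory
BVLC_TYPE = 0x81                    # first byte of every BACnet/IP datagram
BVLC_NAMES = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
              0x0B: "Original-Broadcast-NPDU"}
UNCONFIRMED = {0x00: "I-Am", 0x08: "Who-Is"}
CONFIRMED = {0x0C: "ReadProperty", 0x0E: "ReadPropertyMultiple", 0x0F: "WriteProperty"}

# Assumed site policy (constructed): only the building-control subnet may speak BACnet,
# and more than this many Who-Is broadcasts from one host is treated as a sweep.
ALLOWED_SUBNETS = [ipaddress.ip_network("10.50.0.0/24")]
BROADCAST_THRESHOLD = 5


def parse_bacnet_ip(payload: bytes) -> dict:
    """Decode the BVLC function and the APDU service of one datagram.
    Raises ValueError for anything that is not well-formed BACnet/IP."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        raise ValueError("not a BVLC frame")
    function = payload[1]
    (length,) = struct.unpack(">H", payload[2:4])
    if length != len(payload):
        raise ValueError(f"BVLC length {length} does not match datagram length {len(payload)}")
    name = BVLC_NAMES.get(function, f"bvlc-0x{function:02x}")
    pos = 10 if function == 0x04 else 4        # Forwarded-NPDU carries a 6-byte origin address
    if len(payload) < pos + 2 or payload[pos] != 0x01:
        raise ValueError("missing or unsupported NPDU version")
    control = payload[pos + 1]
    pos += 2
    for flag in (0x20, 0x08):                  # DNET/DLEN/DADR, then SNET/SLEN/SADR
        if control & flag:
            if len(payload) < pos + 3:
                raise ValueError("truncated NPDU address")
            pos += 3 + payload[pos + 2]
    if control & 0x20:
        pos += 1                               # hop count follows when DNET is present
    if control & 0x80:
        return {"function": name, "service": "network-layer"}
    apdu = payload[pos:]
    if not apdu:
        raise ValueError("truncated APDU")
    pdu_type = apdu[0] >> 4
    if pdu_type == 1 and len(apdu) >= 2:       # Unconfirmed-Request: service choice follows type
        service = UNCONFIRMED.get(apdu[1], f"unconfirmed-{apdu[1]}")
    elif pdu_type == 0:                        # Confirmed-Request: type, max-APDU, invoke id, [seq, window], service
        idx = 5 if apdu[0] & 0x08 else 3
        if len(apdu) <= idx:
            raise ValueError("truncated confirmed request")
        service = CONFIRMED.get(apdu[idx], f"confirmed-{apdu[idx]}")
    else:
        service = f"pdu-type-{pdu_type}"
    return {"function": name, "service": service}


def inspect(records: list) -> list:
    """Apply the segmentation and anomaly rules to (src, dst, dport, payload)
    records and return a list of (rule, source, detail) alerts."""
    alerts, broadcasts = [], Counter()
    for src, dst, dport, payload in records:
        if dport != BACNET_PORT:
            continue                           # not BACnet/IP; outside this monitor's scope
        try:
            pkt = parse_bacnet_ip(payload)
        except ValueError as err:
            alerts.append(("malformed", src, str(err)))
            continue
        if not any(ipaddress.ip_address(src) in net for net in ALLOWED_SUBNETS):
            alerts.append(("outside-segment", src, pkt["service"]))
            continue
        if pkt["function"] == "Original-Broadcast-NPDU" and pkt["service"] == "Who-Is":
            broadcasts[src] += 1
            if broadcasts[src] == BROADCAST_THRESHOLD + 1:
                alerts.append(("discovery-flood", src, f"more than {BROADCAST_THRESHOLD} Who-Is broadcasts"))
    return alerts


# Constructed datagrams: a broadcast Who-Is and a unicast ReadProperty (device 1, object-name).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
READ_PROPERTY = bytes.fromhex("810a001101040005010c0c02000001194d")
SAMPLE_RECORDS = (
    [("10.50.0.20", "10.50.0.255", BACNET_PORT, WHO_IS),
     ("10.50.0.21", "10.50.0.30", BACNET_PORT, READ_PROPERTY),
     ("192.168.1.77", "10.50.0.30", BACNET_PORT, READ_PROPERTY)]   # enterprise host querying a controller
    + [("10.50.0.99", "10.50.0.255", BACNET_PORT, WHO_IS)] * 6     # discovery sweep
    + [("10.50.0.10", "10.50.0.30", BACNET_PORT, bytes.fromhex("810a00400104")),  # length field lies
       ("10.50.0.20", "10.50.0.30", 80, b"GET / HTTP/1.0\r\n\r\n")]  # not BACnet, ignored
)

if __name__ == "__main__":
    for rule, src, detail in inspect(SAMPLE_RECORDS):
        print(f"{rule:16} {src:14} {detail}")
```

The `outside-segment` rule is the detection counterpart of the firewall recommendation: if the segmentation rules are correct, that alert should never fire, so any hit is either a policy gap or a host on the wrong network. The same parser can be fed from a packet capture by supplying the UDP source, destination, port and payload of each datagram.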

Industry Response

Optigo Networks has released firmware version 4.2.0 addressing all vulnerabilities. The company recommends:

  • Emergency patching for all deployed devices
  • Review of all network logs for signs of compromise
  • Disabling unnecessary BACnet services

Long-Term Security Considerations

This advisory highlights broader industrial IoT security challenges:

  • Many building devices lack automatic update mechanisms
  • Legacy protocols like BACnet were not designed with modern security requirements in mind
  • Convergence of OT and IT networks expands attack surfaces

Organizations should implement:

  • Regular vulnerability scanning for OT devices
  • Network behavior anomaly detection
  • Comprehensive patch management programs