Critical OAS Bugs Open Industrial Systems to Takeover


According to Cisco Talos, a pair of critical flaws in software from industrial Internet of Things data platform provider Open Automation Software (OAS) threaten industrial control systems (ICS).

They are part of a group of eight OAS software vulnerabilities that the vendor patched this week.

Among the flaws is one (CVE-2022-26082) that gives attackers the ability to remotely execute malicious code on a targeted machine to disrupt or alter its operation; another (CVE-2022-26833) allows unauthenticated use of a REST application programming interface (API) for configuring and displaying data on systems.

In its advisory, Cisco Talos described the remote code execution (RCE) vulnerability as having a severity score of 9.1 on a 10-point scale and the API-related flaw as having a score of 9.4.

The remaining flaws exist in various components of the OAS V16.00.0112 platform. They were rated as less severe (with vulnerability severity ratings ranging from 4.9 to 7.5) and included information disclosure issues, a denial of service flaw, and vulnerabilities that allow attackers to make unauthorized configuration changes and other modifications to vulnerable systems.

“Cisco Talos has worked with Open Automation Software to ensure these issues are resolved and an update is available for affected customers, all in compliance with Cisco’s Vulnerability Disclosure Policy,” the advisory noted. The company recommended that organizations using the vulnerable software ensure that appropriate network segmentation is in place to minimize the access an attacker who exploits the vulnerabilities would have to the compromised network.

The OAS platform is primarily designed to allow organizations in industrial IoT environments to move data between different platforms, for example, from an Allen Bradley programmable logic controller (PLC) to a Siemens PLC. At the heart of the platform is a technology the company calls Universal Data Connect that allows data to flow to and between IoT devices, APIs, applications and databases. OAS describes its technology as also being useful for saving data in ICS environments and putting it into open formats, and for aggregating data from disparate sources. OAS has customers in multiple verticals including power and utilities, chemicals, construction, transportation, oil and gas.

Critical flaws

The RCE vulnerability (CVE-2022-26082) discovered by Cisco Talos exists in a secure file transfer feature of the OAS platform V16.00.0112. An attacker can exploit the vulnerability by sending a sequence of properly formatted configuration messages to the OAS platform to download an arbitrary file. Cisco said the issue was related to missing authentication for a critical function.

“The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when you are not actively configuring the OAS platform,” said Cisco Talos.
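Whether that port restriction actually holds can be checked from firewall or flow logs. The following is an added example, not code from Cisco Talos or OAS; the host address, admin network, configuration window and log format are assumptions constructed for illustration.

```python
import csv
import ipaddress
from datetime import datetime

OAS_CONFIG_PORT = 58727  # default configuration port named in the quote above

# Assumptions for this example: hypothetical host, network and window values.
OAS_HOSTS = {"10.20.0.15"}
ADMIN_NETS = [ipaddress.ip_network("10.20.9.0/28")]
CONFIG_WINDOWS = [(datetime(2022, 5, 27, 8, 0), datetime(2022, 5, 27, 9, 0))]

# Constructed sample records: time,src,dst,dport,action
SAMPLE_LOG = """\
2022-05-27T08:15:00,10.20.9.4,10.20.0.15,58727,allow
2022-05-27T13:02:11,10.20.9.4,10.20.0.15,58727,allow
2022-05-27T08:20:45,10.30.4.77,10.20.0.15,58727,allow
2022-05-27T08:21:00,10.30.4.77,10.20.0.15,58727,deny
2022-05-27T08:22:00,10.30.4.77,10.20.0.15,443,allow
not,a,valid,record
"""

def audit_config_port(log_text):
    """Return (time, src, reason) for each allowed connection to the OAS
    configuration port that policy should have blocked."""
    findings = []
    for row in csv.reader(log_text.splitlines()):
        try:
            ts = datetime.fromisoformat(row[0])
            src = ipaddress.ip_address(row[1])
            dst, dport, action = row[2], int(row[3]), row[4].strip().lower()
        except (ValueError, IndexError):
            continue  # skip malformed records instead of aborting the audit
        if dst not in OAS_HOSTS or dport != OAS_CONFIG_PORT or action != "allow":
            continue
        if not any(src in net for net in ADMIN_NETS):
            findings.append((row[0], str(src), "source outside admin networks"))
        elif not any(start <= ts <= end for start, end in CONFIG_WINDOWS):
            findings.append((row[0], str(src), "outside configuration window"))
    return findings

if __name__ == "__main__":
    for finding in audit_config_port(SAMPLE_LOG):
        print(*finding, sep="  ")
```

Any finding means the configuration port was reachable when the mitigation says it should not have been, either from outside the engineering network or outside a declared configuration session.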

The REST API vulnerability (CVE-2022-26833) that Cisco discovered and reported to OAS also stems from improper authentication. The flaw exists in the OAS V16.00.0121 platform and gives unauthenticated attackers a way to use the REST API to make malicious changes to the platform. Attackers can trigger the flaw by sending a series of specially crafted HTTP requests to the software.

To mitigate the risk of this flaw, Cisco recommended that organizations create security groups and custom user accounts with only the necessary permissions, and then restrict access to those accounts.

Researchers have discovered an increasing number of vulnerabilities in ICS and operational technology (OT) environments in recent years. A study that industrial cybersecurity provider Claroty published earlier this year showed that vulnerabilities affecting these environments increased by 52% in 2021 to 1,439, from 942 in 2020. About 63% of flaws were remotely exploitable.

The number of vulnerabilities reported last year was approximately 110% higher than the 683 vulnerabilities reported in ICS technologies in 2018. Vulnerabilities were first reported in products from 21 of the 82 ICS vendors affected by vulnerabilities last year.

