Researchers discovered numerous security issues in the popular ICS platform Open Automation Software (OAS). Exploiting these vulnerabilities could allow arbitrary code execution on a target device. The vendor has patched the vulnerabilities in the latest OAS Platform update.
Open Automation Software Bugs
The Cisco Talos team discovered eight different security bugs in the Open Automation Software (OAS) Platform.
As elaborated in Cisco's post, the researchers found at least two critical vulnerabilities affecting the platform. These include:
- CVE-2022-26082 (CVSS 9.1) – a file write vulnerability in the OAS Engine SecureTransferFiles functionality that could allow remote code execution via maliciously crafted network requests.
- CVE-2022-26833 (CVSS 9.4) – an improper authentication vulnerability in the REST API that could allow unauthenticated use of the REST API via specially crafted HTTP requests.
In addition, the following vulnerabilities received high-severity ratings:
- CVE-2022-26077 (CVSS 7.5) – an information disclosure vulnerability due to cleartext transmission in the OAS Engine configuration communications functionality.
- CVE-2022-26026 (CVSS 7.5) – a denial-of-service vulnerability that an attacker could trigger by sending maliciously crafted network requests to the OAS Engine SecureConfigValues functionality.
- CVE-2022-27169 (CVSS 7.5) – another information disclosure flaw, affecting the OAS Engine SecureBrowseFile functionality, that an attacker could trigger via malicious network requests.
- CVE-2022-26303 (CVSS 7.5) – an external config control vulnerability in the SecureAddUser functionality that an attacker could exploit to create new accounts by sending maliciously crafted network requests.
- CVE-2022-26043 (CVSS 7.5) – a similar external config control flaw in the SecureAddSecurity functionality that allowed the creation of custom Security Groups via maliciously crafted network requests from an adversary.
The researchers also found a less severe information disclosure vulnerability (CVE-2022-26067) in the OAS Engine SecureTransferFiles functionality. Exploiting this flaw allowed arbitrary file read via specially crafted network requests.
OAS Patched The Bugs
OAS is a well-known ICS platform that facilitates data transfer between software and hardware, connecting industrial systems, IoT devices, SCADA systems, network points, APIs, and more. According to its website:
"The OAS Platform offers data transport from any data source to any destination, while enabling data logging, data transformations, alarms and notifications, and cross-platform integration using SDKs for Windows, Linux, and Web applications. OAS is truly an unlimited IoT Gateway for industrial automation."
Given its essential functionalities, OAS is popular among industry giants, including Intel, JBT AeroTech, and the US Navy. This shows how vulnerabilities in this platform can be lethal for various industries.
The vendor has fixed the bugs in OAS Platform version 16.00.0112, so all users can now upgrade to this version to receive the patches.