Analysis
Attacks and Vulnerabilities
Critical infrastructure
ICS Security Framework
Identity and Access Management (IAM)
Malware, Phishing & Ransomware
News
Perimeter security
Risk & Compliance
Technology & Solutions
Threat Landscape
Vulnerabilities

Vulnerabilities in OAS platform could lead to improper authentication, DoS within industrial sectors

May 30, 2022
Vulnerabilities in OAS platform could lead to improper authentication, DoS within industrial sectors

Cisco Talos has identified eight vulnerabilities in the Open Automation Software (OAS) Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service (DoS). The OAS Platform facilitates simplified data transfer between various proprietary devices and applications, including software and hardware.

A recent blog post revealed that Jared Rittle of Cisco Talos discovered these vulnerabilities.

Typically deployed across industrial control systems (ICS) and critical infrastructure environments, the OAS Platform enables connectivity between PLCs, devices, databases, and custom apps. At the heart of the OAS Platform is the Universal Data Connector, which allows the movement and transformation of data for critical business processes like machine learning, data mining, reporting, and data visualization. Once connected, data moves seamlessly within the OAS Platform. Developers and integrators can access this data programmatically through SDKs and APIs.

Vendors such as Michelin, Volvo, Intel, JBT AeroTech, Volvo, General Dynamics, the U.S. Navy, and a host of other high-profile industrial entities, currently use the OAS platform.

“The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10,” the Cisco post said. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833) has a 9.4 severity score and could lead to the unauthenticated use of the REST API, it added. 

Additionally, there are two other vulnerabilities, TALOS-2022-1494 (CVE-2022-27169) and TALOS-2022-1492 (CVE-2022-26067) could allow an attacker to obtain a directory listing at any location permissible by the underlying user by sending a specific network request, the post added. 

“Another information disclosure vulnerability TALOS-2022-1490 (CVE-2022-26077) works in the same way, but alternatively provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks,” Cisco said. “TALOS-2022-1491 (CVE-2022-26026) can also be triggered by a specially crafted network request, but instead leads to a denial of service and a loss of communication,” it added. 

The other two vulnerabilities could allow an attacker to make external configuration changes, including creating a new security group on the Platform and creating new user accounts arbitrarily: TALOS-2022-1488 (CVE-2022-26303) and TALOS-2022-1489 (CVE-2022-26043), the post said.

Cisco Talos has worked with OAS to ensure that these issues are resolved and an update is available for affected customers, in adherence to Cisco’s vulnerability disclosure policy. “Additionally, affected users could mitigate these issues by ensuring that proper network segmentation is in place so adversaries have the lowest possible level of access to the network on which the OAS Platform communicates,” the post said.

“Users are encouraged to update these affected products as soon as possible: Open Automation Software OAS Platform, version 16.00.0112. Talos tested and confirmed this driver could be exploited by these vulnerabilities,” it added.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
DC3, DCSA collaborate to launch vulnerability disclosure program for defense industrial base
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns