Jared Rittle of Cisco Talos discovered several critical and high-severity vulnerabilities in the Open Automation Software Platform that allow attackers to execute remote code.
The researcher found eight vulnerabilities in the Open Automation Software Platform that could allow an attacker to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service.
Open Automation Software is a US-based company that provides connectivity solutions for ICS or IoT devices, databases, and custom applications. The company’s Open Automation Software (OAS) Platform, powered by a universal data connector, can be used to move data between PLCs from different vendors, from a PLC to a database, or from a database to visualization.
Vulnerabilities in Open Automation Software Platform
The two vulnerabilities were assigned a “critical” severity rating, tracked as (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10.
Another vulnerability is tracked as (CVE-2022-26833) which has a 9.4 severity score and could lead to the unauthenticated use of the REST API.
The other two vulnerabilities were identified and tracked as (CVE-2022-27169) and (CVE-2022-26067) which could allow an attacker to obtain a directory listing at any location permissible by the underlying user by sending a specific network request.
Further, the information disclosure vulnerability is tracked as (CVE-2022-26077) which provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks.
The vulnerability tracked as (CVE-2022-26026) will be activated by a specially crafted network request, leading to a denial of service and a loss of communication.
The other two vulnerabilities allow an attacker to make external configuration changes, including creating a new security group on the Platform and creating new user accounts arbitrarily which are tracked as (CVE-2022-26303) and (CVE-2022-26043).
Cisco Talos make sure that these vulnerabilities are fixed and an update is available for affected customers. The company recommended that organizations using the vulnerable software ensure suitable network segmentation is in place so that the attackers have the lowest possibility of access to the network on which the OAS Platform communicates.
Cisco advises the users to update these affected products as soon as possible: Open Automation Software OAS Platform, version 16.00.0112.