Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-34998: TALOS-2023-1770 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability.

CVE
#vulnerability#windows#linux#cisco#git#intel#auth#docker

SUMMARY

An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

PRODUCT URLS

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

CVSSv3 SCORE

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-319 - Cleartext Transmission of Sensitive Information

DETAILS

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

Many of the valid OAS Engine requests require application administrator credentials to run successfully. These credentials are wrapped in a U_EP protobuf and then included as a field inside of the greater request. The format of this structure resembles the following, where the DataAsBytes field contains the encrypted and serialized data of a valid User_EncryptedPassword protobuf.

message U_EP {
  int32 Version = 1;
  int32 Seed = 2;
  bytes DataAsBytes = 3;
}

message User_EncryptedPassword {
  string Username = 1;
  string EncyprtedPassword = 2;
}

When a privileged request is sent by a legitimate administrator to the OAS Engine, the traffic is sent unencrypted across the wire. As such, it is possible for a bad actor capable of sniffing traffic between the client and OAS Engine to capture a valid U_EP. This captured U_EP protobuf can then be used by the attacker to craft their own successful privileged request. Further, any captured U_EP remains valid until the associated user account has been deleted.

When combined with the user creation and save configuration functionality, it is possible to gain access to the underlying system.

Mitigation

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration.

VENDOR RESPONSE

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

TIMELINE

2023-06-22 - Vendor Disclosure
2023-09-02 - Vendor Patch Release
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

Related news

OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges

Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine.  Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time

Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication

OAS Platform allows various devices, including PLCs, servers, files, databases and internet-of-things platforms to communicate with one another and share data when they otherwise would be unable to because of their various protocols.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907