Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-26833: TALOS-2022-1513 || Cisco Talos Intelligence Group

An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this vulnerability.

CVE
#vulnerability#cisco#js#intel#auth

Summary

An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this vulnerability.

Tested Versions

Open Automation Software OAS Platform V16.00.0121

Product URLs

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

CVSSv3 Score

9.4 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

CWE

CWE-306 - Missing Authentication for Critical Function

Details

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

Included with the platform is a REST API designed to give programmatic access for making configuration changes and viewing data. By default this API ships enabled on port 58725 and supports use of the Default User for a subset of its functionality.

Authentication as the Default User is possible through use of a blank username and password sent to the authenticate endpoint with a request similar to the following:

POST /OASREST/v2/authenticate HTTP/1.1
Host: ip_addr:58725
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/json
Content-Length: 32

{"username": "", "password": ""}

When successful, this request returns a message similar to the following:

HTTP/1.1 200 OK
Date: Thu, 07 Apr 2022 18:01:41 GMT
Content-Type: application/json; charset=utf-8
Server: Kestrel
Content-Length: 211
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *

{"status":"OK","data":{"clientid":"e1393f60-9453-4bed-b427-63ebdb7b0f92","token":"6a4fa444-e42b-4fa1-99f0-f72ddaabcaa7"},"messages":["Default credential provided - access to data and operations may be limited"]}

With valid clientid and token parameters, it is then possible to make any desired change to the configuration of the platform. Notably the API can be used to perform the following operations:

  1. read the existing configuration, usernames, and groups through use of the options, users, and security GET endpoints
  2. create a new security group and user with greater permissions than the default user through use of the users and security POST endpoints
  3. change the port on which various OAS services listen through use of the options POST endpoint

Mitigation

The easiest way to mitigate attempts to exploit this vulnerability is to create custom Security Groups and User Accounts with only the permissions necessary to complete the needed tasks, and then restrict the access provided by the Default Security Group as much as is allowed. Custom Security Groups and User Accounts can be created through either the OAS Configuration Tool or the REST API. Once custom accounts are successfully created, the Default Security Group should be stripped of all permissions. The easiest way to accomplish this is to use the OAS Configuration Tool by navigating to the Configure > Security menu, selecting the Default group, selecting Disable All for the feature choice, and finally applying the change. When performed successfully this will provide an error any time a request is made as the Default User.

Timeline

2022-04-26 - Vendor Disclosure
2022-05-22 - Vendor Patch Release
2022-05-25 - Public Release

Discovered by Jared Rittle of Cisco Talos.

Related news

Critical OAS Bugs Open Industrial Systems to Takeover

The most serious flaw gives attackers a way to remotely execute code on systems that many organizations use to move data in critical ICS environments, security vendor says.

Critical Flaws in Popular ICS Platform Can Trigger RCE

Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.

Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service

Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.  Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into... [[ This is only the beginning! Please visit the blog for the complete entry ]]

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907