Critical OAS Bugs Open Industrial Systems to Takeover

A pair of critical flaws in industrial Internet of Things data platform vendor Open Automation Software (OAS) are threatening industrial control systems (ICS), according to Cisco Talos.

They’re part of a group of eight vulnerabilities in OAS software that the vendor patched this week.

Among the flaws is one (CVE-2022-26082) that gives attackers the ability to remotely execute malicious code on a targeted machine to disrupt or alter its functioning; another (CVE-2022-26833) enables unauthenticated use of a REST application programming interface (API) for configuration and viewing data on systems.

In its advisory, Cisco Talos described the remote code execution (RCE) vulnerability as having a severity score of 9.1 on a 10-point scale and the API-related flaw as having a score of 9.4.

The remaining flaws exist in different components of OAS Platform V16.00.0112. They were assessed as being less severe (with vulnerability-severity ratings that range from 4.9 to 7.5), and included information disclosure issues, a denial-of-service flaw, and vulnerabilities that allow attackers to make unauthorized configuration changes and other modifications on vulnerable systems.

“Cisco Talos worked with Open Automation Software to ensure that these issues are resolved, and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy,” its advisory noted. The company recommended that organizations using the vulnerable software ensure that proper network segmentation is in place to minimize the access that an attacker, who exploited the vulnerabilities, would have on the compromised network.

OAS’s Open Automation Software Platform is primarily designed to let organizations in industrial IoT environments move data between different platforms — for instance, from an Allen Bradley programmable logic controller (PLC) to a Siemens PLC. Central to the platform is a technology the company calls Universal Data Connect that enables data to flow from and between IoT devices, PLCs, applications, and databases. OAS describes its technology as also being useful for logging data in ICS environments and putting then in open formats, and for aggregating data from disparate sources. OAS has customers from across multiple industry verticals including power and utilities, chemical, construction, transportation, and oil and gas.

Critical Flaws

The RCE execution vulnerability (CVE-2022-26082) that Cisco Talos discovered exists in a secure file transfer functionality in the OAS Platform V16.00.0112. An attacker can exploit the vulnerability by sending a sequence of properly formatted configuration messages to the OAS Platform to upload an arbitrary file. Cisco said the issue had to do with missing authentication for a critical function.

“The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform,” Cisco Talos said.

The REST API-related vulnerability (CVE-2022-26833) that Cisco discovered and reported to OAS also stems from improper authentication. The flaw exists in OAS Platform V16.00.0121 and gives unauthenticated attackers a way to use the REST API to make malicious changes to the platform. Attackers can trigger the flaw by sending a series of specially crafted HTTP requests to the software.

To mitigate the risk from this flaw, Cisco recommended that organizations create custom security groups and user accounts with only the needed permissions and then restrict access to these accounts.

Researchers have been discovering a steadily growing number of vulnerabilities in ICS and operational technology (OT) environments in recent years. A study that industrial cybersecurity vendor Claroty released earlier this year showed vulnerabilities impacting these environments increased 52% in 2021 to 1,439, compared to 942 in 2020. About 63% of the flaws were remotely exploitable.

The number of vulnerabilities reported last year was some 110% more than the 683 flaws reported in ICS technologies in 2018. Vulnerabilities were reported for the first time in products from 21 of the 82 ICS vendors that were affected by flaws last year.