KnowStreaming 3.3.0 is vulnerable to Escalation of Privileges. Unauthorized users can create a new user with an admin role.

*   \[Y \] 我已经在 issues 搜索过相关问题了,并没有重复的。

你是否希望来认领这个Bug。

**Env**

*   KnowStreaming version : 3.0.0
*   Operating System version :
*   Java version :  
    This issue is tested on the website https://demo.knowstreaming.com

**Steps to reproduce this issue**

1.  Get the role id of user "admin". We can send such request to the server. The request is without cookie or token, aka it is unauthorized. If the user's id is not 1, we can guess it with brute force. As shown in the picture, we get the role id 1677.

2.  Create a new user with "admin" role. We can send such request to the server. The request is without cookie or token, aka it is unauthorized.

3.  Log on the new user with password. We logged on with an admin role.

**Expected Results**

Unauthorized users should not get user's detail info and should not create a new user.

**Actual Results**

Unauthorized users get user's detail info and create a new user. The created user logs successfully.

CVE-2023-40918: [Escalation of Privileges] Unauthorized users can create a  new user with admin role	 · Issue #1128 · didi/KnowStreaming

Aruba AirWave before 8.0.7 allows XSS attacks agsinat an administrator.

CVE-2015-1390

An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

**PRODUCT URLS**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-284 - Improper Access Control

**DETAILS**

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

By default, when the OAS Engine is installed, no admin application user is set. Without an admin application user, no authentication is required to access functionality that would otherwise require valid credentials, including creating new users. Additionally, if an admin user is created but the configuration is not saved before the OAS Engine restarts, then those changes will be lost and the system will revert to disregarding the authentication structure.

While the credentials will not end up being verified in this case, all privileged requests must still contain a valid authentication structure.

Through use of the following protobuf request, it is possible to check if unauthenticated access is possible through use of an OASPacket with a CommandNumber of 0x13F.

    message OASPacket {
      int32 Version = 1;
      int32 LDCMode = 2;
      int32 CommandNumber = 3;
      string LDCHost = 4;
      string SendingGUID = 5;
      bytes DataAsBytes = 6;
    }
    

If successful, a protobuf response similar to the following will be provided that contains versioning and other engine information. If the MtcExpirationString value contains the string “Create an Admin User” it is indicative of a vulnerable case.

    message Version_Runtime_License {
      int32 Version = 1;
      bool Runtime = 2;
      string LicenseString = 3;
      string MtcExpirationString = 4;
      bool NetCore = 5;
      bool WinOS = 6;
      bool LinuxOS = 7;
      string AssemblyVersion = 8;
      string BaseDirectory = 9;
      bool EnableActiveDirectory = 10;
      string ActiveDirectoryEntry = 11;
      string ActiveDirectoryFilter = 12;
    }
    

When combined with the user creation and save configuration functionality, it is possible to gain access to the underlying system.

**Mitigation**

The easiest way to avoid this case is to ensure that an OAS admin user is set and the configuration is saved immediately upon installation of the OAS Engine. Additionally, access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration.

**VENDOR RESPONSE**

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

**TIMELINE**

2023-06-22 - Vendor Disclosure  
2023-09-02 - Vendor Patch Release  
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2023-31242: TALOS-2023-1769 || Cisco Talos Intelligence Group

An improper input validation vulnerability exists in the OAS Engine User Creation functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to unexpected data in the configuration. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An improper input validation vulnerability exists in the OAS Engine User Creation functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to unexpected data in the configuration. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

**PRODUCT URLS**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 SCORE**

6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-20 - Improper Input Validation

**DETAILS**

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

Access to the various features of the OAS Engine and associated data is controlled through use of OAS engine application users. Application administrator users are able to add additional users to the application with varying levels of permissions. It is important to note that these users exist within the OAS Engine exclusively, not on the underlying system.

To add a new user, a String protobuf can be leveraged as part of a greater authenticated request to specify the username. The format of this structure resembles the following, where the String field contains the username to create:

    message String {
      int32 Version = 1;
      U_EP UEP = 2;
      string String = 3;
    }
    

When adding a user, no filtering is performed on the value entered for the username, allowing a wide variety of characters not appropriate for a username to be entered and subsequently stored to the running configuration.

When combined with one of the authentication bypass vulnerabilities and the save configuration functionality, it is possible to gain access to the underlying system by adding a user with the username field containing an SSH key.

**Mitigation**

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration.

**VENDOR RESPONSE**

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

**TIMELINE**

2023-06-22 - Vendor Disclosure  
2023-09-02 - Vendor Patch Release  
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2023-34317: TALOS-2023-1772 || Cisco Talos Intelligence Group

An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability.

**SUMMARY**

An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary authentication. An attacker can sniff network traffic to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

**PRODUCT URLS**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 SCORE**

8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-319 - Cleartext Transmission of Sensitive Information

**DETAILS**

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

Many of the valid OAS Engine requests require application administrator credentials to run successfully. These credentials are wrapped in a U_EP protobuf and then included as a field inside of the greater request. The format of this structure resembles the following, where the DataAsBytes field contains the encrypted and serialized data of a valid User_EncryptedPassword protobuf.

    message U_EP {
      int32 Version = 1;
      int32 Seed = 2;
      bytes DataAsBytes = 3;
    }
    
    message User_EncryptedPassword {
      string Username = 1;
      string EncyprtedPassword = 2;
    }
    

When a privileged request is sent by a legitimate administrator to the OAS Engine, the traffic is sent unencrypted across the wire. As such, it is possible for a bad actor capable of sniffing traffic between the client and OAS Engine to capture a valid U_EP. This captured U_EP protobuf can then be used by the attacker to craft their own successful privileged request. Further, any captured U_EP remains valid until the associated user account has been deleted.

When combined with the user creation and save configuration functionality, it is possible to gain access to the underlying system.

**Mitigation**

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration.

**VENDOR RESPONSE**

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

**TIMELINE**

2023-06-22 - Vendor Disclosure  
2023-09-02 - Vendor Patch Release  
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2023-34998: TALOS-2023-1770 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to a disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

An information disclosure vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to a disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

**PRODUCT URLS**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 SCORE**

6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-200 - Information Exposure

**DETAILS**

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

Through the OAS Configuration tool, the functionality to load a saved configuration from disk or save a running configuration to disk is exposed to authenticated application users. Accompanying the configuration management tools is a remote file browser that allows users to see what files exist on the remote system.

It is important to note that these users exist within the OAS Engine exclusively, not on the underlying system. This means that an application user who is not authorized on the underlying system is capable of viewing the directory tree anywhere that the underlying OAS user system account has access.

To list existing files, a Browse_file protobuf can be leveraged as part of a greater authenticated request. The format of this structure resembles the following, where the GetDrives, GetDirectories, and GetFiles fields can be set or unset depending on the desired results, the DirectoryPath field contains the absolute path to the directory that should be listed and the FileExtension field contains the file extension on which to filter.

    message Browse_File {
      int32 Version = 1;
      U_EP UEP = 2;
      bool GetDrives = 3;
      bool GetDirectories = 4;
      bool GetFiles = 5;
      string DirectoryPath = 6;
      string FileExtension = 7;
    }
    

**Mitigation**

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration. Additionally, where possible restrict read/write access for the OAS user to only locations that can safely be exposed to anyone on the network.

**VENDOR RESPONSE**

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

**TIMELINE**

2023-06-22 - Vendor Disclosure  
2023-09-02 - Vendor Patch Release  
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2023-32271: TALOS-2023-1774 || Cisco Talos Intelligence Group

A file write vulnerability exists in the OAS Engine configuration functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability.

**SUMMARY**

A file write vulnerability exists in the OAS Engine configuration functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

**PRODUCT URLS**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 SCORE**

6.5 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-73 - External Control of File Name or Path

**DETAILS**

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

The OAS configuration tool provides a feature to save the running configuration to disk on the OAS engine server. When this information gets saved, the user specifies both the path and filename, restricted only by the permissions of the underlying OAS user system account. If the chosen file already exists, the contents of that file will be replaced with the configuration data.

To overwrite a file, a String protobuf, can be leveraged as part of a greater authenticated request to specify the filename. The format of this structure resembles the following, where the String field contains the absolute path to the target file:

    message String {
      int32 Version = 1;
      U_EP UEP = 2;
      string String = 3;
    }
    

Configuration data cannot be directly controlled, but it is possible to affect a subset of the data by strategically creating elements within the application, such as creating a new user.

When combined with one of the authentication bypass vulnerabilities and the user creation functionality, it is possible to gain access to the underlying system by overwriting the OAS user’s authorized_keys file with an attacker-controlled SSH key.

**Mitigation**

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration. Additionally, where possible, restrict read/write access for the OAS user to only locations that can safely be exposed to anyone on the network.

**VENDOR RESPONSE**

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

**TIMELINE**

2023-06-22 - Vendor Disclosure  
2023-09-02 - Vendor Patch Release  
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2023-32615: TALOS-2023-1771 || Cisco Talos Intelligence Group

Unrestricted Upload of File with Dangerous Type vulnerability in Bookreen allows OS Command Injection.This issue affects Bookreen: before 3.0.0.



CVE-2023-3375

An authentication bypass vulnerability exists in the OAS Engine authentication functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted network sniffing can lead to decryption of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

**SUMMARY**

An authentication bypass vulnerability exists in the OAS Engine authentication functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted network sniffing can lead to decryption of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

**PRODUCT URLS**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 SCORE**

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-330 - Use of Insufficiently Random Values

**DETAILS**

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

Many of the valid OAS Engine requests require application administrator credentials to run successfully. These credentials are wrapped in a U_EP protobuf and then included as a field inside of the greater request. The format of this structure resembles the following, where the DataAsBytes field contains the encrypted and serialized data of a valid User_EncryptedPassword protobuf.

    message U_EP {
      int32 Version = 1;
      int32 Seed = 2;
      bytes DataAsBytes = 3;
    }
    

The serialized User_EncryptedPassword structure is encrypted using AES with mode CBC. The key is a 32-byte value that is derived from a modified seed value that is provided as an entry in the U_EP structure then concatenated with a subset of a base key. Using the procedure outlined below it is possible to obtain the original key:

    basekey = 'eh84hsa8jkla2othiqugua4q398rsuq4'
    key = str(uep.Seed - 3274)
    if len(key) < 32:
      key += basekey[0:32-len(key)]
    key = bytes(key, 'utf-8')
    

This key can then be used in conjunction with a null initialization vector to decrypt the serialized User_EncryptedPassword data. Once deserialized, the resulting data resembles the following:

    message User_EncryptedPassword {
      string Username = 1;
      string EncyprtedPassword = 2;
    }
    

**Mitigation**

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration.

**VENDOR RESPONSE**

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

**TIMELINE**

2023-06-22 - Vendor Disclosure  
2023-09-02 - Vendor Patch Release  
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

CVE-2023-34353: TALOS-2023-1776 || Cisco Talos Intelligence Group

**SUMMARY**

An information disclosure vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to a disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

**PRODUCT URLS**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 SCORE**

3.1 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

**CWE**

CWE-209 - Information Exposure Through an Error Message

**DETAILS**

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

Through the OAS Configuration tool, the functionality to load a saved configuration from disk is exposed to authenticated application users. Accompanying the configuration management tools is a remote file browser that allows users to view and subsequently select a file on the system to load. It is important to note that these users exist within the OAS Engine exclusively, not on the underlying system.

When a file is chosen that does not conform to the expected configuration format, the first 0x11 bytes of the file are sometimes leaked in the response error message.

To select a file to attempt to load, a String protobuf can be leveraged as part of a greater authenticated request to specify the filename. The format of this structure resembles the following, where the String field contains the absolute path to the target file:

    message String {
      int32 Version = 1;
      U_EP UEP = 2;
      string String = 3;
    }
    

If the chosen file does not conform to the expected format, a response similar to the following will sometimes be returned:

    Exception: The input stream is not a valid binary format. The starting contents (in bytes) are: 75-6E-61-6D-65-3A-6F-61-73-75-73-65-72-0A-70-61-74 ...'
    

**Mitigation**

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration. Additionally, where possible restrict read/write access for the OAS user to only locations that can safely be exposed to anyone on the network.

**VENDOR RESPONSE**

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

**TIMELINE**

2023-06-22 - Vendor Disclosure  
2023-09-02 - Vendor Patch Release  
2023-09-05 - Public Release

Discovered by a member of Cisco Talos.

Source

CVE