Open Automation Software

Open Automation Software, a major ICS platform, has a number of security flaws, according to researchers (OAS). Exploiting these flaws could lead to the execution of arbitrary code on a target device. With the latest OAS Platform upgrades, the vendors have addressed the vulnerabilities.

Open Automation Software Bugs

In the Open Automation Software (OAS) Platform, the Cisco Talos team uncovered eight separate security flaws.

According to Cisco’s statement, its researchers discovered at least two serious flaws in the platform. These are some of them:

CVE-2022-26082 (CVSS 9.1) Is a file write vulnerability in the SecureTransferFiles capability of the OAS Engine that could allow remote code execution in response to maliciously crafted network requests.

CVE-2022-26833 (CVSS 9.4) – Incorrect REST API authentication could allow unauthenticated REST API use in response to carefully crafted HTTP queries.

In addition, the following vulnerabilities were rated as having a high severity.

Information exposure issue due to cleartext transmission via OAS Engine configuration communications capabilities, CVE-2022-26077 (CVSS 7.5).

CVE-2022-26026 (CVSS 7.5) – By submitting maliciously designed network requests to the OAS Engine SecureConfigValues capability, an attacker could cause a denial of service.

Another information disclosure flaw affecting the OAS Engine SecureBrowseFile capability that an attacker could exploit with fraudulent network requests is CVE-2022-27169 (CVSS 7.5).

CVE-2022-26303 (CVSS 7.5) — An attacker may create new accounts by sending maliciously designed network requests to the SecureAddUser functionality, which exploited an external config control vulnerability.

CVE-2022-26043 (CVSS 7.5) — a similar external config hole in the SecureAddSecurity feature allows an adversary to create bespoke Security Groups in response to maliciously crafted network requests.

In addition, the researchers discovered a less serious information disclosure vulnerability in the OAS Engine SecureTransferFiles capability (CVE-2022-26067). This bug could be used to read any file in response to specially designed network requests.

OAS Patched The Bugs

OAS is a well-known ICS platform that connects industrial systems, IoT devices, SCADA systems, network points, APIs, and other software and hardware. The OAS Platform, according to its website, allows data to be transported from any source to any destination, as well as data logging, data transformations, alarms and notifications, and cross-platform interaction using SDKs for Windows, Linux, and Web applications. For industrial automation, OAS is essentially a limitless IoT Gateway.

OAS is renowned among industry heavyweights such as Intel, JBT AeroTech, and the US Navy due to its critical functionalities. It demonstrates how any flaws in this platform might be fatal to numerous sectors.

Nonetheless, with OAS Platform version 16.00.0112, the manufacturers have fixed the problems. As a result, all users are now able to upgrade to this version in order to receive the patches.