Cisco Talos researchers detected multiple critical vulnerabilities in Open Automation Software Platform, a solution powered by a universal data connector that allows data to be moved between programmable logic controllers (PLCs) from different vendors, from a PLC to a database, or from a database to visualization.
Researcher Jared Rittle was responsible for identifying the flaws, mentioning that successful attacks would allow threat actors to perform denial of service (DoS), arbitrary code execution, and access to sensitive information attacks.
Cisco Talos published a report with technical details of each of the flaws, available for public consultation.
Below are brief descriptions of the reported vulnerabilities, and their corresponding identification and scoring key according to the Common Vulnerability Scoring System (CVSS).
CVE-2022-26077: The software uses an unsecured communication channel to transmit sensitive information within the configuration communications functionality of OAS Engine, allowing remote hackers to track network traffic and access sensitive information.
The vulnerability received a CVSS score of 6.5/10.
CVE-2022-27169: The lack of authentication for a critical function in the OAS Engine SecureBrowseFile functionality would allow remote threat actors to send a specially crafted request and reveal sensitive information.
This is a medium severity vulnerability and received a CVSS score of 6.5/10.
CVE-2022-26082: A file write issue in the OAS Engine SecureTransferFiles functionality would allow a remote administrator to send specially crafted requests to execute arbitrary code on the target system.
The fault received a CVSS score of 7.9/10.
CVE-2022-26026: The lack of authentication for a critical function in the OAS Engine SecureConfigValues functionality would allow remote administrators to drive a DoS condition using a specially crafted request.
The flaw received a CVSS score of 6.5/10.
CVE-2022-26043: An external configuration control issue in the OAS Engine SecureAddSecurity functionality would allow remote hackers to send specially crafted requests to create custom security groups, evading the authentication process.
This is a medium severity vulnerability and received a CVSS score of 6.5/10.
CVE-2022-26067: The lack of authentication for a critical feature in the OAS Engine SecureTransferFiles functionality would allow remote administrators to send specially crafted requests to read arbitrary files on the affected system.
This is a low-risk flaw and received a CVSS score of 4.3/10.
CVE-2022-26303: The vulnerability exists due to an external configuration control issue in the OAS Engine SecureAddUser functionality. A remote attacker can send a specially crafted request and create an OAS user account.
The vulnerability received a CVSS score of 6.5/10.
According to the report, the flaws reside in Open Automation Software Platform v16.00.0112. While the flaws can be exploited by remote threat actors, no active exploitation attempts have been detected so far; still, users of affected deployments are encouraged to upgrade as soon as possible.
Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.
