Critical OAS bugs open up industrial systems for takeover


According to Cisco Talos, a pair of critical flaws in software from Open Automation Software (OAS), a vendor of an Internet of Things data platform, is threatening industrial control systems (ICS).

They are part of a group of eight vulnerabilities in OAS software that the vendor patched this week.

One of the flaws (CVE-2022-26082) allows attackers to run malicious code remotely on a target machine to disrupt or alter its functioning; the other (CVE-2022-26833) enables unauthorized use of the REST application programming interface (API) for configuring and viewing data on a system.

In its advisory, Cisco Talos gave the remote code execution (RCE) vulnerability a severity score of 9.1 on a 10-point scale and the API-related flaw a score of 9.4.

The remaining flaws exist in various components of OAS Platform V16.00.0112. They were rated as less severe (with vulnerability-severity ratings of 4.9 to 7.5) and include disclosure issues, denial-of-service flaws, and vulnerabilities that allow attackers to make unauthorized configuration changes and other changes on vulnerable systems.

“Cisco Talos has worked with Open Automation Software to ensure that these issues have been addressed, and an update is available for the affected customers, in compliance with Cisco’s vulnerability policy,” the advisory noted.
The company recommends that organizations using the vulnerable software ensure that correct network segmentation is in place, to minimize the access that an attacker who exploits the vulnerabilities has to the compromised network.

OAS’s Open Automation Software platform is primarily designed to let companies move data between different platforms in an industrial IoT environment, for example from an Allen Bradley programmable logic controller (PLC) to a Siemens PLC. Central to the platform is a technology called Universal Data Connect that enables data to flow in and out of IoT devices, PLCs, applications and databases. OAS describes its technology as useful for logging data in ICS environments, keeping it in an open format, and collecting data from different sources. OAS has clients across a wide range of industries, including power and utilities, chemicals, construction, transportation, and oil and gas.

Critical flaws

The RCE vulnerability (CVE-2022-26082) that Cisco Talos discovered exists in a secure file transfer functionality in OAS Platform V16.00.0112. An attacker can exploit the vulnerability by sending a sequence of properly formatted configuration messages to the OAS platform to upload arbitrary files. Cisco said the problem was related to missing authentication for a critical function.

“The easiest way to alleviate this vulnerability is to block access to the configuration port (TCP/58727 default) when the OAS platform is not actively configured,” said Cisco Talos.
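A defender-side check for this mitigation, as an added example that is not code from Cisco Talos or OAS: run it from a network segment that should not be able to reach OAS hosts, and it reports every host whose configuration port still accepts connections. The host addresses, the function names and the idea of an approved "configuration window" set are assumptions made for illustration.

```python
import socket

OAS_CONFIG_PORT = 58727  # default configuration port named in the Talos advice


def probe(host, port=OAS_CONFIG_PORT, timeout=2.0):
    """Classify one TCP connect attempt against a host's configuration port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: port is reachable from here
    except ConnectionRefusedError:
        return "closed"          # host answered with a reset: nothing is listening
    except socket.gaierror:
        return "unresolved"      # hostname did not resolve: fix the inventory entry
    except OSError:
        return "filtered"        # timeout or unreachable: traffic dropped on the path


def audit(hosts, in_config_window=(), port=OAS_CONFIG_PORT, timeout=2.0):
    """Return the hosts whose configuration port is reachable although the host
    is not in an approved configuration window (hypothetical allowlist)."""
    exposed = []
    for host in hosts:
        if probe(host, port, timeout) == "open" and host not in in_config_window:
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    # Constructed inventory using documentation addresses (RFC 5737);
    # replace with the OAS hosts you are responsible for.
    inventory = ["192.0.2.10", "192.0.2.11"]
    for host in audit(inventory, in_config_window={"192.0.2.11"}, timeout=1.0):
        print(f"{host}: TCP/{OAS_CONFIG_PORT} reachable outside a configuration window")
```

A "filtered" or "closed" result from an untrusted segment is the expected outcome once the port is blocked; "open" means the firewall rule or segmentation is not in effect on that path.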

The REST API-related vulnerability (CVE-2022-26833) that Cisco discovered and reported to OAS also stemmed from improper authentication. The flaw gives unauthenticated attackers a way to use the REST API on OAS Platform V16.00.0121 to make malicious changes to the platform. Attackers can trigger the flaw by sending a series of specially crafted HTTP requests to the software.

To reduce the risk from this flaw, Cisco recommends that companies create custom security groups and user accounts with only the necessary permissions and then restrict access to these accounts.

Researchers have been discovering a growing number of vulnerabilities in ICS and operational technology (OT) environments in recent years. A survey published earlier this year by industrial cybersecurity vendor Claroty found that vulnerabilities in these environments rose 52% in 2021 to 1,439, up from 942 in 2020. About 63% of the flaws were remotely exploitable.

The number of vulnerabilities reported last year is about 110% higher than the 683 flaws reported in ICS technology in 2018. Last year, 21 of the 82 ICS vendors affected by vulnerabilities had flaws reported for the first time.
