Critical OAS Bugs Open Industrial Systems to Takeover

The most serious flaw gives attackers a way to remotely execute code on systems that many organizations use to move data in critical ICS environments, security vendor says.


A pair of critical flaws in industrial Internet of Things data platform vendor Open Automation Software (OAS) are threatening industrial control systems (ICS), according to Cisco Talos.

They're part of a group of eight vulnerabilities in OAS software that the vendor patched this week.

Among the flaws is one (CVE-2022-26082) that gives attackers the ability to remotely execute malicious code on a targeted machine to disrupt or alter its functioning; another (CVE-2022-26833) enables unauthenticated use of a REST application programming interface (API) for configuration and viewing data on systems. 

In its advisory, Cisco Talos described the remote code execution (RCE) vulnerability as having a severity score of 9.1 on a 10-point scale and the API-related flaw as having a score of 9.4.

The remaining flaws exist in different components of OAS Platform V16.00.0112. They were assessed as being less severe (with vulnerability-severity ratings that range from 4.9 to 7.5), and included information disclosure issues, a denial-of-service flaw, and vulnerabilities that allow attackers to make unauthorized configuration changes and other modifications on vulnerable systems. 

"Cisco Talos worked with Open Automation Software to ensure that these issues are resolved, and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy," its advisory noted. The company recommended that organizations using the vulnerable software ensure that proper network segmentation is in place to minimize the access that an attacker, who exploited the vulnerabilities, would have on the compromised network.

OAS's Open Automation Software Platform is primarily designed to let organizations in industrial IoT environments move data between different platforms — for instance, from an Allen Bradley programmable logic controller (PLC) to a Siemens PLC. Central to the platform is a technology the company calls Universal Data Connect that enables data to flow from and between IoT devices, PLCs, applications, and databases. OAS describes its technology as also being useful for logging data in ICS environments and putting it in open formats, and for aggregating data from disparate sources. OAS has customers across multiple industry verticals, including power and utilities, chemical, construction, transportation, and oil and gas.

Critical Flaws

The RCE vulnerability (CVE-2022-26082) that Cisco Talos discovered exists in the secure file transfer functionality of OAS Platform V16.00.0112. An attacker can exploit the vulnerability by sending a sequence of properly formatted configuration messages to the OAS Platform to upload an arbitrary file. Cisco said the issue had to do with missing authentication for a critical function.

"The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform," Cisco Talos said.

The REST API-related vulnerability (CVE-2022-26833) that Cisco discovered and reported to OAS also stems from improper authentication. The flaw exists in OAS Platform V16.00.0121 and gives unauthenticated attackers a way to use the REST API to make malicious changes to the platform. Attackers can trigger the flaw by sending a series of specially crafted HTTP requests to the software. 

To mitigate the risk from this flaw, Cisco recommended that organizations create custom security groups and user accounts with only the needed permissions and then restrict access to these accounts. 
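The Talos mitigation for CVE-2022-26082 quoted above is to block the configuration port (TCP/58727 by default) when it is not in use. The following added example, which is not code from Cisco Talos or OAS, audits a Linux host's `ss -H -tln` output for that port listening on a non-loopback address. The sample output is constructed and the function names are illustrative; the check covers socket bindings only, so host and network firewall rules still need their own review.

```python
import ipaddress

OAS_CONFIG_PORT = 58727  # default configuration port named in the Talos advisory

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:58727 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::1]:58727 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 192.0.2.10:58727 0.0.0.0:*
"""

def split_local(field):
    """Split the Local Address:Port column of ss into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds are not loopback."""
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback

def exposed_listeners(ss_output, port=OAS_CONFIG_PORT):
    """Return local addresses where `port` listens on a non-loopback address."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        addr, lport = split_local(cols[3])
        if lport == port and not is_loopback(addr):
            exposed.append(addr)
    return exposed

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print(f"TCP/{OAS_CONFIG_PORT} is bound to {addr}: "
              "restrict it with a host or network firewall")
```

An empty result means the port is either closed or bound to loopback only on that host.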

Researchers have been discovering a steadily growing number of vulnerabilities in ICS and operational technology (OT) environments in recent years. A study that industrial cybersecurity vendor Claroty released earlier this year showed vulnerabilities impacting these environments increased 52% in 2021 to 1,439, compared to 942 in 2020. About 63% of the flaws were remotely exploitable. 

The number of vulnerabilities reported last year was some 110% more than the 683 flaws reported in ICS technologies in 2018. Vulnerabilities were reported for the first time in products from 21 of the 82 ICS vendors that were affected by flaws last year.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
