Vulnerabilities reported in Open Automation Software Industrial IoT Platform
Take action: Not a panic-mode patch, since exploitation still requires specific conditions to be met, but it's wise to plan a patch activity in the next quarter. In the meantime, make sure the OAS Platform is not exposed to external networks.
Cisco has reported multiple vulnerabilities discovered in the Open Automation Software (OAS) Platform. These vulnerabilities can be exploited to bypass authentication, potentially leak sensitive information, and even overwrite files.
The OAS Platform plays a critical role in facilitating communication and data transfer among various servers, industrial control systems (ICS), Internet of Things (IoT) devices, and other types of interconnected devices. It is commonly employed in industrial operations and enterprise environments. The platform offers additional features such as logging, notifications, and compatibility with a wide range of platforms.
Cisco's researchers uncovered eight vulnerabilities, all within the OAS Platform's engine configuration management functionality. This component allows users to load and save configurations to disk and then install them on other devices. Three of the eight are rated as high-severity issues.
The most noteworthy vulnerabilities are authentication bypass flaws that can be exploited through carefully crafted requests.
CVE-2023-31242 (CVSS3 score 8.1) - the issue stems from the default configuration of the OAS engine. When initially installed, no admin user is created, and no authentication is required to access functions like creating new user accounts. Even if an admin user is subsequently created, the configuration must be saved before the engine restarts; otherwise, it will revert to its default state. An attacker could exploit this situation by using special requests to test for unauthenticated access and, if successful, create new user accounts, save the configuration, and potentially gain unauthorized access to the underlying system.
CVE-2023-34998 (CVSS3 score 8.1) - this issue allows an attacker to capture a protobuf containing valid administrator credentials and then utilize it to create their own requests. With this, the attacker could access user creation and configuration-saving functions to gain access to the underlying system.
Cisco highlights that these authentication bypass vulnerabilities could be combined with CVE-2023-34317, an improper input validation issue within the user creation functionality. This combination could allow an attacker to add a user with the username field containing an SSH key, ultimately leading to unauthorized access to the underlying system.
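The two design mistakes described above, a fail-open default with no admin account (and an in-memory configuration that reverts on restart) and an unvalidated username field, can be modelled in a few lines. The following is an added, hypothetical example written for this page; it does not reproduce any OAS code, and the class names, the bootstrap-token mechanism and the constructed SSH-key-shaped username are all assumptions chosen to illustrate the weak behaviour beside one hardened alternative.

```python
"""Toy model of a fail-open default configuration and an unvalidated
account-name field, with a hardened counterpart. Hypothetical code:
it models the design flaws the advisory describes, not OAS internals."""
import hmac
import re
import secrets

# Allowlist for account names. An SSH public key line ("ssh-ed25519 AAAA... id")
# contains spaces and base64 symbols, so it cannot pass this check.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed sample: a username that is really an SSH public key line.
SSH_KEY_NAME = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyMaterial key@example"


class VulnerableEngine:
    """No admin exists after install, so authorisation is skipped entirely,
    and anything not explicitly saved is lost on restart."""

    def __init__(self):
        self.users = {}        # live, in-memory configuration
        self._on_disk = {}     # what a restart will reload

    def authorised(self, creds):
        if not self.users:     # default state: fail open
            return True
        stored = self.users.get(creds.get("user", ""), "")
        return hmac.compare_digest(stored, creds.get("password", ""))

    def create_user(self, creds, name, password):
        if not self.authorised(creds):
            raise PermissionError("not authorised")
        self.users[name] = password          # name is stored unchecked

    def save(self, creds):
        if not self.authorised(creds):
            raise PermissionError("not authorised")
        self._on_disk = dict(self.users)

    def restart(self):
        self.users = dict(self._on_disk)     # unsaved accounts disappear


class HardenedEngine(VulnerableEngine):
    """Fail closed: the first admin can only be created with a one-time
    bootstrap token issued to the local installer (assumed mechanism),
    account names are validated, and every change is written through so
    a restart cannot silently reopen the engine."""

    def __init__(self):
        super().__init__()
        self.bootstrap_token = secrets.token_urlsafe(32)

    def authorised(self, creds):
        if not self.users:   # no admin yet: only the bootstrap token is accepted
            return hmac.compare_digest(creds.get("bootstrap", ""), self.bootstrap_token)
        return super().authorised(creds)

    def create_user(self, creds, name, password):
        if not self.authorised(creds):
            raise PermissionError("not authorised")
        if not USERNAME_RE.fullmatch(name):
            raise ValueError("account name contains disallowed characters")
        self.users[name] = password          # a real engine would store a hash
        self._on_disk = dict(self.users)     # write-through persistence


def walk_vulnerable():
    """What an unauthenticated client can do against the fail-open engine."""
    eng = VulnerableEngine()
    eng.create_user({}, "operator", "hunter2")       # no credentials at all
    eng.create_user({"user": "operator", "password": "hunter2"}, SSH_KEY_NAME, "x")
    created = sorted(eng.users)
    eng.restart()                                    # configuration was never saved
    return {"created_without_auth": created, "users_after_restart": sorted(eng.users)}


def walk_hardened():
    """The same requests against the fail-closed engine."""
    eng = HardenedEngine()
    outcome = {}
    try:
        eng.create_user({}, "operator", "hunter2")
        outcome["unauth_create"] = "allowed"
    except PermissionError:
        outcome["unauth_create"] = "denied"
    eng.create_user({"bootstrap": eng.bootstrap_token}, "operator", "hunter2")
    admin = {"user": "operator", "password": "hunter2"}
    try:
        eng.create_user(admin, SSH_KEY_NAME, "x")
        outcome["ssh_key_name"] = "accepted"
    except ValueError:
        outcome["ssh_key_name"] = "rejected"
    eng.restart()
    outcome["users_after_restart"] = sorted(eng.users)
    return outcome


if __name__ == "__main__":
    print(walk_vulnerable())
    print(walk_hardened())
```

The vulnerable walk shows both halves of the default-configuration problem: any request is accepted while no user exists, and because the new accounts were never saved, a restart wipes them and the engine is fail-open again. The hardened walk denies the unauthenticated request, accepts only the bootstrap token for the first account, rejects the SSH-key-shaped name at the allowlist, and keeps the account across a restart because every change is persisted immediately.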
Furthermore, another high-severity authentication bypass vulnerability, CVE-2023-34353, enables an attacker to perform network sniffing to capture the protobuf containing admin credentials and subsequently decrypt sensitive information.
Of the remaining vulnerabilities, two could lead to information disclosure, while the other two could be exploited to create or overwrite arbitrary files and directories.
These vulnerabilities were identified in OAS Platform version 18. The vendor has addressed them in version 19.00.0000, and users are strongly advised to update to that release to mitigate these security risks.