Critical vulnerabilities found in OAS industrial automation software

OAS Platform used in many industrial IoT and SCADA systems has bugs that could be exploited for unauthorised access and remote code execution

Two critical vulnerabilities have been found in the widely used OAS Platform industrial automation software that could leave it open to remote code execution (RCE) and unauthorised access attacks.

Other flaws could disclose sensitive data or allow a detail of service (DoS) attack were also discovered.

The bugs were reported by Cisco Talos which says it worked with the platform's vendor, Colorado-based Open Automation Software, to produce an update for the affected OAS Platform, version 16.00.0112.

OAS Platform is described by its maker as 'an unlimited IoT gateway for industrial automation'. It provides connectivity between multiple types of data source and includes logging, data transformations, alarms and notifications and cross-platform integration.

It is used in industrial applications including IoT and supervisory control and data acquisition (SCADA) systems, by organisations including the US Navy, Intel, Volvo and Michelin.

The two critical vulnerabilities identified by Cisco Talos are:

• CVE-2022-26082 (CVSS score 9.1 out of 10), with which an attacker could execute arbitrary code on a targeted machine
• CVE-2022-26833 (CVSS score: 9.4), an authentication bug that could allow unauthorised use of the REST API

Several other high-severity flaws (CVSS score 7.5) were also discovered and patched.

CVE-2022-27169 and CVE-2022-26067 could enable an attacker to use a specially-crafted network request to obtain a directory listing at any location permissible by the underlying user, allowing possible disclosure of sensitive information.

Another bug, CVE-2022-26026, can can also be triggered by a specially crafted network request, but instead leads to a denial of service and a loss of communication.

Meanwhile, CVE-2022-26303 could allow an attacker to create an OAS user account by sending a series of network requests.

Because of the two critical flaws, as well as the types of systems in which OAS is deployed, users are urged to update their systems without delay.

Those unable to patch immediately may be able to take mitigating measures, including blocking access to the configuration port (TCP/58727 by default) when not actively configuring the OAS platform, and creating custom Security Groups and User Accounts with only the permissions necessary to complete the needed tasks.

Join us at the CyberSecurity Festival 2022, taking place across 3 days in June, where we will come together to learn, collaborate and tackle the biggest technology security challenges. Find out more and register for free