Multiple vulnerabilities in the Open Automation Software (OAS) Platform can be exploited to bypass authentication, leak sensitive information, and overwrite files, Cisco warns.
Enabling communication and data transfer between servers, industrial control systems (ICS), IoT, and other types of devices, the OAS Platform is typically used in industrial operations and enterprise environments. It also supports logging and notifications, and cross-platform integrations.
On Wednesday, Cisco’s Talos security researchers disclosed eight vulnerabilities identified in the OAS Platform’s engine configuration management functionality, which allows users to load and save configurations to disk and install them on other devices. Three of the bugs are rated high-severity.
The most important of these are CVE-2023-31242 and CVE-2023-34998, two authentication bypass flaws that can be exploited using specially crafted requests. The first can be triggered with a sequence of requests, while the second requires sniffing network traffic.
The first issue is rooted in the fact that, by default, when the OAS engine is installed, no admin user is set and no authentication is required to access functionality such as new user creation. Even if an admin user is created, the configuration needs to be saved before the engine restarts; otherwise the engine reverts to its defaults.
An attacker could use special requests to check if unauthenticated access is possible and could then create new users, save the configuration, and potentially gain access to the underlying system.
The second flaw allows an attacker to capture a protobuf containing valid administrator credentials and use it to create their own requests. The attacker could then access the user creation and save functionality to gain access to the underlying system.
These authentication bypass flaws, Cisco warns, could be combined with CVE-2023-34317, an improper input validation bug in the user creation functionality, to add “a user with the username field containing an SSH key” and thereby gain access to the underlying system.
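The input-validation weakness behind CVE-2023-34317, as the article describes it, is that a username field will accept SSH public key material. The following added example (not OAS code, and not based on the vendor’s fix) shows the two defensive checks a practitioner would want for that class of bug: a username validator that rejects values containing an OpenSSH public key or characters outside a conservative allow-list, and a scanner that applies the same validator to user-creation events in an audit log. The log line format (`action=create_user user="..."`) and the sample lines are constructed for illustration; the OAS engine’s real log format is not described on the page.

```python
import re
from typing import List, Tuple

# OpenSSH public key type identifiers as they appear at the start of a key line.
SSH_KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

# A key type followed by a base64 blob; every OpenSSH key blob starts with "AAAA"
# because the wire format begins with a 4-byte length prefix.
SSH_KEY_RE = re.compile(
    r"(?:^|\s)(" + "|".join(re.escape(t) for t in SSH_KEY_TYPES) + r")\s+AAAA[0-9A-Za-z+/]+=*"
)

# Conservative username allow-list: no whitespace, no quotes, bounded length.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def looks_like_ssh_key(value: str) -> bool:
    """True if the value embeds something shaped like an OpenSSH public key."""
    return SSH_KEY_RE.search(value) is not None


def validate_username(value: str) -> Tuple[bool, str]:
    """Return (accepted, reason). Reject key material first so the reason is specific."""
    if looks_like_ssh_key(value):
        return False, "username contains SSH public key material"
    if not USERNAME_RE.fullmatch(value):
        return False, "username must be 1-64 characters from [A-Za-z0-9._-]"
    return True, "ok"


# Constructed sample audit lines in a hypothetical "key=value" format.
SAMPLE_LOG = [
    '2023-10-04T12:00:01Z action=create_user user="alice"',
    '2023-10-04T12:00:05Z action=login user="alice"',
    '2023-10-04T12:00:09Z action=create_user user="ssh-ed25519 '
    'AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTestOnly0000 attacker@example"',
    '2023-10-04T12:00:13Z action=create_user user="bob smith"',
]

CREATE_USER_RE = re.compile(r'action=create_user\s+user="([^"]*)"')


def find_suspicious_user_creations(lines: List[str]) -> List[Tuple[str, str]]:
    """Apply the username validator to every create_user event in the log.

    Returns (truncated username, reason) for each event that would have been
    rejected, so a detection pipeline can alert on the same rule the input
    validation enforces.
    """
    findings = []
    for line in lines:
        match = CREATE_USER_RE.search(line)
        if not match:
            continue
        username = match.group(1)
        accepted, reason = validate_username(username)
        if not accepted:
            findings.append((username[:40], reason))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_user_creations(SAMPLE_LOG):
        print(f"suspicious create_user: {user!r}: {reason}")
```

The same validator serves both purposes: in the application it rejects the request at creation time, and in the SOC it replays over historical user-creation events to find accounts that were added before the fix was applied.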
Another high-severity authentication bypass, CVE-2023-34353, allows an attacker to perform network sniffing to capture the protobuf containing admin credentials and then decrypt sensitive information.
Two of the remaining vulnerabilities could lead to information disclosure, while the other two may be exploited for arbitrary file creation or overwrite and for arbitrary directory creation.
All issues were identified in OAS Platform version 18 and were addressed with the release of version 19.00.0000 of the solution.