Threat Advisory

Critical Security Vulnerabilities in Open Automation Software's OAS Platform

Threat: Vulnerability
Criticality: High

Summary:

Researchers recently disclosed eight vulnerabilities in the engine configuration functionality of Open Automation Software's OAS Platform, which is commonly used in industrial and enterprise environments. The following CVEs have been identified in OAS Platform v18.00.0072:

• CVE-2023-35124: This vulnerability involves an information disclosure issue in the OAS Engine configuration management functionality. Attackers can trigger it by sending a specific series of network requests, leading to the exposure of sensitive information.

• CVE-2023-34353: An authentication bypass vulnerability exists in the OAS Engine authentication functionality. By sniffing network traffic, attackers can decrypt sensitive information, potentially compromising the system's security.

• CVE-2023-32271: Similar to CVE-2023-35124, this vulnerability also pertains to information disclosure within the OAS Engine configuration management functionality, triggered by a crafted series of network requests.

• CVE-2023-31242: This vulnerability involves an authentication bypass within the OAS Engine functionality. Attackers can achieve arbitrary authentication by sending a sequence of network requests.

• CVE-2023-34998: Another authentication bypass vulnerability exists in the OAS Engine functionality. It allows arbitrary authentication through specially crafted network requests or by sniffing network traffic.

• CVE-2023-34317: An improper input validation vulnerability exists in the OAS Engine User Creation functionality. Attackers can manipulate network requests to introduce unexpected data into the configuration.

• CVE-2023-32615: This vulnerability concerns a file write issue in the OAS Engine configuration functionality. Attackers can create or overwrite arbitrary files by sending a specific sequence of network requests.

• CVE-2023-34994: An improper resource allocation vulnerability is present in the OAS Engine configuration management functionality. Attackers can create arbitrary directories through a crafted series of network requests.

These vulnerabilities collectively pose significant security risks to the OAS Platform v18.00.0072 and should be addressed promptly to ensure system integrity and data protection.

Recommendations:

We strongly recommend you update Open Automation Software OAS Platform to version V19.
• Download from here: https://openautomationsoftware.com/downloads/releases/

References:

The following reports contain further technical details:
https://blog.talosintelligence.com/eight-vulnerabilities-in-open-automation/
