Critical issues in a popular platform used by Industrial Control Systems (ICS) that allow for unauthorised device access, Remote Code Execution (RCE) or denial of service (DoS) could threaten the security of critical infrastructure.
Cisco Talos discovered 8 vulnerabilities in the Open Automation Software, 2 of them critical, that pose risk for critical infrastructure networks.
Arbitrary Code
Researcher Jared Rittle of Cisco Talos discovered a total of 8 vulnerabilities, 2 of them critical in the Open Automation Software (OAS) Platform, the most serious of which allows an attacker to execute arbitrary code on a targeted machine, according to a blog post published this week. The issues affect Open Automation Software OAS Platform, version 16.00.0112.
OAS, offered by a company of the same name makes it easy to transfer data between proprietary devices & applications, including both software & hardware.
Critical Business Processes
At its core is what’s called a Universal Data Connector, which allows the “movement & transformation of data for critical business processes like machine learning, data mining, reporting & data visualisation,” according to the OAS website.
The OAS Platform is widely used in systems in which a range of different devices & software need to communicate, which is why it’s often found in ICS to connect industrial & IoT devices, SCADA systems, network points, & custom apps & APIs, among other software & hardware. Some companies using the platform include Intel, Mack Trucks, the US Navy, JBT AeroTech & Michelin.
Critical Infrastructure at Risk
The OAS Platform’s presence in these systems is why the flaws can be incredibly dangerous, observed 1 security professional, noting that these devices are often those responsible for the operation of highly sensitive processes involved in critical industries like utilities & manufacturing.
“An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities,” Chris Clements, VP of Solutions Architecture at security firm Cerberus Sentinel, wrote.
What can be especially dangerous in ICS attacks is that they may not be immediately obvious, which can make them hard to detect & allow them to inflict significant damage while operators are none the wiser, he stated.
Clements cited the now-infamous Stuxnet worm that propagated more than 10 years ago as an example of how much destruction an ICS threat can cause if it goes ‘under the radar.’
Stuxnet “was a case study on these risks, as it didn’t immediately break the industrial control devices it targeted but altered their function in such a way to cause critical industrial components to eventually catastrophically fail, all while falsely reporting back to monitoring systems that everything was operating normally,” he explained.
The Vulnerabilities
Of the issues in OAS discovered by Cisco Talos, the one with the most critical rating on the CVSS (9.4) is being tracked as CVE-2022-26833, or TALOS-2022-1513.
It’s an improper authentication flaw in the REST API in OAS which could allow an attacker to send a series of HTTP requests to gain unauthenticated use of the API, researchers outlined.
However, what’s being deemed by researchers as the most serious of the flaws earned a 9.1 rating on the CVSS & is being tracked as CVE-2022-26082, or TALOS-2022-1493.
High Severity
CVE-2022-26082 is a file write vulnerability in the OAS Engine SecureTransferFiles functionality that could allow an attacker to execute arbitrary code on the targeted machine through a specially crafted series of network requests.
The other vulnerabilities that Cisco Talos discovered earned ratings of high severity.
OAS Engine
The flaw that could lead to DoS is being tracked as CVE-2022-26026 or TALOS-2022-1491, & is found in the OAS Engine SecureConfigValues functionality of the platform. It can allow an attacker to create a specially crafted network request that can lead to loss of communications.
2 other vulnerabilities, CVE-2022-27169 or TALOS-2022-1494 & CVE-2022-26067 or TALOS-2022-1492, can allow an attacker to obtain a directory listing at any location permissible by the underlying user by sending a specific network request, researchers wrote.
Usernames & Passwords
Another information disclosure vulnerability tracked as CVE-2022-26077 or TALOS-2022-1490, works in the same way, researchers suggested. However, this flaw also provides the attacker with a list of usernames & passwords for the platform that could be used in future attacks, they explained.
The other 2 vulnerabilities could allow an attacker to make external configuration changes, including the ability to create a new security group and/or new user accounts arbitrarily on the platform. They are being tracked as CVE-2022-26303 or TALOS-2022-1488, & CVE-2022-26043 or TALOS-2022-1489.
Updates Urged
Cisco Talos worked with OAS to resolve the issues & urged those affected to update asap. Affected users also can mitigate the issues by ensuring that proper network segmentation is in place, which will give adversaries a low level of access to the network on which the OAS Platform communicates, researchers noted.
Although updating systems is the best way to protect against potential attacks when vulnerabilities exist, it’s not often a quick & easy task, especially for ICS operators, security experts noted.
Due to the nature of the systems, it’s an “immensely disruptive” task to take industrial systems offline, which is why ICS patches are often delayed for months or even years, Clements concluded.
