IoT Security
Cisco | September 14, 2023
Cisco disclosed eight vulnerabilities in the OAS platform’s engine configuration management functionality.
Three of the eight detected vulnerabilities were rated as high-severity.
The issues detected in OAS Platform v18.00.0072 were addressed, and v19 was released.
Cisco's Talos security researchers have identified eight vulnerabilities in the Open Automation Software (OAS) Platform that can be exploited to bypass authentication, disclose sensitive information, and overwrite files. The OAS Platform is commonly used to facilitate communication and data transfer between servers, industrial control systems (ICS), IoT devices, and other hardware in industrial and enterprise settings.
The OAS Platform is widely deployed in industrial operations, enterprise environments, and cross-platform integrations. It plays a crucial role in communication and data exchange across various devices and systems, and it supports logging and notifications. The vulnerabilities pose a significant security risk, especially in environments where the OAS Platform is used for critical industrial and enterprise operations. Unauthorized access and data breaches can lead to operational disruptions and potentially compromise sensitive information.
Among the eight vulnerabilities, three are rated as high-severity. Cisco's Talos security researchers were responsible for discovering and disclosing these vulnerabilities. The most critical issues are CVE-2023-31242 and CVE-2023-34998, both of which are authentication bypass flaws. CVE-2023-31242 can be triggered through a sequence of requests, while CVE-2023-34998 can be exploited by sniffing network traffic. The identified vulnerabilities in the OAS Platform mainly revolve around authentication bypass, information disclosure, and file manipulation. Attackers could leverage these weaknesses to create new users, gain unauthorized access, decrypt sensitive information, and perform arbitrary file and directory actions.
These vulnerabilities essentially allow attackers to gain unauthorized access to the system by loading and saving configurations to a disk and installing them on other devices. The issues were identified in OAS Platform version 18 and have been addressed in the subsequent release, version 19.00.0000, highlighting the importance of keeping software up-to-date to mitigate security risks.
These issues stem from the fact that when the OAS engine is deployed, by default, no admin user is defined and no authentication is required to access functionality such as new user creation. Even if an admin user is created, the configuration must be stored prior to restarting the engine, or it will revert to its default state. An attacker can create a new user, save the changes, and thus gain access to the underlying system.
Also, the vulnerability enables an attacker to acquire a protobuf containing valid admin credentials and construct their own requests. The perpetrator could then again obtain access to the underlying system by utilizing the user creation and saving functionality. Cisco warns that these authentication bypass flaws could be combined with CVE-2023-34317, an improper input validation flaw in the user creation functionality, to gain access to the underlying system by adding ‘a user with the username field containing an SSH key.’
CVE-2023-34353 is another high-severity authentication bypass that allows an attacker to perform network snooping to acquire the protobuf containing admin credentials and then decrypt sensitive information. While two of the remaining vulnerabilities could result in information disclosure, the other two could be exploited to create or overwrite arbitrary files and create arbitrary directories.
Platforms
Claranova | November 30, 2021
Sodexo, the world leader in Quality of Life services, and myDevices, Claranova group’s (Paris:CLA) Internet of Things (IoT) division, are pleased to announce a global partnership that enables Sodexo to quickly deploy a wide variety of sensor solutions to its end customers. Sodexo, a Fortune 500 company with a presence in 56 countries, is a leading provider of integrated food, facilities management and other services that enhance organizational performance, contribute to local communities and improve quality of life for millions of customers in corporate, manufacturing, education, healthcare, senior living, sports and leisure, government and other environments daily. myDevices unblocks IoT, empowering managed services providers, system integrators, ISVs, and carriers to quickly deploy hundreds of IoT sensor solutions into any industry vertical, including hospitality, manufacturing, office environment, healthcare, education, food services, and more.
Together Sodexo and myDevices are using IoT to automate processes in a facility to impact service delivery positively. Using the latest technology to gather meaningful data helps Sodexo engage in actions that benefit occupants – from faster response to less downtime leading to increased satisfaction. Leveraging sensor data technology demonstrates Sodexo's commitment to improving facilities' staffing and operations. myDevices supports implementation by the use of their horizontal platform, providing facility teams greater control over monitored areas. Utilizing IoT for standard service delivery models in Facility Management will improve building operations and provide an exceptional occupant experience.
As every industry has experienced accelerated change in the past year, organizations are working to bridge the gap between virtual and physical workspaces while continually optimizing their operations. Sodexo has partnered with myDevices to enhance Sodexo's Vital Spaces to provide solutions that meet and exceed today – and tomorrow’s – work life demands and help reach business goals.
“Sodexo provides services to a wide range of customers that require occupancy sensors, automated people counting, electric submetering, temperature monitoring, asset condition monitoring, air quality monitoring, asset tracking and many other sensor solutions,” says William Keys MSM, Director of FM Technology Development and Innovation. “Through a single integration with myDevices, Sodexo can now easily procure hardware from hundreds of manufacturers, alongside its own in-house occupancy solutions provided by WX Solutions, deploy pre-provisioned solutions, and consolidate normalized sensor data into our back-end platforms to gather insights, improve workflows, generate work tickets and increase overall customer satisfaction.”
“We are proud to partner with Sodexo to accelerate and augment the digitization of key facility and food services. The combination of Sodexo’s world class managed services and myDevices’ Horizontal IoT offering is a perfect combination to accelerate IoT deployments in universities, office buildings, healthcare, stadiums, and other large facilities.”
Pierre Cesarini CEO of Claranova
Sodexo’s new and existing customers now have access to these sensors and solutions for their services and facilities.
About Sodexo
Founded in Marseille in 1966 by Pierre Bellon, Sodexo is the global leader in services that improve Quality of Life, an essential factor in individual and organizational performance. Operating in 56 countries, Sodexo serves 100 million consumers each day through its unique combination of On-site Services, Benefits & Rewards Services and Personal & Home Services. Sodexo provides clients an integrated offering developed over more than 50 years of experience: from food-services, reception, maintenance and cleaning, to facilities and equipment management; from services and programs fostering employees’ engagement to solutions that simplify and optimize their mobility and expenses management, to in-home assistance, childcare centers and concierge services. Sodexo’s success and performance are founded on its independence, its sustainable business model and its ability to continuously develop and engage its 412,000 employees throughout the world.
Sodexo is included in the CAC Next 20, CAC 40 ESG, FTSE 4 Good and DJSI indices.
Key figures:
17.4 billion euro Fiscal 2021 consolidated revenues
412 000 employees as at August 31, 2021
#1 France-based private employer worldwide
56 countries
100 million consumers served daily
11.5 billion euro in market capitalization (as at October 26, 2021)
About Claranova
As a diversified global technology company, Claranova manages and coordinates a portfolio of majority interests in digital companies with strong growth potential. Supported by a team combining several decades of experience in the world of technology, Claranova has acquired a unique know-how in successfully turning around, creating and developing innovative companies. With average annual growth of more than 40% over the last three years and revenue of €472 million in FY 2020-2021, Claranova has proven its capacity to turn a simple idea into a worldwide success in just a few short years. Present in 15 countries and leveraging the technology expertise of nearly 800 employees across North America and Europe, Claranova is a truly international company, with 95% of its revenue derived from international markets.
Claranova’s portfolio of companies is organized into three unique technology platforms operating in all major digital sectors. As a leader in personalized e-commerce, Claranova also stands out for its technological expertise in software publishing and the Internet of Things, through its businesses PlanetArt, Avanquest and myDevices. These three technology platforms share a common vision: empowering people through innovation by providing simple and intuitive digital solutions that facilitate everyday access to the very best of technology.
Devices
Maya Labs | November 02, 2021
Maya Labs, a social initiative technology company that provides self-serve financial services infrastructure for under-served communities in the U.S and abroad, announced a strategic services partnership today with Burroughs, North America's largest independent services provider for full lifecycle management of cash automation, self-service, IoT, and other field deployed technology.
The partnership enables deployment of innovative consumer financial services via Maya's Self-Service "Smart ATM" using a Device-as-a-Service (DaaS) subscription model. The solution features Maya's Smart ATM Platform with industry leading apps including remittance, check-cashing, ATM, Bill-Pay, cellular reload and more for cash paying consumers with a predictable monthly rate. The DaaS model eliminates up-front and maintenance-related capital expenses, enabling immediate positive return on investment with 24/7 access, simple and easy UI, $0 labor expense, secure 100% accurate cash handling combined with increased foot traffic. Everything is included - making a self-service in-person turnkey bill-payment technology best-in-class customer experience - attainable virtually anywhere.
Maya Labs provides branded and private label money service business solutions via a Self-Service Smart ATM. The Maya Smart ATM delivers financial service apps from best-in-class financial service providers serving cash-preferred communities. Maya allows customers to facilitate a variety of transaction types including cash-based money transfers, bill payments, check cashing, cell phone reloads, and Bitcoin. Essentially, the Maya platform is an industrial grade smartphone that accepts and dispenses cash, enabling an infinite number of possibilities for customers, partners, developers and the communities they serve.
"Burroughs has a 135-year history of helping their customers advance their cash management operations through innovation and service excellence. This partnership allows us to bring an alternative self-service solution to market while partnering with a trusted services leader like Burroughs."
Chief Business Officer Peter Kelly, Maya Labs
"We are very excited to be partnering with Maya Labs in their work to enhance financial services to under-served communities and address the growing consumer preference for a self-service experience. Their disruptive, scalable, and innovative solution combined with Burroughs' technology expertise and comprehensive service coverage will enable fast deployment, market-leading device up-time, delivered through an existing, proven, digital-first services model that will ensure an optimized customer experience," said Anson Martin, Burroughs CEO.
About Maya Labs
Maya is a social initiative technology company that provides branded and private label financial services infrastructure for under-served communities in the U.S and abroad. Maya provides fast, convenient, and low-cost financial services via a Platform as a Service model with a self-service kiosk that allows people to cash checks, pay virtually any bill via CheckFreePay in the US (e.g., utility), transfer money to 200,000 international pick-up locations via Sigue, buy Bitcoin via Digital Mint and purchase mobile airtime. The company supports all compliance and regulatory aspects of the service, offering retailers a complete turnkey solution to reduce operating costs and increase foot traffic.
About Burroughs
Burroughs is the largest independent services provider in North America for the full lifecycle management of cash automation, self-service, IoT, and other technology investments. Burroughs has a 135-year history of helping customers advance their operations through a digital-first approach supported by innovation, collaboration, agility, service excellence, and investment in our people.