Cisco disclosed eight vulnerabilities in the OAS platform’s engine configuration management functionality.
Three of the eight detected vulnerabilities were rated as high-severity.
The issues detected in OAS platform v18.00.0072 were addressed and, v19 was released.
Cisco's Talos security researchers have identified eight vulnerabilities in the Open Automation Software (OAS) Platform that can be exploited to bypass authentication, disclose sensitive information, and overwrite files. The OAS Platform is commonly used to facilitate communication and data transfer between servers, industrial control systems (ICS), IoT devices, and other hardware in industrial and enterprise settings.
The OAS Platform is widely deployed in industrial operations, enterprise environments, and cross-platform integrations. It plays a crucial role in facilitating communication and data exchange across various devices and systems, facilitating logging and notifications. The vulnerabilities pose a significant security risk, especially in environments where the OAS Platform is used for critical industrial and enterprise operations. Unauthorized access and data breaches can lead to operational disruptions and potentially compromise sensitive information.
Among the eight vulnerabilities, three are rated as high-severity. Cisco's Talos security researchers were responsible for discovering and disclosing these vulnerabilities. The most critical issues are CVE-2023-31242 and CVE-2023-34998, both of which are authentication bypass flaws. CVE-2023-31242 can be triggered through a sequence of requests, while CVE-2023-34998 can be exploited by sniffing network traffic. The identified vulnerabilities in the OAS Platform mainly revolve around authentication bypass, information disclosure, and file manipulation. Attackers could leverage these weaknesses to create new users, gain unauthorized access, decrypt sensitive information, and perform arbitrary file and directory actions.
These vulnerabilities essentially allow attackers to gain unauthorized access to the system by loading and saving configurations to a disk and installing them on other devices. The issues were identified in OAS Platform version 18 and have been addressed in the subsequent release, version 19.00.0000, highlighting the importance of keeping software up-to-date to mitigate security risks.
These issues stem from the fact that when the OAS engine is deployed, by default, no admin user is defined and no authentication is required to access functionality such as new user creation. Even if an admin user is created, the configuration must be stored prior to restarting the engine, or it will revert to its default state. An attacker can create a new user, save the changes, and thus gain access to the underlying system.
Also, the vulnerability enables an attacker to acquire a protobuf containing valid admin credentials and construct their own requests. The perpetrator could then again obtain access to the underlying system by utilizing the user creation and saving functionality. Cisco warns that these authentication bypass flaws could be combined with CVE-2023-34317, an improper input validation flaw in the user creation functionality, to gain access to the underlying system by adding ‘a user with the username field containing an SSH key.’
CVE-2023-34353 is another high-severity authentication bypass that allows an attacker to perform network snooping to acquire the protobuf containing admin credentials and then decrypt sensitive information. While two of the remaining vulnerabilities could result in information disclosure, the other two could be exploited to create or overwrite arbitrary files and create arbitrary directories.