Home > News > Top Stories > 8 Vulnerabilities in OAS Platform for IoT Data, Detected by Cisco

IoT Security

8 Vulnerabilities in OAS Platform for IoT Data, Detected by Cisco

8 Vulnerabilities Detected by Cisco in OAS Industrial Platform

  • Cisco disclosed eight vulnerabilities in the OAS platform’s engine configuration management functionality.

  • Three of the eight detected vulnerabilities were rated as high-severity.

  • The issues detected in OAS platform v18.00.0072 were addressed and, v19 was released.

Cisco's Talos security researchers have identified eight vulnerabilities in the Open Automation Software (OAS) Platform that can be exploited to bypass authentication, disclose sensitive information, and overwrite files. The OAS Platform is commonly used to facilitate communication and data transfer between servers, industrial control systems (ICS), IoT devices, and other hardware in industrial and enterprise settings.

The OAS Platform is widely deployed in industrial operations, enterprise environments, and cross-platform integrations. It plays a crucial role in facilitating communication and data exchange across various devices and systems, facilitating logging and notifications. The vulnerabilities pose a significant security risk, especially in environments where the OAS Platform is used for critical industrial and enterprise operations. Unauthorized access and data breaches can lead to operational disruptions and potentially compromise sensitive information.

Among the eight vulnerabilities, three are rated as high-severity. Cisco's Talos security researchers were responsible for discovering and disclosing these vulnerabilities. The most critical issues are CVE-2023-31242 and CVE-2023-34998, both of which are authentication bypass flaws. CVE-2023-31242 can be triggered through a sequence of requests, while CVE-2023-34998 can be exploited by sniffing network traffic. The identified vulnerabilities in the OAS Platform mainly revolve around authentication bypass, information disclosure, and file manipulation. Attackers could leverage these weaknesses to create new users, gain unauthorized access, decrypt sensitive information, and perform arbitrary file and directory actions.

These vulnerabilities essentially allow attackers to gain unauthorized access to the system by loading and saving configurations to a disk and installing them on other devices. The issues were identified in OAS Platform version 18 and have been addressed in the subsequent release, version 19.00.0000, highlighting the importance of keeping software up-to-date to mitigate security risks.

These issues stem from the fact that when the OAS engine is deployed, by default, no admin user is defined and no authentication is required to access functionality such as new user creation. Even if an admin user is created, the configuration must be stored prior to restarting the engine, or it will revert to its default state. An attacker can create a new user, save the changes, and thus gain access to the underlying system.

Also, the vulnerability enables an attacker to acquire a protobuf containing valid admin credentials and construct their own requests. The perpetrator could then again obtain access to the underlying system by utilizing the user creation and saving functionality. Cisco warns that these authentication bypass flaws could be combined with CVE-2023-34317, an improper input validation flaw in the user creation functionality, to gain access to the underlying system by adding ‘a user with the username field containing an SSH key.’

CVE-2023-34353 is another high-severity authentication bypass that allows an attacker to perform network snooping to acquire the protobuf containing admin credentials and then decrypt sensitive information. While two of the remaining vulnerabilities could result in information disclosure, the other two could be exploited to create or overwrite arbitrary files and create arbitrary directories.

Spotlight

More featured news

Spotlight

Related News

Enterprise Iot

Lexmark Named 2023 Managed Print Services Leader by Quocirca

PR Newswire | October 06, 2023

Lexmark, a global imaging and IoT solutions leader, today announced it has again been named a leader in Managed Print Services (MPS) by global print and market insight research firm Quocirca. This is the 11th consecutive year in which Lexmark has earned this recognition. In its Managed Print Services Market Landscape 2023 report, Quocirca highlights Lexmark's industry expertise, deep sustainability focus, and comprehensive security approach. It also recognizes Lexmark's small and medium businesses (SMB) MPS offering which was expanded in February 2023 with the launch of MPS Express, a solution for SMBs to streamline their document management processes and free them from day-to-day printer management. Quocirca Director Louella Fernandes said, "Lexmark has a strong heritage in global MPS delivery, particularly excelling in supporting distributed print environments. Its deep vertical industry expertise, mature sustainability focus and comprehensive security approach differentiate Lexmark and ensure its position as an industry leader." In naming Lexmark a market leader, the report recognizes Lexmark's: Mature predictive analytics expertise which leverages artificial intelligence and machine learning technologies to support its sensor monitoring and predictive algorithms. Security-led MPS approach which goes beyond the device, providing customers with a deep understanding of print network security. Smart Refresh lifecycle management program, which uses performance and usage data to reduce waste by only replacing printers and MFPs at the end of their lifecycle. Portfolio of cloud solutions and services, including Cloud Bridge technology which enables many devices and fleet environments to simply, securely and flexibly connect to Lexmark cloud infrastructure. Workflow automation partnerships which form the Lexmark MPS alliance ecosystem, enabling customers to leverage solutions to simplify device management and streamline productivity and output environment from a single source. Recently expanded MPS offerings for the SMB market. Quocirca reports that MPS customers expect strong expertise across cybersecurity, cloud offerings and sustainability, and finds Lexmark well positioned to provide all three. Being recognized once again as a global MPS leader by Quocirca validates our efforts to provide our customers with industry leading technologies and services, said Melanie Hudson, Senior Vice President and Chief Commercial Officer, Lexmark. This year Quocirca has also recognized Lexmark as a leader in its Global Print Security Vendor Landscape report and Cloud Print Services Market Landscape.

Read More

Devices

Keysight, Synopsys Collaborate to Offer Cybersecurity to IoT Devices

Keysight Technologies | September 22, 2023

Keysight Technologies collaborates with Synopsys to offer IoT device manufacturers a comprehensive cybersecurity assessment solution. Synopsys' Defensics fuzzing tool will be integrated into the Keysight IoT Security Assessment solution. The partnership aims to enhance IoT device security as the market experiences rising cybersecurity threats. Keysight Technologies, a leading company providing design, emulation, and test solutions, and Synopsys are joining forces to provide a robust cybersecurity assessment solution for IoT device manufacturers, ensuring the security of devices before they reach the market. In this collaborative effort, Synopsys' Defensics fuzzing tool will be integrated into the Keysight IoT Security Assessment solution. Keysight Technologies serves various markets, including communications, industrial automation, aerospace and defense, automotive, semiconductor, and general electronics, by enabling innovation and connectivity. The addition of Synopsys' Defensics to the Keysight IoT Security Assessment solution provides a comprehensive toolset for assessing device security. It combines known vulnerability assessments with a versatile fuzzer capable of analyzing over 300 technology protocols used across diverse industries. This enables rapid testing for unknown vulnerabilities and weaknesses. The solution detects security flaws while identifying potential exploits arising from weak authentication and encryption, expired certificates, android vulnerabilities, protocol stack flaws, and common vulnerabilities and exposures (CVEs), including Bluetooth Low Energy attacks like Sweyntooth and Braktooth. The global IoT device market is witnessing substantial growth and is projected to reach a market value of $413.7 billion by 2031. Whereas, the vulnerabilities of IoT devices make them prime targets for cyberattacks, with 57% of these devices at risk of medium or high-severity attacks, as reported by Palo Alto Networks IoT Threat Report. Ram Periakaruppan, Vice President and General Manager of Network Test and Security Solutions at Keysight, stressed that securing IoT devices has become increasingly challenging for manufacturers. By partnering with Synopsys and integrating their fuzzing tool, Keysight offers a unified security testing solution that identifies previously unknown protocol stack vulnerabilities while assessing devices for known threats, all through a single, user-friendly interface. Keysight's IoT Security Assessment solution simplifies and economizes IoT device testing, making it easier for manufacturers to meet the new White House Cyber Trust Mark certification when it becomes available. This turnkey cybersecurity certification platform offers automated validation through a user-friendly interface, allowing device makers to expedite the launch of new IoT products without the need for an extensive team of cybersecurity experts. Scott Johnson, Vice President of Product Management at Synopsys Software Integrity Group, emphasized the critical nature of security testing for IoT devices. He highlighted that their collaboration with Keysight will provide customers with a comprehensive solution that combines hardware and Defensics fuzz testing software for automated IoT security testing. This partnership comes at a crucial time when IoT device security is paramount, given the escalating demand for new devices and functionalities.

Read More

Enterprise Iot

GlobalFoundries® and Microchip Announce Microchip’s 28-nm SuperFlash® Embedded Flash Memory Solution in Production

GlobeNewswire | October 04, 2023

GlobalFoundries (GF®) (Nasdaq: GFS) and Microchip Technology (Nasdaq: MCHP), via Microchip’s Silicon Storage Technology® (SST®) subsidiary, today announces the immediate release to production of the SST ESF3 third-generation embedded SuperFlash technology NVM solution in the GF 28SLPe foundry process. GF has established a new industry benchmark for implementing SST’s widely deployed ESF3 SuperFlash technology. This implementation delivers the following capabilities and benefits: Lowest cost 28-nm HKMG ESF3 solution with only 10 masks added, including true 5V IO CMOS devices Highly competitive SST ESF3 bit cell size of less than 0.05 micron squared Operating temperature rating of −40°C to 125°C Sub-25 nanosecond (ns) read access times, 10-microsecond program times and four millisecond erase times Endurance exceeding 100,000 program/erase cycles No impact to design flows using GF 28SLPe platform-qualified IP (EG flow) Immediate availability of off-the-shelf macros from four megabits (Mb) to 32 Mb Access to custom macro design support from SST or GF Use cases for embedded flash are exploding with the drive for increased intelligence at the edge. Embedded memory for secure code storage, over-the-air-updates and enhanced functionality is on the rise in a wide range of applications in home and industrial IoT as well as smart mobile devices. Innovative platforms are required to meet these needs. GF is proud to partner with SST to develop, qualify and release to production this impressive embedded NVM solution on our robust 28SLPe platform, said Mike Hogan, chief business unit officer at GF. GF’s customers are finding this combination of high performance, excellent reliability, IP availability and cost effectiveness to be ideal for advanced MCUs, complex smart cards and IoT chips for consumer and industrial products. “SST and GF have partnered closely over the last decade to integrate and productize SST’s industry-standard ESF1 and ESF3 embedded Flash technologies into GF’s 130-nm BCD, 55-nm, 40-nm, and now 28-nm foundry platforms,” added Mark Reiten, vice president of SST, Microchip’s licensing business unit. “We are excited by the leadership position GF is establishing for the broadest offering of embedded NVM solutions and expect our close partnership to deliver additional breakthroughs over the coming decade.” SST is exhibiting its embedded Flash technology in the IP partner area during today’s GF GTS Summit in Munich. Customers interested in GF’s ESF1 and ESF3 platform solutions should access the GF website located at www.gf.com/technology-platforms and contact the company for more information at www.gf.com/about-us/contact-us. Customers interested in SST’s ESF1, ESF3 or SuperFlash® technology memBrain™ neuromorphic memory solution IP offerings should contact info@sst.com or the appropriate regional contact listed on the SST website.

Read More

Enterprise Iot

Lexmark Named 2023 Managed Print Services Leader by Quocirca

PR Newswire | October 06, 2023

Lexmark, a global imaging and IoT solutions leader, today announced it has again been named a leader in Managed Print Services (MPS) by global print and market insight research firm Quocirca. This is the 11th consecutive year in which Lexmark has earned this recognition. In its Managed Print Services Market Landscape 2023 report, Quocirca highlights Lexmark's industry expertise, deep sustainability focus, and comprehensive security approach. It also recognizes Lexmark's small and medium businesses (SMB) MPS offering which was expanded in February 2023 with the launch of MPS Express, a solution for SMBs to streamline their document management processes and free them from day-to-day printer management. Quocirca Director Louella Fernandes said, "Lexmark has a strong heritage in global MPS delivery, particularly excelling in supporting distributed print environments. Its deep vertical industry expertise, mature sustainability focus and comprehensive security approach differentiate Lexmark and ensure its position as an industry leader." In naming Lexmark a market leader, the report recognizes Lexmark's: Mature predictive analytics expertise which leverages artificial intelligence and machine learning technologies to support its sensor monitoring and predictive algorithms. Security-led MPS approach which goes beyond the device, providing customers with a deep understanding of print network security. Smart Refresh lifecycle management program, which uses performance and usage data to reduce waste by only replacing printers and MFPs at the end of their lifecycle. Portfolio of cloud solutions and services, including Cloud Bridge technology which enables many devices and fleet environments to simply, securely and flexibly connect to Lexmark cloud infrastructure. Workflow automation partnerships which form the Lexmark MPS alliance ecosystem, enabling customers to leverage solutions to simplify device management and streamline productivity and output environment from a single source. Recently expanded MPS offerings for the SMB market. Quocirca reports that MPS customers expect strong expertise across cybersecurity, cloud offerings and sustainability, and finds Lexmark well positioned to provide all three. Being recognized once again as a global MPS leader by Quocirca validates our efforts to provide our customers with industry leading technologies and services, said Melanie Hudson, Senior Vice President and Chief Commercial Officer, Lexmark. This year Quocirca has also recognized Lexmark as a leader in its Global Print Security Vendor Landscape report and Cloud Print Services Market Landscape.

Read More

Devices

Keysight, Synopsys Collaborate to Offer Cybersecurity to IoT Devices

Keysight Technologies | September 22, 2023

Keysight Technologies collaborates with Synopsys to offer IoT device manufacturers a comprehensive cybersecurity assessment solution. Synopsys' Defensics fuzzing tool will be integrated into the Keysight IoT Security Assessment solution. The partnership aims to enhance IoT device security as the market experiences rising cybersecurity threats. Keysight Technologies, a leading company providing design, emulation, and test solutions, and Synopsys are joining forces to provide a robust cybersecurity assessment solution for IoT device manufacturers, ensuring the security of devices before they reach the market. In this collaborative effort, Synopsys' Defensics fuzzing tool will be integrated into the Keysight IoT Security Assessment solution. Keysight Technologies serves various markets, including communications, industrial automation, aerospace and defense, automotive, semiconductor, and general electronics, by enabling innovation and connectivity. The addition of Synopsys' Defensics to the Keysight IoT Security Assessment solution provides a comprehensive toolset for assessing device security. It combines known vulnerability assessments with a versatile fuzzer capable of analyzing over 300 technology protocols used across diverse industries. This enables rapid testing for unknown vulnerabilities and weaknesses. The solution detects security flaws while identifying potential exploits arising from weak authentication and encryption, expired certificates, android vulnerabilities, protocol stack flaws, and common vulnerabilities and exposures (CVEs), including Bluetooth Low Energy attacks like Sweyntooth and Braktooth. The global IoT device market is witnessing substantial growth and is projected to reach a market value of $413.7 billion by 2031. Whereas, the vulnerabilities of IoT devices make them prime targets for cyberattacks, with 57% of these devices at risk of medium or high-severity attacks, as reported by Palo Alto Networks IoT Threat Report. Ram Periakaruppan, Vice President and General Manager of Network Test and Security Solutions at Keysight, stressed that securing IoT devices has become increasingly challenging for manufacturers. By partnering with Synopsys and integrating their fuzzing tool, Keysight offers a unified security testing solution that identifies previously unknown protocol stack vulnerabilities while assessing devices for known threats, all through a single, user-friendly interface. Keysight's IoT Security Assessment solution simplifies and economizes IoT device testing, making it easier for manufacturers to meet the new White House Cyber Trust Mark certification when it becomes available. This turnkey cybersecurity certification platform offers automated validation through a user-friendly interface, allowing device makers to expedite the launch of new IoT products without the need for an extensive team of cybersecurity experts. Scott Johnson, Vice President of Product Management at Synopsys Software Integrity Group, emphasized the critical nature of security testing for IoT devices. He highlighted that their collaboration with Keysight will provide customers with a comprehensive solution that combines hardware and Defensics fuzz testing software for automated IoT security testing. This partnership comes at a crucial time when IoT device security is paramount, given the escalating demand for new devices and functionalities.

Read More

Enterprise Iot

GlobalFoundries® and Microchip Announce Microchip’s 28-nm SuperFlash® Embedded Flash Memory Solution in Production

GlobeNewswire | October 04, 2023

GlobalFoundries (GF®) (Nasdaq: GFS) and Microchip Technology (Nasdaq: MCHP), via Microchip’s Silicon Storage Technology® (SST®) subsidiary, today announces the immediate release to production of the SST ESF3 third-generation embedded SuperFlash technology NVM solution in the GF 28SLPe foundry process. GF has established a new industry benchmark for implementing SST’s widely deployed ESF3 SuperFlash technology. This implementation delivers the following capabilities and benefits: Lowest cost 28-nm HKMG ESF3 solution with only 10 masks added, including true 5V IO CMOS devices Highly competitive SST ESF3 bit cell size of less than 0.05 micron squared Operating temperature rating of −40°C to 125°C Sub-25 nanosecond (ns) read access times, 10-microsecond program times and four millisecond erase times Endurance exceeding 100,000 program/erase cycles No impact to design flows using GF 28SLPe platform-qualified IP (EG flow) Immediate availability of off-the-shelf macros from four megabits (Mb) to 32 Mb Access to custom macro design support from SST or GF Use cases for embedded flash are exploding with the drive for increased intelligence at the edge. Embedded memory for secure code storage, over-the-air-updates and enhanced functionality is on the rise in a wide range of applications in home and industrial IoT as well as smart mobile devices. Innovative platforms are required to meet these needs. GF is proud to partner with SST to develop, qualify and release to production this impressive embedded NVM solution on our robust 28SLPe platform, said Mike Hogan, chief business unit officer at GF. GF’s customers are finding this combination of high performance, excellent reliability, IP availability and cost effectiveness to be ideal for advanced MCUs, complex smart cards and IoT chips for consumer and industrial products. “SST and GF have partnered closely over the last decade to integrate and productize SST’s industry-standard ESF1 and ESF3 embedded Flash technologies into GF’s 130-nm BCD, 55-nm, 40-nm, and now 28-nm foundry platforms,” added Mark Reiten, vice president of SST, Microchip’s licensing business unit. “We are excited by the leadership position GF is establishing for the broadest offering of embedded NVM solutions and expect our close partnership to deliver additional breakthroughs over the coming decade.” SST is exhibiting its embedded Flash technology in the IP partner area during today’s GF GTS Summit in Munich. Customers interested in GF’s ESF1 and ESF3 platform solutions should access the GF website located at www.gf.com/technology-platforms and contact the company for more information at www.gf.com/about-us/contact-us. Customers interested in SST’s ESF1, ESF3 or SuperFlash® technology memBrain™ neuromorphic memory solution IP offerings should contact info@sst.com or the appropriate regional contact listed on the SST website.

Read More

More featured news