Security researchers from cybersecurity firm Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software (OAS) Platform.
Vulnerabilities in the Open Automation Software Platform (CVE-2022-26082)
The vulnerabilities could be used in various attacks, including denial-of-service caused by improper authentication. The OAS platform aids the simplified data transfer between proprietary devices and applications (both software and hardware).
CVE-2022-26082 is one of the most severe issues, potentially allowing a threat actor to execute arbitrary code on the vulnerable device. The flaw has a severity score of 9.1 out of 10 according to the CVSS scale. The other vulnerability that scored high on the CVSS scale (9.4) is CVE-2022-26833, potentially leading to unauthenticated use of the REST API.
Two other flaws could enable threat actors to get hold of directory listing at any location with permissions by the user, which could be done by sending a specific network request. These vulnerabilities have been assigned CVE-2022-27169 and CVE-2022-26067.
The rest of the flaws include:
- CVE-2022-26077 – an information disclosure issue that could provide an attacker with a list of usernames and passwords;
- CVE-2022-26026 – a denial-of-service issue that could be triggered by a specially crafted network request;
- CVE-2022-26303 and CVE-2022-26043 – these could allow threat actors to make external configuration changes, such as creating a new security group on the platform and creating new user accounts in an arbitrary manner.
“Cisco Talos worked with Open Automation Software to ensure that these issues are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy,” the official advisory said. As an optional mitigation, users can ensure that proper network segmentation is in place.
Affected products should be updated immediately to Open Automation Software OAS Platform, version 16.00.0112.