
OAS platform can lead to DoS & RCE attacks if critical flaws are not addressed

The Open Automation Software (OAS) platform was found vulnerable to critical RCE & API access flaws that, if not patched, can result in DoS, RCE attacks...

27-May-2022

Vulnerabilities in the Open Automation Software (OAS) platform have been reported by threat researchers, allowing device access, denial of service, and remote code execution.

Michelin, Volvo, Intel, JBT AeroTech, the United States Navy, Dart Oil and Gas, General Dynamics, AES Wind Generation, and many other high-profile industrial firms employ OAS.

As a result, platform vulnerabilities can put critical industrial sectors at risk of disruption and secret information leakage.

According to a Cisco Talos assessment, OAS platform versions 16.00.0112 and below are vulnerable to a number of high and critical severity flaws that might lead to devastating attacks.

CVE-2022-26833, the most serious of the lot, has a CVSS severity rating of 9.4 out of 10 and concerns unauthenticated access and usage of the REST API capability in OAS.

An attacker might exploit this vulnerability by sending a series of specially crafted HTTP requests to the vulnerable endpoints.

According to Cisco Talos, the REST API is intended to grant programmatic access to the "Default" user for configuration changes and data viewing; Talos researchers were able to authenticate as that user by submitting a request with a blank username and password.


A second critical vulnerability tracked as CVE-2022-26082, with a severity score of 9.1, is a file write vulnerability in the OAS Engine SecureTransferFiles module.

Cisco also noted that a specially crafted series of network requests sent to vulnerable endpoints can result in arbitrary remote code execution.

"It is possible to upload an arbitrary file to any place permissible by the underlying user by sending a sequence of correctly prepared setup messages to the OAS Platform. These messages can be sent to TCP/58727 by default, and if successful, will be handled by the user OAS with standard user permissions." - Cisco Talos

This allows a remote threat actor to upload a new authorized_keys file to the oas user's .ssh directory, after which the system can be accessed over SSH.
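As an added defensive example (not from the original article or from Cisco Talos), the check below audits an authorized_keys file, such as the one in the oas user's .ssh directory, against a baseline of approved key fingerprints and reports every entry that is not in it. The function names, the baseline set and the sample key lines are constructed assumptions.

```python
import base64
import binascii
import hashlib
import struct

def key_fingerprint(key_type, blob_b64):
    """SHA256 fingerprint in `ssh-keygen -lf` format, or None if the field is
    not a public-key blob whose embedded type string matches key_type."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])  # length of the type string
    except (binascii.Error, ValueError, struct.error):
        return None
    if blob[4:4 + n] != key_type.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, approved):
    """Return (line_no, fingerprint or None, line) for entries not approved."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        fp = None
        # Options such as command="..." may precede the key type, so try
        # each adjacent (type, blob) pair until one validates.
        for key_type, blob in zip(fields, fields[1:]):
            fp = key_fingerprint(key_type, blob)
            if fp:
                break
        if fp is None or fp not in approved:  # None marks an unparseable line
            findings.append((no, fp, line))
    return findings

def sample_line(seed, comment, options=""):
    """Constructed ed25519-shaped public key line (sample data, not a real key)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{options}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

if __name__ == "__main__":
    known = sample_line(1, "ops@jumphost")           # constructed baseline key
    baseline = {key_fingerprint(*known.split()[:2])}
    current = "\n".join(["# oas service account", known, sample_line(2, "unknown")])
    for no, fp, line in audit_authorized_keys(current, baseline):
        print(f"line {no}: {fp or 'UNPARSEABLE'} is not in the approved baseline")
```

Run it against the file's current contents with a baseline recorded while the host was known good; any finding on a service account that should accept no interactive logins warrants investigation.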

Cisco Talos also disclosed additional flaws rated high severity (CVSS: 7.5):

  • CVE-2022-27169: obtain directory listing via network requests
  • CVE-2022-26077: information disclosure targeting account credentials
  • CVE-2022-26026: denial of service and loss of data links
  • CVE-2022-26303 & CVE-2022-26043: external configuration changes and creation of new users and security groups

Cisco provides mitigation steps for each of the vulnerabilities, which include deactivating services and closing communication ports. If updating to a newer version of OAS is not an option, these offer a workaround at the cost of some functionality or convenience.

Otherwise, upgrading to a more recent version of the OAS platform is recommended. Fixes for the two serious issues outlined above were included in version 16.00.0.113, which was issued on May 22, 2022, as a security update.

Upgrade lags are to be expected in industrial contexts that use elaborate and extensive data networking systems, but in this situation, due to the seriousness of the reported faults, fast action is required.