Open Automation Software plugs holes in industrial platform

Default user restricted.

The industrial data exchange platform Open Automation Software (OAS) issued a suite of security patches over the weekend.

The widely-deployed OAS provides data connectors between different vendors’ industrial systems, as well as providing both connectors and programmatic interfaces for upstream IT systems.

Announcing its security update, the organisation says OAS is now protecting against unauthorised access and packet spoofing, and includes updated encryption and “new client server handshaking for packet validation”.

The vulnerabilities were discovered by Cisco Talos, which published a detailed advisory last week.

The two most serious bugs are CVE-2022-26082 and CVE-2022-26833.

The most serious bug is CVE-2022-26082, with a Common Vulnerability Scoring System score of 9.8.

Talos’ advisory says: “A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.”

“It is possible to upload an arbitrary file to any location permissible by the underlying user,” the advisory continues.

“By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.”

The advisory for CVE-2022-26833 (CVSS score 9.4) explains that OAS ships with a REST API on port 58725.

A default user of the API, with blank username and password, is enabled out of the box. Talos says an attacker can: 

  • Read the existing configuration, usernames, and groups through use of the options, users, and security GET endpoints;
  • Create a new security group and user with greater permissions than the default user through use of the users and security POST endpoints; and
  • Change the port on which various OAS services listen through use of the options POST endpoint.
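The two service ports quoted from the Talos advisory above (TCP/58725 for the REST API and TCP/58727 for the packet interface) are a natural detection point while a site works through patching. The script below is an added example, not code from the article, from Talos or from Open Automation Software: it reads connection-log lines and flags any TCP connection to an OAS port from a host outside an engineering allowlist. The key=value log format, the allowlist subnet (10.20.0.0/24) and the sample log lines are all constructed for the example.

```python
"""Flag connections to OAS service ports from hosts outside an engineering allowlist.

Added example (not from the article, Talos or OAS). The log format, the
allowlist subnet and the sample records below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Service ports quoted from the Talos advisory in the article.
OAS_PORTS = {
    58725: "OAS REST API (CVE-2022-26833)",
    58727: "OAS packet service (CVE-2022-26082)",
}

# Constructed allowlist: subnets whose hosts legitimately talk to OAS.
ENGINEERING_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed key=value connection-record format (assumption, not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    service: str


def parse_line(line: str) -> Optional[dict]:
    """Return the record fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_allowed_source(src: str) -> bool:
    """True only if src parses as an IP address inside an allowlisted subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in ENGINEERING_NETS)


def audit(lines: Iterable[str]) -> list[Finding]:
    """Return one Finding per TCP connection to an OAS port from a non-allowlisted host."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue  # malformed or non-TCP records are ignored
        service = OAS_PORTS.get(rec["dport"])
        if service is None:
            continue  # not an OAS port
        if is_allowed_source(rec["src"]):
            continue  # expected engineering traffic
        findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"], service))
    return findings


# Constructed sample records: two allowlisted hosts, two outside hosts, one junk line.
SAMPLE_LOG = """\
2022-06-06T08:00:01Z src=10.20.0.15 dst=10.20.1.5 dport=58725 proto=tcp
2022-06-06T08:00:07Z src=192.168.77.4 dst=10.20.1.5 dport=58727 proto=tcp
2022-06-06T08:00:09Z src=192.168.77.4 dst=10.20.1.5 dport=443 proto=tcp
2022-06-06T08:00:12Z src=172.16.9.9 dst=10.20.1.5 dport=58725 proto=tcp
this line is not a connection record
2022-06-06T08:00:20Z src=10.20.0.40 dst=10.20.1.5 dport=58727 proto=tcp
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({f.service})")
```

Run against the constructed sample, the script reports the two connections from 192.168.77.4 and 172.16.9.9 to the OAS ports and stays silent on the allowlisted hosts and the unrelated port 443 connection. Pointing it at real flow records only needs the regular expression and the allowlist adjusted to the site's own format and subnets.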

If an administrator can’t patch the system, Talos advises that the default user be “stripped of all permissions”.

Talos disclosed three lower-rated bugs in its advisory. 

Copyright © iTnews.com.au . All rights reserved.