Open Automation Software plugs holes in industrial platform

Default user restricted.

The industrial data exchange platform Open Automation Software (OAS) issued a suite of security patches over the weekend.

The widely-deployed OAS provides data connectors between different vendors’ industrial systems, and also offers connectors and programmatic interfaces to upstream IT systems.

Announcing the security update, the company says OAS now protects against unauthorised access and packet spoofing, and that the release includes updated encryption and “new client server handshaking for packet validation”.

The vulnerabilities were discovered by Cisco Talos, which published a detailed advisory last week.

The two most serious bugs are CVE-2022-26082 and CVE-2022-26833. The more severe of the pair, CVE-2022-26082, carries a Common Vulnerability Scoring System (CVSS) score of 9.8.

Talos’ advisory says: “A specially-crafted series of network requests can lead to remote code execution. An attacker can send a sequence of requests to trigger this vulnerability.”

“It is possible to upload an arbitrary file to any location permissible by the underlying user,” the advisory continues.

“By default these messages can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.”

The advisory for CVE-2022-26833 (CVSS score 9.4) explains that OAS ships with a REST API listening on TCP port 58725.

The API’s default user, which has a blank username and password, is enabled out of the box. Talos says an attacker can:

  • Read the existing configuration, usernames, and groups through use of the options, users, and security GET endpoints;
  • Create a new security group and user with greater permissions than the default user through use of the users and security POST endpoints; and
  • Change the port on which various OAS services listen through use of the options POST endpoint.

If an administrator can’t patch the system, Talos advises that the default user be “stripped of all permissions”.
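For sites that cannot patch immediately, the other obvious compensating control is to confirm that nothing outside the approved engineering network is reaching the two service ports the advisory names. The following is an added example, not code from OAS or Cisco Talos: it audits firewall connection logs for allowed connections to TCP/58725 (the REST API) and TCP/58727 (the protocol handler) from sources outside an approved subnet. The key=value log format, the approved subnet and the sample log lines are all constructed for illustration; only the port numbers and CVE identifiers come from the advisory text quoted above.

```python
"""Audit connection logs for exposure of the two OAS ports named in the Talos
advisory: TCP/58725 (REST API, CVE-2022-26833) and TCP/58727 (CVE-2022-26082).
Added example, not OAS or Talos code. The key=value log format, the approved
client subnet and the sample lines below are all constructed for illustration."""
import ipaddress
from collections import Counter

# Ports and descriptions as given in the advisory text quoted in the article.
OAS_PORTS = {
    58725: "REST API (CVE-2022-26833)",
    58727: "network protocol handler (CVE-2022-26082)",
}

# Constructed allowlist: the only subnet that should reach the OAS server.
APPROVED_CLIENTS = [ipaddress.ip_network("10.10.20.0/24")]

# Constructed sample firewall log (not a real OAS or firewall format).
SAMPLE_LOG = """\
ts=2022-06-20T01:02:03Z src=10.10.20.15 dst=10.10.5.8 dport=58725 proto=tcp action=allow
ts=2022-06-20T01:02:09Z src=203.0.113.44 dst=10.10.5.8 dport=58725 proto=tcp action=allow
ts=2022-06-20T01:02:10Z src=203.0.113.44 dst=10.10.5.8 dport=58727 proto=tcp action=allow
ts=2022-06-20T01:02:11Z src=203.0.113.44 dst=10.10.5.8 dport=58727 proto=tcp action=allow
ts=2022-06-20T01:03:00Z src=10.10.20.16 dst=10.10.5.8 dport=443 proto=tcp action=allow
ts=2022-06-20T01:03:05Z src=192.168.7.9 dst=10.10.5.8 dport=58725 proto=tcp action=deny
malformed line with no fields
"""


def parse_line(line):
    """Parse one key=value log line into a dict; return None for lines that lack
    the fields the audit needs or carry a non-numeric port / invalid address."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    try:
        return {
            "src": ipaddress.ip_address(fields["src"]),
            "dport": int(fields["dport"]),
            "proto": fields.get("proto", "tcp").lower(),
            "action": fields.get("action", "allow").lower(),
        }
    except (KeyError, ValueError):
        return None


def is_approved(addr, approved=APPROVED_CLIENTS):
    """True when the source address falls inside one of the approved subnets."""
    return any(addr in net for net in approved)


def audit_oas_exposure(log_text, approved=APPROVED_CLIENTS):
    """Return one finding per (source, port) pair where a client outside the
    approved subnets successfully connected (action=allow) to an OAS port.
    Denied connections are not findings: the firewall already did its job."""
    hits = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp" or rec["action"] != "allow":
            continue
        if rec["dport"] in OAS_PORTS and not is_approved(rec["src"], approved):
            hits[(str(rec["src"]), rec["dport"])] += 1
    return [
        {"src": src, "dport": port, "count": n, "service": OAS_PORTS[port]}
        for (src, port), n in sorted(hits.items())
    ]


if __name__ == "__main__":
    for f in audit_oas_exposure(SAMPLE_LOG):
        print(f"{f['src']} -> TCP/{f['dport']} ({f['service']}): "
              f"{f['count']} allowed connection(s)")
```

Run against the constructed sample, the script reports the single external host that was allowed through to both ports and ignores the approved engineering workstation and the connection the firewall already denied. In practice the allowlist and parser would be adapted to the site’s own firewall export, and any finding should be cross-checked against the REST API’s user list, since the advisory’s attack path starts with the blank-credential default user.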

Talos disclosed three lower-rated bugs in its advisory. 

Copyright © iTnews.com.au . All rights reserved.