Critical Flaws in Popular ICS Platform Can Trigger RCE

Cisco Talos discovered eight vulnerabilities in the Open Automation Software, two of them critical, that pose risk for critical infrastructure networks.

Critical flaws in a popular platform used by industrial control systems (ICS) that allow for unauthorized device access, remote code execution (RCE) or denial of service (DoS) could threaten the security of critical infrastructure.

Researcher Jared Rittle of Cisco Talos discovered a total of eight vulnerabilities, two of them critical, in the Open Automation Software (OAS) Platform, the most serious of which allows an attacker to execute arbitrary code on a targeted machine, according to a blog post published this week. The flaws affect Open Automation Software OAS Platform, version 16.00.0112.

OAS, offered by a company of the same name, makes it easy to transfer data between proprietary devices and applications, including both software and hardware. At its core is what’s called a Universal Data Connector, which allows the “movement and transformation of data for critical business processes like machine learning, data mining, reporting and data visualization,” according to the OAS website.

The OAS Platform is widely used in systems in which a range of disparate devices and software need to communicate, which is why it’s often found in ICS to connect industrial and IoT devices, SCADA systems, network points, and custom apps and APIs, among other software and hardware. Some companies using the platform include Intel, Mack Trucks, the U.S. Navy, JBT AeroTech and Michelin.

Critical Infrastructure at Risk

The OAS Platform’s presence in these systems is why the flaws can be incredibly dangerous, observed one security professional, noting that these devices are often those responsible for the operation of highly sensitive processes involved in critical industries like utilities and manufacturing.

“An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities,” Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, wrote in an email to Threatpost.

What can be especially dangerous in ICS attacks is that they may not be immediately obvious, which can make them hard to detect and allow them to inflict significant damage while operators are none the wiser, he said.

Clements cited the now-infamous Stuxnet worm that propagated more than 10 years ago as an example of how much destruction an ICS threat can cause if it flies under the radar.

Stuxnet “was a case study on these risks, as it didn’t immediately break the industrial control devices it targeted but altered their function in such a way to cause critical industrial components to eventually catastrophically fail, all while falsely reporting back to monitoring systems that everything was operating normally,” he said.

The Vulnerabilities

Of the flaws in OAS discovered by Cisco Talos, the one with the highest CVSS score (9.4) is being tracked as CVE-2022-26833, or TALOS-2022-1513. It’s an improper authentication flaw in the OAS REST API that could allow an attacker to send a series of HTTP requests and gain unauthenticated use of the API, researchers said.

However, what’s being deemed by researchers as the most serious of the flaws earned a 9.1 rating on the CVSS and is being tracked as CVE-2022-26082, or TALOS-2022-1493. CVE-2022-26082 is a file write vulnerability in the OAS Engine SecureTransferFiles functionality that could allow an attacker to execute arbitrary code on the targeted machine through a specially-crafted series of network requests.

The other vulnerabilities that Cisco Talos discovered earned ratings of high severity. The flaw that could lead to DoS is being tracked as CVE-2022-26026 or TALOS-2022-1491, and is found in the OAS Engine SecureConfigValues functionality of the platform. It can allow an attacker to create a specially-crafted network request that can lead to loss of communications.

Two other vulnerabilities, CVE-2022-27169 or TALOS-2022-1494 and CVE-2022-26067 or TALOS-2022-1492, can allow an attacker to obtain a directory listing at any location permissible by the underlying user by sending a specific network request, researchers wrote.

Another information disclosure vulnerability tracked as CVE-2022-26077 or TALOS-2022-1490, works in the same way, researchers said. However, this flaw also provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks, they said.

The other two vulnerabilities could allow an attacker to make external configuration changes, including the ability to create a new security group and/or new user accounts arbitrarily on the platform. They are being tracked as CVE-2022-26303 or TALOS-2022-1488, and CVE-2022-26043 or TALOS-2022-1489.

Updates Urged, but May Take Time

Cisco Talos worked with OAS to resolve the issues and urged those affected to update as soon as possible. Until then, affected users can reduce their exposure by ensuring that proper network segmentation is in place, so that an adversary has as little access as possible to the network on which the OAS Platform communicates, researchers noted.
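For operators who cannot patch immediately, the two actions above (confirm which hosts run the affected build, and confirm that only the OT segment can reach the OAS listeners) are worth scripting rather than eyeballing. The following is an added example written for this article, not code from Cisco Talos or Open Automation Software. It assumes a constructed inventory in which each OAS host records its reported version and the source CIDRs its firewall permits to reach the OAS service; the only version the article names as affected is 16.00.0112, and the fixed version is not stated, so every other build is flagged for manual verification against the vendor's release notes rather than declared safe. The trusted OT network ranges are likewise assumptions.

```python
import ipaddress

# The only OAS Platform build the advisory names as affected.
AFFECTED_VERSION = "16.00.0112"

# Constructed sample inventory (hostnames, versions and CIDRs are made up).
# 'allowed_sources' lists the CIDRs a host firewall permits to reach the OAS
# listeners, including the REST API that CVE-2022-26833 concerns.
SAMPLE_INVENTORY = [
    {"host": "oas-plant-a", "version": "16.00.0112",
     "allowed_sources": ["10.20.0.0/16"]},
    {"host": "oas-plant-b", "version": "16.00.0112",
     "allowed_sources": ["10.20.0.0/16", "0.0.0.0/0"]},
    {"host": "oas-lab", "version": "16.00.0099",
     "allowed_sources": ["10.20.5.0/24", "192.168.1.0/24"]},
    {"host": "oas-new", "version": "16.1.5",
     "allowed_sources": ["10.20.0.0/16"]},
]

# Assumed OT segment(s) from which OAS traffic is legitimate.
TRUSTED_NETS = ["10.20.0.0/16"]


def parse_version(text):
    """'16.00.0112' -> (16, 0, 112). Numeric tuples compare correctly, whereas a
    string comparison would rank '16.1.5' below '16.00.0112'."""
    return tuple(int(part) for part in text.strip().split("."))


def version_status(version):
    """Classify a reported OAS version against the advisory.

    Only 16.00.0112 is named as affected. Older builds were not tested in the
    advisory and newer ones are not named as fixed here, so both are returned
    as needing verification rather than being marked safe."""
    reported = parse_version(version)
    affected = parse_version(AFFECTED_VERSION)
    if reported == affected:
        return "affected"
    if reported < affected:
        return "older-verify"
    return "newer-verify"


def exposure_findings(allowed_sources, trusted_nets):
    """Return every permitted source CIDR that is not fully inside a trusted
    OT network. '0.0.0.0/0' or an IT-side range here means the segmentation
    mitigation is not actually in place for that host."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for cidr in allowed_sources:
        net = ipaddress.ip_network(cidr)
        inside = any(net.version == t.version and net.subnet_of(t)
                     for t in trusted)
        if not inside:
            findings.append(cidr)
    return findings


def triage(inventory, trusted_nets):
    """Per-host summary: patch status plus any over-broad firewall sources."""
    report = {}
    for entry in inventory:
        report[entry["host"]] = {
            "version_status": version_status(entry["version"]),
            "over_exposed": exposure_findings(entry["allowed_sources"],
                                              trusted_nets),
        }
    return report


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY, TRUSTED_NETS).items():
        print(host, result)
```

A host that comes back as "affected" with an empty over_exposed list is still vulnerable, but only to attackers already inside the OT segment; one with "0.0.0.0/0" in its findings is reachable by anyone who can route to it and should be the first to patch or isolate.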

Although updating systems is the best way to protect against potential attacks when vulnerabilities exist, it’s not often a quick and easy task, especially for ICS operators, security experts noted.

In fact, due to the nature of the systems, it’s an “immensely disruptive” task to take industrial systems offline, which is why ICS patches are often delayed for months or years, Clements said.
