Security News > 2022 > May > OAS platform vulnerable to critical RCE and API access flaws

OAS platform vulnerable to critical RCE and API access flaws
2022-05-26 19:11

The OAS platform is a widely used data connectivity solution that unites industrial devices, SCADA systems, IoTs, network points, custom applications, custom APIs, and databases under a holistic system.

According to a report by Cisco Talos, OAS platform version 16.00.0112 and below is vulnerable to a range of high and critical severity bugs that create the potential for damaging attacks.

Starting with the most critical of the bunch, CVE-2022-26833 has a CVSS severity rating of 9.4 out of 10 and concerns the unauthenticated access and use of the REST API functionality in OAS. An attacker could trigger the exploitation of this flaw by sending a series of specially crafted HTTP requests to the vulnerable endpoints.

As Cisco explains, the REST API is designed to give programmatic access for configuration changes and data viewing to the "Default" user, which Talos researchers were able to authenticate by sending a request with a blank username and password.

The second critical flaw is CVE-2022-26082, rated at 9.1, which is a file write vulnerability in the OAS Engine SecureTransferFiles module.

Otherwise, upgrading to a more recent version of the OAS platform would be advisable.


News URL

https://www.bleepingcomputer.com/news/security/oas-platform-vulnerable-to-critical-rce-and-api-access-flaws/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-05-25 CVE-2022-26833 Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112
An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121.
network
low complexity
openautomationsoftware
critical
9.4
2022-05-25 CVE-2022-26082 Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112
A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112.
network
low complexity
openautomationsoftware
critical
9.8