Security News > 2022 > May > OAS platform vulnerable to critical RCE and API access flaws
The OAS platform is a widely used data connectivity solution that unites industrial devices, SCADA systems, IoTs, network points, custom applications, custom APIs, and databases under a holistic system.
According to a report by Cisco Talos, OAS platform version 16.00.0112 and below is vulnerable to a range of high and critical severity bugs that create the potential for damaging attacks.
Starting with the most critical of the bunch, CVE-2022-26833 has a CVSS severity rating of 9.4 out of 10 and concerns the unauthenticated access and use of the REST API functionality in OAS. An attacker could trigger the exploitation of this flaw by sending a series of specially crafted HTTP requests to the vulnerable endpoints.
As Cisco explains, the REST API is designed to give programmatic access for configuration changes and data viewing to the "Default" user, which Talos researchers were able to authenticate by sending a request with a blank username and password.
The second critical flaw is CVE-2022-26082, rated at 9.1, which is a file write vulnerability in the OAS Engine SecureTransferFiles module.
Otherwise, upgrading to a more recent version of the OAS platform would be advisable.
News URL
Related news
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Critical Zimbra RCE flaw exploited to backdoor servers using emails (source)
- CISA: Network switch RCE flaw impacts critical infrastructure (source)
- Critical Ivanti RCE flaw with public exploit now used in attacks (source)
- Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- Akira and Fog ransomware now exploit critical Veeam RCE flaw (source)
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-25 | CVE-2022-26833 | Missing Authentication for Critical Function vulnerability in Openautomationsoftware OAS Platform 16.00.0112 An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. | 9.4 |
| 2022-05-25 | CVE-2022-26082 | Missing Authentication for Critical Function vulnerability in Openautomationsoftware OAS Platform 16.00.0112 A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. | 9.8 |