Security News > 2022 > May > OAS platform vulnerable to critical RCE and API access flaws
The OAS platform is a widely used data connectivity solution that unites industrial devices, SCADA systems, IoTs, network points, custom applications, custom APIs, and databases under a holistic system.
According to a report by Cisco Talos, OAS platform version 16.00.0112 and below is vulnerable to a range of high and critical severity bugs that create the potential for damaging attacks.
Starting with the most critical of the bunch, CVE-2022-26833 has a CVSS severity rating of 9.4 out of 10 and concerns the unauthenticated access and use of the REST API functionality in OAS. An attacker could trigger the exploitation of this flaw by sending a series of specially crafted HTTP requests to the vulnerable endpoints.
As Cisco explains, the REST API is designed to give programmatic access for configuration changes and data viewing to the "Default" user, which Talos researchers were able to authenticate by sending a request with a blank username and password.
The second critical flaw is CVE-2022-26082, rated at 9.1, which is a file write vulnerability in the OAS Engine SecureTransferFiles module.
Otherwise, upgrading to a more recent version of the OAS platform would be advisable.
News URL
Related news
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks (source)
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation (source)
- Critical RCE bug in Microsoft Outlook now exploited in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-05-25 | CVE-2022-26833 | Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112 An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. | 9.4 |
| 2022-05-25 | CVE-2022-26082 | Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112 A file write vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software OAS Platform V16.00.0112. | 9.8 |