Security News > 2022 > May > Critical Flaws in Popular ICS Platform Can Trigger RCE
Critical flaws in a popular platform used by industrial control systems that allow for unauthorized device access, remote code execution or denial of service could threaten the security of critical infrastructure.
The OAS Platform is widely used in systems in which a range of disparate devices and software need to communicate, which is why it's often found in ICS to connect industrial and IoT devices, SCADA systems, network points, and custom apps and APIs, among other software and hardware.
The OAS Platform's presence in these systems is why the flaws can be incredibly dangerous, observed one security professional, noting that these devices are often those responsible for the operation of highly sensitive processes involved in critical industries like utilities and manufacturing.
"An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities," Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, wrote in an email to Threatpost.
Of the flaws in OAS discovered by Cisco Talos, the one with the most critical rating on the CVSS is being tracked as CVE-2022-26833, or TALOS-2022-1513.
Affected users also can mitigate the flaws by ensuring that proper network segmentation is in place which will give adversaries a low level of access to the network on which the OAS Platform communicates, researchers noted.
News URL
https://threatpost.com/critical-flaws-in-popular-ics-platform-can-trigger-rce/179750/
Related news
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- Veeam warns of critical RCE bug in Service Provider Console (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-25 | CVE-2022-26833 | Unspecified vulnerability in Openautomationsoftware OAS Platform 16.00.0112 An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. | 9.4 |