Cisco Talos recently disclosed eight vulnerabilities in the engine configuration functionality in Open Automation’s Software Platform.
OAS Platform is commonly found in industrial operations and enterprise environments. It allows various devices, including PLCs, servers, files, databases and internet-of-things platforms, to communicate with one another and share data when their differing protocols would otherwise prevent it.
The vulnerabilities Talos disclosed on Sept. 5 all exist inside the OAS Platform’s Engine configuration management functionality. Through the configuration tool, users can load or save a set of configurations to a disk and install it on other devices.
TALOS-2023-1775 (CVE-2023-35124), TALOS-2023-1776 (CVE-2023-34353) and TALOS-2023-1774 (CVE-2023-32271) can all lead to the disclosure or decryption of sensitive information on the targeted device.
TALOS-2023-1769 (CVE-2023-31242) and TALOS-2023-1770 (CVE-2023-34998) could also allow an adversary to gain access to the OAS Platform system if they send a specially crafted set of network requests. TALOS-2023-1772 (CVE-2023-34317) can also be triggered if the adversary exploits one of the two previously mentioned vulnerabilities to authenticate to the system. Lastly, TALOS-2023-1771 (CVE-2023-32615) fits into this attack chain after an adversary has authenticated, allowing them to overwrite or create a new file on behalf of the logged-in OAS user.
TALOS-2023-1773 (CVE-2023-34994) inherently exists in the software: an application user who is not authorized on the underlying system can create new, unwanted directories anywhere that the underlying OAS user system account has access.
Talos worked with Open Automation to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.
Snort coverage (SIDs 61991 - 61994, 62003 and 62004) can detect the exploitation of these vulnerabilities; download the latest rule sets from Snort.org. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
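To triage alerts from the Snort SIDs listed above, the following added example (not Talos or Open Automation code) parses Snort `alert_fast` lines and groups hits by source host and destination endpoint. It assumes `alert_fast` output and generator ID 1; the sample alerts, addresses, ports and message text are constructed placeholders.

```python
import re
from collections import defaultdict

# SIDs named in the advisory: 61991 - 61994, 62003 and 62004.
OAS_SIDS = set(range(61991, 61995)) | {62003, 62004}

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

def host(endpoint):
    """Strip the port from an IPv4 'addr:port' endpoint; leave anything else alone."""
    return endpoint.rsplit(":", 1)[0] if endpoint.count(":") == 1 else endpoint

def oas_hits(lines):
    """Group alerts for the advisory's SIDs by (source host, destination endpoint)."""
    hits = defaultdict(lambda: {"sids": set(), "count": 0, "first": None, "last": None})
    for line in lines:
        m = ALERT_RE.match(line.strip())
        # Assumption: the rules are standard text rules, so the generator ID is 1.
        if not m or m["gid"] != "1" or int(m["sid"]) not in OAS_SIDS:
            continue  # unparsable line, other generator, or unrelated rule
        entry = hits[(host(m["src"]), m["dst"])]
        entry["sids"].add(int(m["sid"]))
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(hits)

# Constructed sample: addresses, ports, timestamps and message text are placeholders.
SAMPLE = """\
09/06-10:14:02.101000 [**] [1:61991:1] CONSTRUCTED-MSG [**] [Priority: 1] {TCP} 192.0.2.10:50112 -> 198.51.100.5:40000
09/06-10:14:03.250000 [**] [1:2000001:1] CONSTRUCTED-UNRELATED [**] [Priority: 3] {TCP} 192.0.2.10:50113 -> 198.51.100.5:40000
09/06-10:14:05.900000 [**] [1:62003:1] CONSTRUCTED-MSG [**] [Priority: 1] {TCP} 192.0.2.10:50114 -> 198.51.100.5:40000
09/06-11:30:41.000000 [**] [1:61994:1] CONSTRUCTED-MSG [**] [Priority: 1] {TCP} 203.0.113.7:41000 -> 198.51.100.5:40000
truncated or corrupt line
"""

if __name__ == "__main__":
    for (src, dst), e in sorted(oas_hits(SAMPLE.splitlines()).items()):
        print(f"{src} -> {dst}: {e['count']} alert(s), SIDs {sorted(e['sids'])}, "
              f"{e['first']} .. {e['last']}")
```

A single source that trips more than one of these SIDs against the same OAS endpoint is worth reviewing first, since the advisory describes several of the issues as steps in one attack chain.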