A researcher at Cisco’s Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.
The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations’ industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.
Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.
The vulnerabilities are just the latest cyber threat in an industrial sector that has become a larger target for bad actors in recent years, as illustrated by such high-profile ransomware attacks on companies like energy provider Colonial Pipeline and global meat processor JBS Foods.
These security gaps have become such a concern that the US Cybersecurity and Infrastructure Agency (CISA) and other government offices have warned industrial and critical infrastructure companies about the growing threat, particularly in the wake of Russia’s unprovoked invasion of neighboring Ukraine in February.
Two of the flaws discovered by Talos threat hunter Jared Rittle carry critical ratings. One, tracked as CVE-2022-26833 with a CVSS severity score of 9.4 out of 10, would enable a bad actor to exploit the flaw in a REST API on the platform and change the configuration of the platform, researchers wrote in a blog post this week.
This would let the attacker to perform such tasks as reading the existing usernames, configuration and groups, create a new security group and user with broad permissions and change ports used by various OAS services. The flaw could be exploited by sending a specially crafted series of HTTP requests to the targeted devices.
Another, tracked as CVE-2022-26082 with a severity score of 9.1, opens up the platform to a remote code execution (RCE) attack, which would enable an attacker to run arbitrary code on the targeted system. The flaw exists in the OAS Engine SecureTransferFiles functionality and a bad cybercriminal can exploit it by sending a sequence of network requests.
“Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist,” the researchers wrote. “Both the Security Group and User Account referred to here are elements within the OAS Platform, not the underlying Linux machine.”
If an acceptable security group and user account already exist, the attacker can get the necessary credentials off the network and user for the transfer. If they don’t exist, the attacker would have to create them before being able to exploit the vulnerability, they wrote. Once the bad actor gets the credentials, they can execute their code on the Linux system.
Two other vulnerabilities (CVE-2022-27169 and CVE-2022-26067) would enable the attacker to send a specific network request to get a directory listing, while another flaw (CVE-2022-26077) would let them send similar requests to obtain a list of usernames and passwords that could be used in future attacks on the OAS platform.
Bad actors can exploit another flaw (CVE-2022-26026) by sending a network request that would result in a denial of service and a loss of communications and through two others (CVE-2022-26303 and CVE-2022-26043) make external configuration changes, such as creating a new security group and user accounts.
Cisco worked with OAS to address the vulnerabilities. OAS issued an update to its platform and Talos listed a range of mitigation steps enterprises can take to deal with them.
In an email to The Register, Chris Clements, vice president of solutions architecture for cybersecurity firm Cerberus Sentinel, said that flaws affecting industrial control devices “are among the scariest cybersecurity threats today. An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities, but an attack can also be something that may not be immediately obvious.”
Clemente pointed to the high-profile Stuxnet worm, which didn’t immediately break such devices but changed their function in ways that led them to eventually fail while reporting back to monitoring systems that everything was operating normally. He also noted that taking such systems offline can be disruptive, which can lead some organizations to put off patching them for months or years. In addition, such techniques as air gapping such systems from the internet can help protect them against attacks but are not fail-proof.
“In some instances [air gaps] can be a double-edged sword,” Clements said. “Malicious USB devices have been leveraged several times to spread malware on to air-gapped networks, and unless special considerations have been made to perform security patching on the isolated network, the malicious code often finds itself in an environment that’s ripe for exploitation.”
Enterprises need to also ensure they are hardening their systems, patching when necessary and have secondary systems in place to protect against having to take others offline, he said.
In April, CISA and other agencies warned that threat groups were creating custom tools to control industrial control system sand SCADA devices, part of the larger threat against critical infrastructure firms.
Private sector companies also are moving to strengthen security around such systems, including creating the Operational Technology Cybersecurity Coalition, which includes a mix of corporations like Honeywell and Coca-Cola and cybersecurity vendors, such as Fortinet and Check Point. ®