Critical Flaws in Popular ICS Platform Can Trigger RCE

Cisco Talos discovered eight vulnerabilities, two of them critical, in the Open Automation Software Platform that pose a risk to critical infrastructure networks.

Critical flaws in a popular platform used by industrial control systems (ICS) that allow for unauthorized device access, remote code execution (RCE) or denial of service (DoS) could threaten the security of critical infrastructure.

Researcher Jared Rittle of Cisco Talos discovered a total of eight vulnerabilities, two of them critical, in the Open Automation Software (OAS) Platform, the most serious of which allows an attacker to execute arbitrary code on a targeted machine, according to a blog post published this week. The flaws affect Open Automation Software OAS Platform, version 16.00.0112.

OAS, offered by a company of the same name, makes it easy to transfer data between proprietary devices and applications, including both software and hardware. At its core is what’s called a Universal Data Connector, which allows the “movement and transformation of data for critical business processes like machine learning, data mining, reporting and data visualization,” according to the OAS website.

The OAS Platform is widely used in systems in which a range of disparate devices and software need to communicate, which is why it’s often
