Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service

Jared Rittle of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. 

Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service. 

The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware. 

The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833) has a 9.4 severity score and could lead to the unauthenticated use of the REST API. 

There are two other vulnerabilities, TALOS-2022-1494 (CVE-2022-27169) and TALOS-2022-1492 (CVE-2022-26067) could allow an attacker to obtain a directory listing at any location permissible by the underlying user by sending a specific network request. 

Another information disclosure vulnerability TALOS-2022-1490 (CVE-2022-26077) works in the same way, but alternatively provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks. 

TALOS-2022-1491 (CVE-2022-26026) can also be triggered by a specially crafted network request, but instead

Read More: http://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-platform.html