Talos names eight deadly sins in widely used industrial software

Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)


A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

The vulnerabilities are just the latest cyber threat in an industrial sector that has become a larger target for bad actors in recent years, as illustrated by such high-profile ransomware attacks on companies like energy provider Colonial Pipeline and global meat processor JBS Foods.

These security gaps have become such a concern that the US Cybersecurity and Infrastructure Agency (CISA) and other government offices have warned industrial and critical infrastructure companies about the growing threat, particularly in the wake of Russia's unprovoked invasion of neighboring Ukraine in February.

Two of the flaws discovered by Talos threat hunter Jared Rittle carry critical ratings. One, tracked as CVE-2022-26833 with a CVSS severity score of 9.4 out of 10, would enable a bad actor to exploit the flaw in a REST API on the platform and change the configuration of the platform, researchers wrote in a blog post this week.

This would let the attacker to perform such tasks as reading the existing usernames, configuration and groups, create a new security group and user with broad permissions and change ports used by various OAS services. The flaw could be exploited by sending a specially crafted series of HTTP requests to the targeted devices.

Another, tracked as CVE-2022-26082 with a severity score of 9.1, opens up the platform to a remote code execution (RCE) attack, which would enable an attacker to run arbitrary code on the targeted system. The flaw exists in the OAS Engine SecureTransferFiles functionality and a bad cybercriminal can exploit it by sending a sequence of network requests.

"Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist," the researchers wrote. "Both the Security Group and User Account referred to here are elements within the OAS Platform, not the underlying Linux machine."

If an acceptable security group and user account already exist, the attacker can get the necessary credentials off the network and user for the transfer. If they don't exist, the attacker would have to create them before being able to exploit the vulnerability, they wrote. Once the bad actor gets the credentials, they can execute their code on the Linux system.

Two other vulnerabilities (CVE-2022-27169 and CVE-2022-26067) would enable the attacker to send a specific network request to get a directory listing, while another flaw (CVE-2022-26077) would let them send similar requests to obtain a list of usernames and passwords that could be used in future attacks on the OAS platform.

Bad actors can exploit another flaw (CVE-2022-26026) by sending a network request that would result in a denial of service and a loss of communications and through two others (CVE-2022-26303 and CVE-2022-26043) make external configuration changes, such as creating a new security group and user accounts.

Cisco worked with OAS to address the vulnerabilities. OAS issued an update to its platform and Talos listed a range of mitigation steps enterprises can take to deal with them.

In an email to The Register, Chris Clements, vice president of solutions architecture for cybersecurity firm Cerberus Sentinel, said that flaws affecting industrial control devices "are among the scariest cybersecurity threats today. An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities, but an attack can also be something that may not be immediately obvious."

Clemente pointed to the high-profile Stuxnet worm, which didn't immediately break such devices but changed their function in ways that led them to eventually fail while reporting back to monitoring systems that everything was operating normally. He also noted that taking such systems offline can be disruptive, which can lead some organizations to put off patching them for months or years. In addition, such techniques as air gapping such systems from the internet can help protect them against attacks but are not fail-proof.

"In some instances [air gaps] can be a double-edged sword," Clements said. "Malicious USB devices have been leveraged several times to spread malware on to air-gapped networks, and unless special considerations have been made to perform security patching on the isolated network, the malicious code often finds itself in an environment that's ripe for exploitation."

Enterprises need to also ensure they are hardening their systems, patching when necessary and have secondary systems in place to protect against having to take others offline, he said.

In April, CISA and other agencies warned that threat groups were creating custom tools to control industrial control system sand SCADA devices, part of the larger threat against critical infrastructure firms.

Private sector companies also are moving to strengthen security around such systems, including creating the Operational Technology Cybersecurity Coalition, which includes a mix of corporations like Honeywell and Coca-Cola and cybersecurity vendors, such as Fortinet and Check Point. ®


Other stories you might like

  • Datacenter networks: You'll manage them from the cloud, eventually, claims Cisco
    Nexus portfolio undergoes cloudy Software-as-a-Service revamp

    Cisco's Nexus Cloud will eventually allow customers to manage their datacenter networks entirely from the cloud, says the networking giant.

    The company unveiled the latest addition to its datacenter-focused Nexus portfolio at Cisco Live this week, where the product set got a software-as-a-service (SaaS) revamp.

    "It's targeted at network operations teams that need to manage, or want to manage, their Nexus infrastructure as well as their public-cloud network infrastructure in one spot," Cisco's Thomas Scheibe – VP product management, cloud networking for Nexus & ACI product lines – told The Register.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Why Wi-Fi 6 and 6E will connect factories of the future
    Tech body pushes reliability, cost savings of next-gen wireless comms for IIoT – not a typo

    Wi-Fi 6 and 6E are being promoted as technologies for enabling industrial automation and the Industrial Internet of Things (IIoT) thanks to features that provide more reliable communications and reduced costs compared with wired network alternatives, at least according to the Wireless Broadband Alliance (WBA).

    The WBA’s Wi-Fi 6/6E for IIoT working group, led by Cisco, Deutsche Telekom, and Intel, has pulled together ideas on the future of networked devices in factories and written it all up in a “Wi-Fi 6/6E for Industrial IoT: Enabling Wi-Fi Determinism in an IoT World” manifesto.

    The detailed whitepaper makes the case that wireless communications has become the preferred way to network sensors as part of IIoT deployments because it's faster and cheaper than fiber or copper infrastructure. The alliance is a collection of technology companies and service providers that work together on developing standards, coming up with certifications and guidelines, advocating for stuff that they want, and so on.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading

Biting the hand that feeds IT © 1998–2022