Talos names eight deadly sins in widely used industrial software

Entire swaths of gear relies on vulnerability-laden Open Automation Software (OAS)

A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data within an IT environment between hardware and software and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs and OPCs and IoT devices, as well as custom applications and APIs, databases and edge systems.

Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

The vulnerabilities are just the latest cyber threat in an industrial sector that has become a larger target for bad actors in recent years, as illustrated by such high-profile ransomware attacks on companies like energy provider Colonial Pipeline and global meat processor JBS Foods.

These security gaps have become such a concern that the US Cybersecurity and Infrastructure Agency (CISA) and other government offices have warned industrial and critical infrastructure companies about the growing threat, particularly in the wake of Russia's unprovoked invasion of neighboring Ukraine in February.

Two of the flaws discovered by Talos threat hunter Jared Rittle carry critical ratings. One, tracked as CVE-2022-26833 with a CVSS severity score of 9.4 out of 10, would enable a bad actor to exploit the flaw in a REST API on the platform and change the configuration of the platform, researchers wrote in a blog post this week.

This would let the attacker to perform such tasks as reading the existing usernames, configuration and groups, create a new security group and user with broad permissions and change ports used by various OAS services. The flaw could be exploited by sending a specially crafted series of HTTP requests to the targeted devices.

Another, tracked as CVE-2022-26082 with a severity score of 9.1, opens up the platform to a remote code execution (RCE) attack, which would enable an attacker to run arbitrary code on the targeted system. The flaw exists in the OAS Engine SecureTransferFiles functionality and a bad cybercriminal can exploit it by sending a sequence of network requests.

"Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist," the researchers wrote. "Both the Security Group and User Account referred to here are elements within the OAS Platform, not the underlying Linux machine."

If an acceptable security group and user account already exist, the attacker can get the necessary credentials off the network and user for the transfer. If they don't exist, the attacker would have to create them before being able to exploit the vulnerability, they wrote. Once the bad actor gets the credentials, they can execute their code on the Linux system.

Two other vulnerabilities (CVE-2022-27169 and CVE-2022-26067) would enable the attacker to send a specific network request to get a directory listing, while another flaw (CVE-2022-26077) would let them send similar requests to obtain a list of usernames and passwords that could be used in future attacks on the OAS platform.

Bad actors can exploit another flaw (CVE-2022-26026) by sending a network request that would result in a denial of service and a loss of communications and through two others (CVE-2022-26303 and CVE-2022-26043) make external configuration changes, such as creating a new security group and user accounts.

Cisco worked with OAS to address the vulnerabilities. OAS issued an update to its platform and Talos listed a range of mitigation steps enterprises can take to deal with them.

In an email to The Register, Chris Clements, vice president of solutions architecture for cybersecurity firm Cerberus Sentinel, said that flaws affecting industrial control devices "are among the scariest cybersecurity threats today. An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities, but an attack can also be something that may not be immediately obvious."

Clemente pointed to the high-profile Stuxnet worm, which didn't immediately break such devices but changed their function in ways that led them to eventually fail while reporting back to monitoring systems that everything was operating normally. He also noted that taking such systems offline can be disruptive, which can lead some organizations to put off patching them for months or years. In addition, such techniques as air gapping such systems from the internet can help protect them against attacks but are not fail-proof.

"In some instances [air gaps] can be a double-edged sword," Clements said. "Malicious USB devices have been leveraged several times to spread malware on to air-gapped networks, and unless special considerations have been made to perform security patching on the isolated network, the malicious code often finds itself in an environment that's ripe for exploitation."

Enterprises need to also ensure they are hardening their systems, patching when necessary and have secondary systems in place to protect against having to take others offline, he said.

In April, CISA and other agencies warned that threat groups were creating custom tools to control industrial control system sand SCADA devices, part of the larger threat against critical infrastructure firms.

Private sector companies also are moving to strengthen security around such systems, including creating the Operational Technology Cybersecurity Coalition, which includes a mix of corporations like Honeywell and Coca-Cola and cybersecurity vendors, such as Fortinet and Check Point. ®

Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Datacenter networks: You'll manage them from the cloud, eventually, claims Cisco
    Nexus portfolio undergoes cloudy Software-as-a-Service revamp

    Cisco's Nexus Cloud will eventually allow customers to manage their datacenter networks entirely from the cloud, says the networking giant.

    The company unveiled the latest addition to its datacenter-focused Nexus portfolio at Cisco Live this week, where the product set got a software-as-a-service (SaaS) revamp.

    "It's targeted at network operations teams that need to manage, or want to manage, their Nexus infrastructure as well as their public-cloud network infrastructure in one spot," Cisco's Thomas Scheibe – VP product management, cloud networking for Nexus & ACI product lines – told The Register.

    Continue reading
  • Cisco execs pledge simpler, more integrated networks
    Is this the end of Switchzilla's dashboard creep?

    Cisco Live In his first in-person Cisco Live keynote in two years, CEO Chuck Robbins didn't make any lofty claims about how AI is taking over the network or how the company's latest products would turn networking on its head. Instead, the presentation was all about working with customers to make their lives easier.

    "We need to simplify the things that we do with you. If I think back to eight or ten years ago, I think we've made progress, but we still have more to do," he said, promising to address customers' biggest complaints with the networking giant's various platforms.

    "Everything we find that is inhibiting your experience from being the best that it can be, we're going to tackle," he declared, appealing to customers to share their pain points at the show.

    Continue reading

Biting the hand that feeds IT © 1998–2022