Talos names eight deadly sins in widely used industrial software

Entire swaths of gear rely on vulnerability-laden Open Automation Software (OAS)


A researcher at Cisco's Talos threat intelligence team found eight vulnerabilities in the Open Automation Software (OAS) platform that, if exploited, could enable a bad actor to access a device and run code on a targeted system.

The OAS platform is widely used by a range of industrial enterprises, essentially facilitating the transfer of data between hardware and software within an IT environment and playing a central role in organizations' industrial Internet of Things (IIoT) efforts. It touches a range of devices, including PLCs, OPC servers and IoT devices, as well as custom applications and APIs, databases and edge systems.

Companies like Volvo, General Dynamics, JBT Aerotech and wind-turbine maker AES are among the users of the OAS platform.

The vulnerabilities are just the latest cyber threat in an industrial sector that has become a larger target for bad actors in recent years, as illustrated by such high-profile ransomware attacks on companies like energy provider Colonial Pipeline and global meat processor JBS Foods.

These security gaps have become such a concern that the US Cybersecurity and Infrastructure Security Agency (CISA) and other government offices have warned industrial and critical infrastructure companies about the growing threat, particularly in the wake of Russia's unprovoked invasion of neighboring Ukraine in February.

Two of the flaws discovered by Talos threat hunter Jared Rittle carry critical ratings. One, tracked as CVE-2022-26833 with a CVSS severity score of 9.4 out of 10, lies in a REST API on the platform and would let a bad actor change the platform's configuration, researchers wrote in a blog post this week.

This would let the attacker perform such tasks as reading the existing usernames, configuration and groups; creating a new security group and user with broad permissions; and changing the ports used by various OAS services. The flaw can be exploited by sending a specially crafted series of HTTP requests to the targeted device.

Another, tracked as CVE-2022-26082 with a severity score of 9.1, opens the platform up to remote code execution (RCE), allowing an attacker to run arbitrary code on the targeted system. The flaw exists in the OAS Engine SecureTransferFiles functionality and an attacker can exploit it by sending a sequence of network requests.

"Before the transfer of a file will be accepted, it is necessary that a Security Group with File Transfer permissions and a User Account in that group exist," the researchers wrote. "Both the Security Group and User Account referred to here are elements within the OAS Platform, not the underlying Linux machine."

If an acceptable security group and user account already exist, the attacker can obtain the necessary credentials from the network and use them for the transfer. If they don't exist, the attacker would have to create them before being able to exploit the vulnerability, the researchers wrote. Once the attacker has the credentials, they can execute their code on the underlying Linux system.

Two other vulnerabilities (CVE-2022-27169 and CVE-2022-26067) would let an attacker send a specific network request to obtain a directory listing, while another flaw (CVE-2022-26077) would let them send similar requests to obtain a list of usernames and passwords that could be used in later attacks on the OAS platform.

An attacker can exploit another flaw (CVE-2022-26026) by sending a network request that causes a denial of service and a loss of communications, and through two others (CVE-2022-26303 and CVE-2022-26043) make external configuration changes, such as creating new security groups and user accounts.

Cisco worked with OAS to address the vulnerabilities. OAS issued an update to its platform and Talos listed a range of mitigation steps enterprises can take to deal with them.

In an email to The Register, Chris Clements, vice president of solutions architecture for cybersecurity firm Cerberus Sentinel, said that flaws affecting industrial control devices "are among the scariest cybersecurity threats today. An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities, but an attack can also be something that may not be immediately obvious."

Clements pointed to the high-profile Stuxnet worm, which didn't immediately break such devices but changed their function in ways that led them to eventually fail, all while reporting back to monitoring systems that everything was operating normally. He also noted that taking such systems offline can be disruptive, which leads some organizations to put off patching them for months or years. In addition, techniques such as air-gapping such systems from the internet can help protect them against attacks but are not fail-proof.

"In some instances [air gaps] can be a double-edged sword," Clements said. "Malicious USB devices have been leveraged several times to spread malware on to air-gapped networks, and unless special considerations have been made to perform security patching on the isolated network, the malicious code often finds itself in an environment that's ripe for exploitation."

Enterprises also need to ensure they are hardening their systems, patching when necessary, and keeping secondary systems in place so they are not forced to take others offline, he said.

In April, CISA and other agencies warned that threat groups were creating custom tools to control industrial control system (ICS) and SCADA devices, part of the larger threat against critical infrastructure firms.

Private sector companies also are moving to strengthen security around such systems, including creating the Operational Technology Cybersecurity Coalition, which includes a mix of corporations like Honeywell and Coca-Cola and cybersecurity vendors, such as Fortinet and Check Point. ®

Biting the hand that feeds IT © 1998–2022