CVE-2023-31242
An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Open Automation Software OAS Platform v18.00.0072
OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/
8.1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-284 - Improper Access Control
The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.
By default, when the OAS Engine is installed, no admin application user is set. Without an admin application user, no authentication is required to access functionality that would otherwise require valid credentials, including creating new users. Additionally, if an admin user is created but the configuration is not saved before the OAS Engine restarts, then those changes will be lost and the system will revert to disregarding the authentication structure.
While the credentials will not end up being verified in this case, all privileged requests must still contain a valid authentication structure.
Through use of the following protobuf request, it is possible to check if unauthenticated access is possible through use of an OASPacket with a CommandNumber of 0x13F.
message OASPacket {
int32 Version = 1;
int32 LDCMode = 2;
int32 CommandNumber = 3;
string LDCHost = 4;
string SendingGUID = 5;
bytes DataAsBytes = 6;
}
If successful, a protobuf response similar to the following will be provided that contains versioning and other engine information. If the MtcExpirationString value contains the string “Create an Admin User” it is indicative of a vulnerable case.
message Version_Runtime_License {
int32 Version = 1;
bool Runtime = 2;
string LicenseString = 3;
string MtcExpirationString = 4;
bool NetCore = 5;
bool WinOS = 6;
bool LinuxOS = 7;
string AssemblyVersion = 8;
string BaseDirectory = 9;
bool EnableActiveDirectory = 10;
string ActiveDirectoryEntry = 11;
string ActiveDirectoryFilter = 12;
}
When combined with the user creation and save configuration functionality, it is possible to gain access to the underlying system.
The easiest way to avoid this case is to ensure that an OAS admin user is set and the configuration is saved immediately upon installation of the OAS Engine. Additionally, access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration.
The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/
2023-06-22 - Vendor Disclosure
2023-09-02 - Vendor Patch Release
2023-09-05 - Public Release
Discovered by a member of Cisco Talos.