CVE-2023-35124
An information disclosure vulnerability exists in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to a disclosure of sensitive information. An attacker can send a sequence of requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Open Automation Software OAS Platform v18.00.0072
OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/
3.1 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-209 - Information Exposure Through an Error Message
The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.
Through the OAS Configuration tool, the functionality to load a saved configuration from disk is exposed to authenticated application users. Accompanying the configuration management tools is a remote file browser that allows users to view and subsequently select a file on the system to load. It is important to note that these users exist within the OAS Engine exclusively, not on the underlying system.
When a file is chosen that does not conform to the expected configuration format, the first 0x11 bytes of the file are sometimes leaked in the response error message.
To select a file to attempt to load, a String protobuf can be leveraged as part of a greater authenticated request to specify the filename. The format of this structure resembles the following, where the String field contains the absolute path to the target file:
message String {
int32 Version = 1;
U_EP UEP = 2;
string String = 3;
}
If the chosen file does not conform to the expected format, a response similar to the following will sometimes be returned:
Exception: The input stream is not a valid binary format. The starting contents (in bytes) are: 75-6E-61-6D-65-3A-6F-61-73-75-73-65-72-0A-70-61-74 ...'
Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration. Additionally, where possible restrict read/write access for the OAS user to only locations that can safely be exposed to anyone on the network.
The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/
2023-06-22 - Vendor Disclosure
2023-09-02 - Vendor Patch Release
2023-09-05 - Public Release
Discovered by a member of Cisco Talos.