CVE-2024-21870
A file write vulnerability exists in the OAS Engine Tags Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Open Automation Software OAS Platform V19.00.0057
OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/
4.9 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE-73 - External Control of File Name or Path
The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.
The OAS Engine provides authenticated users access to a variety of user-modifiable configuration fields. Included within these options is the File Data Source configuration, allowing users to specify a system path and filename to use with specially configured Tag entities.
A Tag can get its value from a variety of data sources including Value, MQTT, and File, among others. When the File data source is selected, a sub-option must also be specified indicating the type of file in which the configuration should be stored. Three options exist: Binary, Text, or XML. The OAS Engine then uses the system path and filename specified in the File Data Source configuration, in combination with the extension associated with the storage type, to determine what file to use for access.
To overwrite a .bin, .txt, or .xml file in this way, a combination of requests must be made. First, the File Data Source configuration must be updated to use the target directory and filename. This can be done through use of a CSV_Import protobuf as part of a greater authenticated request. The format of this structure resembles the following, where the Strings field contains the configuration options in CSV format, with the File Data Source Path column containing the target directory and the File Data Source File Name column containing the target name.
message CSV_Import {
int32 Version = 1;
U_EP UEP = 2;
repeated string Strings = 3;
}
With the File Data Source configuration successfully set, a Tag must be configured to use a file as its data source. This can be accomplished as part of a greater authenticated request through use of a Config_SetProperties protobuf packed within a Config_Sub_Values protobuf. The format of these structures resembles the following.
message Config_Sub_Values {
int32 Version = 1;
string MethodName = 2;
repeated bytes PackedValueFromRequest = 3;
}
message Config_SetProperties {
string Name = 1;
repeated string ItemNames = 2;
repeated OAS_Value OASValues = 3;
bool Adding = 4;
}
Within the Config_SetProperties protobuf, the ItemNames field contains an array of configuration keys while the OASValues field contains an array of the associated values. In particular, the keys Value_ParameterSource and Value_ParameterSourceFile must be set to File and to one of Binary, Text, or XML, respectively.
When successfully completed, the OAS Engine will create the newly specified file, or, if it already exists, overwrite all existing data with that of the associated Tag.
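The following is an added example written for this page; it is not OAS code and not part of the Talos advisory. It hand-encodes a CSV_Import message using only the two fields whose types the advisory quotes (Version as a varint, Strings as length-delimited fields; the U_EP field is left unset because its schema is not given), decodes it back, pulls the File Data Source Path and File Data Source File Name out of the CSV rows, and then contrasts the unchecked path composition the advisory describes (directory and name supplied by the caller, extension appended per storage type) with a confined version that pins the result under a fixed data root. The CSV layout (a header row naming the columns followed by one row per data source), the data root directory, and the sample rows are assumptions for illustration; the .bin/.txt/.xml mapping is the one the advisory states.

```python
"""Added example (not OAS code): CSV_Import wire encoding/decoding and
CWE-73 path confinement for the File Data Source configuration."""
import csv
import io
import os
from typing import Iterator, List, Optional, Tuple


def _varint(n: int) -> bytes:
    """Encode a non-negative int as a protobuf base-128 varint."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode the varint at buf[pos]; return (value, next position)."""
    shift = value = 0
    while True:
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def encode_csv_import(version: int, strings: List[str]) -> bytes:
    """Serialise CSV_Import as quoted in the advisory: field 1 Version
    (wire type 0) and field 3 repeated Strings (wire type 2).
    Field 2 (U_EP UEP) is left unset: its schema is not on the page."""
    out = _varint(1 << 3 | 0) + _varint(version)
    for s in strings:
        data = s.encode("utf-8")
        out += _varint(3 << 3 | 2) + _varint(len(data)) + data
    return out


def iter_fields(buf: bytes) -> Iterator[Tuple[int, int, object]]:
    """Walk top-level protobuf fields (varint and length-delimited only)."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x7
        if wire_type == 0:
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"wire type {wire_type} not handled here")
        yield field, wire_type, value


def decode_csv_import(buf: bytes) -> Tuple[int, List[str]]:
    """Recover (Version, Strings) from a serialised CSV_Import."""
    version, strings = 0, []
    for field, wire_type, value in iter_fields(buf):
        if field == 1 and wire_type == 0:
            version = value
        elif field == 3 and wire_type == 2:
            strings.append(value.decode("utf-8"))
    return version, strings


def file_data_sources(strings: List[str]) -> List[Tuple[str, str]]:
    """Extract (path, file name) pairs from the CSV rows in Strings.
    ASSUMED layout: header row naming the columns, one row per source;
    the advisory names the two columns but not the full CSV format."""
    rows = list(csv.reader(io.StringIO("\n".join(strings))))
    header, data = rows[0], rows[1:]
    return [
        (rec["File Data Source Path"], rec["File Data Source File Name"])
        for rec in (dict(zip(header, row)) for row in data)
    ]


# Storage-type extensions as stated in the advisory.
EXTENSIONS = {"Binary": ".bin", "Text": ".txt", "XML": ".xml"}


def unsafe_target(path: str, name: str, kind: str) -> str:
    """The composition the advisory describes: caller-chosen directory and
    name, engine appends the storage-type extension (CWE-73)."""
    return os.path.join(path, name + EXTENSIONS[kind])


def confined_target(root: str, path: str, name: str, kind: str) -> Optional[str]:
    """Hardened form: path is relative to a fixed data root (hypothetical),
    separators are refused in the name, and anything resolving outside the
    root is rejected (returns None)."""
    if not name or name in (".", "..") or "/" in name or "\\" in name:
        return None
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, path, name + EXTENSIONS[kind]))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample request body, not captured traffic.
    sample = encode_csv_import(1, [
        "File Data Source Path,File Data Source File Name",
        "/etc,passwd",
    ])
    _, rows = decode_csv_import(sample)
    for path, name in file_data_sources(rows):
        print("unchecked:", unsafe_target(path, name, "Text"))
        print("confined :", confined_target("/var/lib/oas", path, name, "Text"))
```

Note that `os.path.join` discards the base when the caller-supplied path is absolute, which is exactly why `unsafe_target` lands on `/etc/passwd.txt`; `confined_target` relies on `realpath` plus a `commonpath` check rather than on string prefixes, so `..` segments and symlinks are resolved before the containment decision is made.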
2024-02-29 - Vendor Disclosure
2024-03-04 - Vendor Patch Release
2024-04-03 - Public Release
Discovered by Jared Rittle of Cisco Talos.