CVE-2024-22178
A file write vulnerability exists in the OAS Engine Save Security Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Open Automation Software OAS Platform V19.00.0057
OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/
4.9 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE-73 - External Control of File Name or Path
The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.
The OAS configuration tool provides a feature to save the running configuration to disk on the OAS engine server. When the Security configuration is saved, the user is able to specify both the path and filename, restricted only by the permissions of the underlying OAS user system account. If the chosen file already exists, the contents of that file will be replaced with the configuration data.
To save the Security configuration, and subsequently overwrite a file with the contents of that configuration, a String_With_Auth protobuf can be leveraged as part of a greater authenticated request to specify the filename. The format of this structure resembles the following, where the String field contains the absolute path to the target file:
message String_With_Auth {
int32 Version = 1;
U_EP UEP = 2;
string String = 3;
}
Configuration data cannot be directly controlled, but it is possible to affect a subset of the data by strategically creating elements within the application, such as modifying user information.
When valid OAS Platform credentials are known, it is possible to gain access to the underlying system by overwriting the OAS user’s authorized_keys file with an attacker-controlled SSH key.
2024-02-29 - Vendor Disclosure
2024-03-04 - Vendor Patch Release
2024-04-03 - Public Release
Discovered by Jared Rittle of Cisco Talos.