CVE-2022-26026
A denial of service vulnerability exists in the OAS Engine SecureConfigValues functionality of Open Automation Software OAS Platform V16.00.0112. A specially-crafted network request can lead to loss of communications. An attacker can send a network request to trigger this vulnerability.
Open Automation Software OAS Platform V16.00.0112
OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-306 - Missing Authentication for Critical Function
The OAS Platform was built to facilitate the simplified transfer of data between various proprietary devices and applications. It can be used to connect products from multiple different vendors, connect a product to a custom application, and more.
By sending a properly-formatted unauthenticated configuration message to the OAS Platform, it is possible to change the port used for configuration changes. If the SecureConfigValues command is used to change the TCP Port parameter to an invalid value, the OAS Platform will stop listening for new configuration connections altogether. Invalid values consist of any port number outside of the available range (>65535) or any port already in use. By default this message can be sent to TCP/58727 and, if successful, will be processed by the user oasuser with normal user permissions.
When a successful SecureConfigValues command is received, a response similar to the following will be returned:
0000 00 00 00 00 00 80 44 40 00 01 00 00 00 ff ff ff ......D@........
0010 ff 01 00 00 00 00 00 00 00 11 01 00 00 00 02 00 ................
0020 00 00 06 02 00 00 00 07 53 75 63 63 65 73 73 0a ........Success.
0030 0b .
If either an invalid or in-use port was chosen, it will no longer be possible to communicate with the server. If a valid port that was not already in use was chosen, communication will switch to that port.
The easiest way to mitigate attempts to exploit this vulnerability is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, use a dedicated user account to run the OAS Platform, and ensure that user account does not have any more permissions than absolutely necessary.
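To detect the two outcomes described above (the configuration listener disappearing, or moving to another port), a host-side check can compare socket snapshots over time. The following is an added example, not code from the advisory or from Open Automation Software; the process name oas-engine and the sample `ss -H -ltnp` snapshots are constructed assumptions.

```python
import re

DEFAULT_CONFIG_PORT = 58727   # default configuration port named in the advisory
ENGINE_PROC = "oas-engine"    # hypothetical process name; use the real one on your host

# One LISTEN row of `ss -H -ltnp` (run as root so the owning process is shown).
ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def listeners(ss_output):
    """Map process name -> set of TCP ports it is listening on."""
    found = {}
    for line in ss_output.splitlines():
        m = ROW.match(line.strip())
        if m:
            found.setdefault(m.group(2), set()).add(int(m.group(1)))
    return found

def classify(baseline, current, proc=ENGINE_PROC, port=DEFAULT_CONFIG_PORT):
    """Compare two snapshots and report the state of the configuration listener."""
    before = listeners(baseline).get(proc, set())
    after = listeners(current).get(proc, set())
    if port not in before:
        return ("no-baseline", set())   # nothing to compare against
    if port in after:
        return ("ok", set())
    moved_to = after - before           # listener that appeared since the baseline
    if moved_to:
        return ("moved", moved_to)      # a valid, unused port was set
    return ("lost", set())              # an invalid or in-use port was set

# Constructed sample snapshots (not captured from a real system).
BASELINE = '''\
LISTEN 0 128 0.0.0.0:58727 0.0.0.0:* users:(("oas-engine",pid=812,fd=14))
LISTEN 0 128 0.0.0.0:9000 0.0.0.0:* users:(("oas-engine",pid=812,fd=12))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
'''
MOVED = BASELINE.replace(":58727 ", ":40000 ")
LOST = "\n".join(l for l in BASELINE.splitlines() if ":58727 " not in l)

if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE), ("moved", MOVED), ("lost", LOST)):
        print(name, classify(BASELINE, snap))
```

Either a "moved" or a "lost" result outside a planned maintenance window indicates that the configuration port was changed and warrants review of who could reach TCP/58727 at the time.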
2022-03-16 - Vendor Disclosure
2022-05-22 - Vendor Patch Release
2022-05-25 - Public Release
Discovered by Jared Rittle of Cisco Talos.