CVE-2024-27201
An improper input validation vulnerability exists in the OAS Engine User Configuration functionality of Open Automation Software OAS Platform V19.00.0057. A specially crafted series of network requests can lead to unexpected data in the configuration. An attacker can send a sequence of requests to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Open Automation Software OAS Platform V19.00.0057
OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/
4.9 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
CWE-20 - Improper Input Validation
The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.
Access to the various features of the OAS Engine and associated data is controlled through use of OAS engine application users. Application administrator users are able to add additional users to the application with varying levels of permissions. It is important to note that these users exist within the OAS Engine exclusively, not on the underlying system.
To add a new user, a Config_SetProperties protobuf can be leveraged as part of a greater authenticated request to specify the username. The format of this structure resembles the following where the ItemNames field contains an array of keys indicating the fields being modified, and the OASValues field contains an array of values associated with those keys.
message Config_SetProperties {
string Name = 1;
repeated string ItemNames = 2;
repeated OAS_Value OASValues = 3;
bool Adding = 4;
}
When configuring a platform user, seven fields can be set: Name, Password, SecurityGroup, Field1, Field2, Field3, and Field4. Of these seven, the last five have no filtering performed on the value entered for the username, allowing a wide variety of characters not appropriate for user information to be entered and subsequently stored to the running configuration.
When valid OAS Platform credentials are known, it is possible to gain access to the underlying system by adding a user with any of the affected fields containing an SSH key and saving the configuration to a strategic location.
Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration.
2024-02-29 - Vendor Disclosure
2024-04-03 - Vendor Patch Release
2024-04-03 - Public Release
Discovered by Jared Rittle of Cisco Talos.