Cisco detects serious vulnerabilities in OAS

Cisco detects serious vulnerabilities that can be exploited in cyberattacks

Guillermo Proupín


Don’t worry if you don’t know what OAS is. Or if you do. OAS (Open Automation Software) is a platform widely used in industrial operations and large-scale business environments, so it’s not necessarily going to affect you directly. Unless you’re Elon Musk, of course. Because the platform offers cross-platform access and integration capabilities, a vulnerability in this system can be catastrophic on several levels, and that is exactly what Cisco has detected.

A few days ago, researchers from Talos (a cybersecurity company that is a subsidiary of Cisco) disclosed a total of eight vulnerabilities found in the OAS engine management system, which allows users to save configurations to disk and install them on other devices. Three of these vulnerabilities have been rated as highly severe.

A great danger for the platform

The most important vulnerabilities found are CVE-2023-31242 and CVE-2023-34998, two authentication flaws that can be exploited relatively easily through requests crafted specifically for that purpose. An attacker could send a request to check whether unauthenticated access is possible and then create new users, change configurations, and potentially gain access to the entire system.

Another major vulnerability would allow an attacker to get hold of administrator credentials and use them for their own purposes. The attacker could thus gain direct access to profile creation and, likewise, access to the entire system.

Cisco has also warned of another vulnerability that allows the system to be taken over, this time through a validation bug in the user creation functionality.

Fortunately, all these vulnerabilities were found by Cisco and not by an attacker, so the security flaws are being fixed quickly and will have been fully corrected by version 19,000,000.

Guillermo Proupín


Content creator and writer at IGN. Sometimes I say interesting things, other times I take an interest in things. Don't worry, I'll tell you about them later.
