Numerous vulnerabilities have been found in the Open Automation Software Platform that could allow an attacker to carry out a variety of malicious actions.
The platform connects industrial devices, servers, files, databases, and IoT devices to provide supervisory control and data acquisition (SCADA) systems or industrial automation solutions. It is used by large companies in the defense, aerospace, healthcare, water, energy, and vehicle manufacturing sectors.
The eight vulnerabilities open the door to a wide range of possible attacks. The most serious of them, CVE-2022-26082, would allow an attacker to execute arbitrary code on the targeted machine. Another, CVE-2022-26833, could allow unauthenticated use of the REST API.
Two of the vulnerabilities, CVE-2022-27169 and CVE-2022-26067, could allow an attacker to obtain a directory listing of any location the underlying user is permitted to access by sending a specific network request. CVE-2022-26077 works similarly but provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks.
The remaining vulnerabilities include CVE-2022-26026, which can be triggered by a crafted network request and leads to a denial of service and loss of communications. The last two vulnerabilities could allow an attacker to make external configuration changes and create new user accounts.
The platform owners have released a patch to address the vulnerabilities, which users should install if they haven’t already. It’s also noted that affected users can mitigate the issues by ensuring proper network segmentation is in place.
Since this software is used by large organizations in critical industries, it not only opens the door to casual hackers but also to nation-state-sponsored actors who may have far more malicious intent.