Eight vulnerabilities have been found in the Open Automation Software Platform that could allow an attacker to carry out a variety of malicious actions.
The platform, from the company of the same name, connects industrial devices, servers, files, databases and “internet of things” devices to provide supervisory control and data acquisition systems or industrial automation solutions. The platform is used by large companies in defense, aerospace, healthcare, water, energy and vehicle manufacturing, with notable users including Michelin, JBT AeroTech, Volvo Mack, Intel Corp. and the U.S. Navy.
As detailed Wednesday by Jared Rittle at the threat intelligence group Cisco Talos, the eight vulnerabilities open the door to a wide range of possible attacks. The most serious of the vulnerabilities, tracked as CVE-2022-26082, would allow an attacker to gain the ability to execute arbitrary code on the targeted machine. Another vulnerability, CVE-2022-26833, could lead to the unauthenticated use of the REST API.
Two of the vulnerabilities, CVE-2022-27169 and CVE-2022-26067, could allow an attacker to obtain a directory listing at any location the underlying user is permitted to access by sending a specific network request. CVE-2022-26077 works similarly but provides the attacker with a list of usernames and passwords for the platform that could be used in future attacks.
The remaining vulnerabilities include CVE-2022-26026, which can be triggered by a crafted network request and leads to a denial of service and loss of communications. The last two vulnerabilities could allow an attacker to make external configuration changes and create new user accounts.
Cisco Talos worked with Open Automation Software to address the issues, and a patch has been released that users should install if they haven’t already. It’s also noted that affected users could mitigate the issues by ensuring proper network segmentation is in place.
That this software is used by large organizations in critical industries, let alone the U.S. Navy, is naturally concerning because it opens the door not only to casual hackers but also to nation-state-sponsored actors who may have far more malicious intent.
“Vulnerabilities that can affect industrial control devices are among the scariest cybersecurity threats today,” Chris Clements, vice president of solutions architecture at IT service management company Cerberus Cyber Sentinel Corp., told SiliconANGLE today. “In many cases industrial control devices are responsible for the operation of highly sensitive processes involved in utilities and manufacturing.”
An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities, but an attack can also be something that may not be immediately obvious, Clements explained. “The infamous Stuxnet worm was a case study on these risks as it didn’t immediately break the industrial control devices it targeted but altered their function in such a way to cause critical industrial components to eventually catastrophically fail, all while falsely reporting back to monitoring systems that everything was operating normally,” he said.
Clements warned that though a patch for the vulnerabilities is available, it’s not always easy to apply. “Due to their nature, taking these systems offline to apply security patches can be immensely disruptive and this can mean that the application of patches that protect the devices can be delayed months or years,” he added.