CVE-2023-31242
Published 2023-09-05
Priority P2 · 68 · critical · 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS 3.36% (87.2th percentile)
An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open_automation_software | oas_platform | — | — |
| openautomationsoftware | oas_platform | — | — |
Detection & IOCs (extracted from sources)
Snort: SIDs 61991-61994, 62003 and 62004
- Monitor for unauthenticated or minimally authenticated Protobuf requests to TCP/58727 (the OAS Engine default configuration port), especially CommandNumber 0x13F (version probe) followed by privileged commands; this sequence indicates exploitation of the default no-admin-user bypass.
- Inspect OAS Engine responses for an `MtcExpirationString` value of 'Create an Admin User.'; this confirms the target is in the vulnerable default state (no admin user configured).
- Alert on cleartext OAS Engine configuration traffic on TCP/58727 containing a `U_EP` authentication structure; an attacker can capture and replay this structure to authenticate privileged requests without knowing any credentials.
- Alert on OAS Engine add-user requests (via TCP/58727) whose username field contains SSH public key material (unusually long strings with ssh-rsa/ecdsa/ed25519 prefixes); this is the technique used to smuggle an SSH key into the OAS configuration for a later file write.
- Use Snort SIDs 61991-61994, 62003 and 62004 from Snort.org rule sets to detect exploitation of these OAS Engine vulnerabilities.
- The authentication bypass (CVE-2023-31242) is only exploitable when the OAS Engine runs its default configuration with no admin application user set. If an admin user is created but the configuration is not saved before a restart, the engine reverts to the vulnerable state.
- A captured U_EP authentication token remains valid indefinitely until the associated user account is deleted; there is no session expiry mechanism.
- The OAS Engine handshake formula must be computed correctly for each request: ClientHandshake must be a randomly generated value ≤ 0x3FFFEC75, and Handshake is derived from fields of the prior server response.
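The four detection items above (a 0x13F version probe followed by a privileged command from a session that never authenticated, the `MtcExpirationString` state check, a cleartext `U_EP` structure on the wire, and SSH key material in an add-user username) can be combined into one session-aware check. The block below is an added example, not code from this page, from Talos or from Open Automation Software. It assumes an upstream decoder has already flattened each Protobuf message on TCP/58727 into a plain record; the record field names (`session`, `direction`, `command`, `command_name`, `authenticated`, `username`, `U_EP`, `MtcExpirationString`), the set of command names treated as privileged, every command number other than 0x13F, and the sample events are all constructions of this example, not the OAS wire format.

```python
"""Session-aware IOC check for decoded OAS Engine configuration traffic (TCP/58727).

Added example: not code from the CVE page, Talos or Open Automation Software.
Assumes an upstream decoder already flattened each Protobuf message into a dict;
the field names below are this example's convention, not the OAS wire format.
"""
import re

OAS_PORT = 58727
VERSION_PROBE = 0x13F                      # CommandNumber the page names as the version probe
ADMIN_MISSING = "Create an Admin User."    # MtcExpirationString seen when no admin user exists

# SSH public key material smuggled into a username: key-type prefix plus a long base64 blob.
SSH_KEY_RE = re.compile(r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/=]{40,}")

# Which commands count as "privileged" after a probe is a local policy choice (assumption).
PRIVILEGED = {"add_user", "save_config", "load_config"}


def classify(event):
    """Per-event IOC tags (empty list if nothing suspicious)."""
    tags = []
    if OAS_PORT not in (event.get("dst_port"), event.get("src_port")):
        return tags                        # not OAS Engine traffic
    if event.get("direction") == "response" and event.get("MtcExpirationString") == ADMIN_MISSING:
        tags.append("vulnerable_default_state")   # target has no admin user configured
    if event.get("direction") == "request":
        if event.get("U_EP") is not None:
            tags.append("cleartext_u_ep_token")   # replayable auth structure on the wire
        if SSH_KEY_RE.match(event.get("username") or ""):
            tags.append("ssh_key_in_username")
    return tags


def detect(events):
    """Walk events in capture order and return (index, session, tag) findings.

    Besides the per-event tags from classify(), this flags a session that sent the
    0x13F version probe and later issued a privileged command without presenting
    credentials: the default-configuration bypass sequence the page describes.
    """
    findings = []
    probed = set()
    for i, ev in enumerate(events):
        findings.extend((i, ev["session"], t) for t in classify(ev))
        if ev.get("direction") != "request" or ev.get("dst_port") != OAS_PORT:
            continue
        if ev.get("command") == VERSION_PROBE:
            probed.add(ev["session"])
        elif (ev.get("command_name") in PRIVILEGED
              and ev["session"] in probed
              and not ev.get("authenticated")):
            findings.append((i, ev["session"], "probe_then_privileged_unauth"))
    return findings


# Constructed sample capture. Command numbers other than 0x13F are placeholders.
SAMPLE_EVENTS = [
    # s1: legitimate operator, authenticated, saving the configuration
    {"session": "s1", "direction": "request", "dst_port": OAS_PORT,
     "command": 0x2A, "command_name": "save_config", "authenticated": True},
    # s2: attacker probes the version with no credentials...
    {"session": "s2", "direction": "request", "dst_port": OAS_PORT,
     "command": VERSION_PROBE, "command_name": "version_probe", "authenticated": False},
    # ...the engine replies that no admin user exists...
    {"session": "s2", "direction": "response", "src_port": OAS_PORT,
     "MtcExpirationString": ADMIN_MISSING},
    # ...then the attacker adds a "user" whose name is an SSH public key
    {"session": "s2", "direction": "request", "dst_port": OAS_PORT,
     "command": 0x2B, "command_name": "add_user", "authenticated": False,
     "username": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " attacker@host"},
    # s3: a replayed U_EP structure (placeholder bytes) authenticating a privileged request
    {"session": "s3", "direction": "request", "dst_port": OAS_PORT,
     "command": 0x2A, "command_name": "save_config", "authenticated": True,
     "U_EP": b"\x0a\x10placeholder"},
]

if __name__ == "__main__":
    for idx, sess, tag in detect(SAMPLE_EVENTS):
        print(f"event {idx} session {sess}: {tag}")
```

Run as a script it prints one line per finding. In practice `classify` and `detect` would be fed by a Protobuf decoder keyed on TCP/58727, and `PRIVILEGED` should be tuned to the commands an environment treats as configuration changes; the `U_EP` check fires on any request carrying the structure, because the page states a captured token stays valid until the account is deleted, so the presence of the structure in cleartext is the concern regardless of who sent it.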
No detection rules found.
No public exploits indexed.
Talos · OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges (blog, 2024-01-31, CVSS 8.1, HIGH)
Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine.
Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far as gaining access to the underlying system.
## Background
The OAS Platform facilitates the simplified transfer of data between various proprietary devices and applications. It can connect products from multiple vendors, connect a product to a custom application, and more. Configuration
Talos · Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication (blog, 2023-09-06, CVSS 8.1, HIGH)
Cisco Talos recently disclosed eight vulnerabilities in the engine configuration functionality in Open Automation's Software Platform.
OAS Platform is commonly found in industrial operations and enterprise environments. It allows various devices, including PLCs, servers, files, databases and internet-of-things platforms to communicate with one another and share data when they otherwise would be unable to because of their various protocols.
The vulnerabilities Talos disclosed on Sept. 5 all exist inside the OAS Platform's Engine configuration management functionality. Through the configuration tool, users can load or save a set of configurations to a disk and install it on other devices.
TALOS-2023-1775 (CVE-2023-35124), TALOS-2023-1776 (CVE-2023-34353) and TALOS-2023-1774 (CVE-2023-3227