CVE-2023-31242
published 2023-09-05

Priority: P2 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.36% (87.2th percentile)
An authentication bypass vulnerability exists in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. A specially-crafted series of network requests can lead to arbitrary authentication. An attacker can send a sequence of requests to trigger this vulnerability.

Affected (2 ranges)

Vendor: open_automation_software · Product: oas_platform · Version range and fixed-in version: not listed on this page
Vendor: openautomationsoftware · Product: oas_platform · Version range and fixed-in version: not listed on this page

Detection & IOCs (extracted from sources)

Port: TCP/58727
Command: CommandNumber=0x13F (Version/Runtime/License check probe)
Snort: SIDs 61991 - 61994, 62003, and 62004
  • Monitor for unauthenticated or minimally authenticated Protobuf requests to TCP/58727 (the OAS Engine default configuration port), especially CommandNumber 0x13F (version probe) followed by privileged commands; this sequence indicates exploitation of the default no-admin-user bypass.
  • Detect exploitation attempts by inspecting OAS Engine traffic for a `MtcExpirationString` response value of 'Create an Admin User.'; this confirms the target is in the vulnerable default state (no admin user configured).
  • Alert on cleartext OAS Engine configuration traffic on TCP/58727 containing a `U_EP` authentication structure; an attacker who captures this structure can replay it to authenticate privileged requests without knowing credentials.
  • Alert on OAS Engine add-user requests (via TCP/58727) where the username field contains SSH public key material (unusually long strings with ssh-rsa/ecdsa/ed25519 prefixes); this is the technique used to smuggle an SSH key into the OAS configuration for a later file write.
  • Use Snort SIDs 61991-61994, 62003, and 62004 from the Snort.org rule sets to detect exploitation of these OAS Engine vulnerabilities.
  • The authentication bypass (CVE-2023-31242) is only exploitable when the OAS Engine is running its default configuration with no admin application user set. If an admin user is created but the configuration is not saved before a restart, the engine reverts to the vulnerable state.
  • A captured `U_EP` authentication token remains valid indefinitely until the associated user account is deleted; there is no session expiry mechanism.
  • The OAS Engine handshake formula must be correctly computed for each request: ClientHandshake must be a randomly generated value ≤ 0x3FFFEC75, and Handshake is derived from fields of the prior server response.