CVE-2023-34317
Published: 2023-09-05
Priority: P3 · 38 · medium · 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.76% (50.6th percentile)
An improper input validation vulnerability exists in the OAS Engine User Creation functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to unexpected data in the configuration. An attacker can send a sequence of requests to trigger this vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open_automation_software | oas_platform | — | — |
| openautomationsoftware | oas_platform | — | — |
No detection rules found.
No public exploits indexed.
Talos
OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges
blogs_talos·2024-01-31·CVSS 8.1
[HIGH] OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges
Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine.
Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far as gaining access to the underlying system.
# Background
The OAS Platform facilitates the simplified transfer of data between various proprietary devices and applications. It can connect products from multiple vendors, connect a product to a custom application, and more. Configuration
Talos
Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
blogs_talos·2023-09-06·CVSS 8.1
[HIGH] Eight vulnerabilities in Open Automation Software Platform could lead to information disclosure, improper authentication
Cisco Talos recently disclosed eight vulnerabilities in the engine configuration functionality in Open Automation’s Software Platform.
OAS Platform is commonly found in industrial operations and enterprise environments. It allows various devices, including PLCs, servers, files, databases and internet-of-things platforms to communicate with one another and share data when they otherwise would be unable to because of their various protocols.
The vulnerabilities Talos disclosed on Sept. 5 all exist inside the OAS Platform’s Engine configuration management functionality. Through the configuration tool, users can load or save a set of configurations to a disk and install it on other devices.
TALOS-2023-1775 (CVE-2023-35124), TALOS-2023-1776 (CVE-2023-34353) and TALOS-2023-1774 (CVE-2023-3227