Eight new vulnerabilities were recently discovered in the Open Automation Software (OAS) platform which, if leveraged, could have triggered another supply chain security disaster.
According to Talos, Cisco’s cybersecurity arm, the flaws include two high-severity vulnerabilities – CVE-2022-26833 (severity score 9.4) and CVE-2022-26082 (severity score 9.1) – which could enable threat actors to change the configuration of the platform to create new security groups and run arbitrary code.
Various other vulnerabilities discovered in the platform could also have been abused to send network requests, retrieve directory listings, steal passwords and launch denial of service attacks.
Vulnerabilities addressed
According to The Register, Cisco worked with OAS to address the vulnerabilities and issue patches.
Speaking to the publication, VP of solutions architecture for Cerberus Sentinel, Chris Clements, described the flaws as “among the scariest cybersecurity threats today,” mostly due to the fact that many major industrial enterprises use OAS.
Among its users are Volvo, General Dynamics and AES, which use it to facilitate the transfer of data within their IT environments. OAS is described as essential to these organizations’ Industrial Internet of Things (IIoT) efforts.
“An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities, but an attack can also be something that may not be immediately obvious,” Clements commented.
He likened the flaws to Stuxnet, a worm more than a decade old that inflicted serious damage on the Iranian nuclear program. The worm was used to break certain components in nuclear facilities which, despite malfunctioning, reported back as operating normally.
What’s more, the affected systems are so pivotal to these organizations that many postpone taking them offline for patching for years.
“In some instances, air gaps can be a double-edged sword,” Clements said. “Malicious USB devices have been leveraged several times to spread malware onto air-gapped networks, and unless special considerations have been made to perform security patching on the isolated network, the malicious code often finds itself in an environment that’s ripe for exploitation.”