Talos Vulnerability Report

TALOS-2023-1776

Open Automation Software OAS Platform OAS Engine authentication bypass vulnerability

September 5, 2023

CVE Number

CVE-2023-34353

SUMMARY

An authentication bypass vulnerability exists in the OAS Engine authentication functionality of Open Automation Software OAS Platform v18.00.0072. Sniffed network traffic can be decrypted, exposing sensitive information. An attacker can sniff network traffic to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Open Automation Software OAS Platform v18.00.0072

PRODUCT URLS

OAS Platform - https://openautomationsoftware.com/knowledge-base/getting-started-with-oas/

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-330 - Use of Insufficiently Random Values

DETAILS

The OAS Platform, capable of running on a variety of systems including Windows, Linux, and Docker, was built to facilitate simplified communication between various proprietary devices and applications that might otherwise be incompatible. This is done through use of the “Universal Data Connector”. In the “Connectivity Layer” OAS acts as an “IoT Gateway and protocol bus,” allowing for native communication with devices, databases, and cloud services. Connectors implemented in the “Connectivity Layer” can then communicate with each other via the OAS Live Data Cloud, representing the “Aggregation Layer”. This information can then be stored, analyzed, and visualized through the data historian, alarm logging/notification, and visualization tools that make up the “Application Layer”. OAS additionally exposes a few sets of developer tools, allowing for programmatic access to the platform.

Many of the valid OAS Engine requests require application administrator credentials to run successfully. These credentials are wrapped in a U_EP protobuf, which is then included as a field inside the larger request. The format of this structure resembles the following, where the DataAsBytes field contains the encrypted and serialized data of a valid User_EncryptedPassword protobuf.

message U_EP {
  int32 Version = 1;
  int32 Seed = 2;
  bytes DataAsBytes = 3;
}

The serialized User_EncryptedPassword structure is encrypted using AES in CBC mode. The key is a 32-byte value built from the Seed entry of the U_EP structure: the seed is modified, converted to a string, and then padded to 32 bytes with a subset of a base key. Because the seed travels in the same message as the ciphertext, the original key can be obtained using the procedure outlined below:

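# uep is the parsed U_EP message taken from the request
basekey = 'eh84hsa8jkla2othiqugua4q398rsuq4'
# the modified seed, as a decimal string, forms the start of the key
key = str(uep.Seed - 3274)
# pad to 32 bytes with the leading characters of the base key
if len(key) < 32:
    key += basekey[0:32-len(key)]
key = bytes(key, 'utf-8')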

This key can then be used in conjunction with a null initialization vector to decrypt the serialized User_EncryptedPassword data. Once deserialized, the resulting data resembles the following:

message User_EncryptedPassword {
  string Username = 1;
  string EncyprtedPassword = 2;
}
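To make the CWE-330 classification concrete, the following added example (not code from Talos or the vendor) splits a derived key into its seed-dependent and constant bytes and bounds how much of the key is unknown to an observer. The function names `key_profile` and `keyspace_bits`, the sample seeds, and the "seed hidden" case are assumptions made for illustration; negative values follow the behaviour of the Python snippet above.

```python
import math

# Constants as given in the advisory's key-derivation snippet.
BASEKEY = "eh84hsa8jkla2othiqugua4q398rsuq4"
SEED_OFFSET = 3274
AES256_KEY_LEN = 32


def derive_key(seed: int) -> bytes:
    """Key derivation as described in the advisory."""
    key = str(seed - SEED_OFFSET)
    if len(key) < AES256_KEY_LEN:
        key += BASEKEY[: AES256_KEY_LEN - len(key)]
    return key.encode("utf-8")


def key_profile(seed: int) -> dict:
    """Split a derived key into its seed-dependent prefix and constant suffix."""
    key = derive_key(seed)
    prefix_len = min(len(str(seed - SEED_OFFSET)), len(key))
    return {
        "key_len": len(key),
        "seed_dependent": key[:prefix_len],  # decimal digits (and sign) only
        "constant": key[prefix_len:],        # identical for every message
    }


def keyspace_bits(seed_on_wire: bool, seed_bits: int = 32) -> float:
    """Upper bound on an observer's uncertainty about the key, in bits.

    seed_on_wire=True models the advisory's case: Seed travels in U_EP,
    so a single candidate key remains. seed_on_wire=False is a hypothetical
    in which the int32 Seed is hidden; the bound is still only 32 bits.
    """
    candidates = 1 if seed_on_wire else 2 ** seed_bits
    return math.log2(candidates)


if __name__ == "__main__":
    for seed in (1000, 3274, 123456789):  # constructed sample seeds
        p = key_profile(seed)
        print(seed, p["key_len"], p["seed_dependent"], p["constant"])
    print("unknown bits, seed on wire:", keyspace_bits(True))
    print("unknown bits, seed hidden :", keyspace_bits(False), "of a nominal 256")
```
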

Mitigation

Access to the OAS Engine configuration server and its traffic should be restricted exclusively to those hosts authorized for configuration.

VENDOR RESPONSE

The fixed version v19 can be downloaded from: https://openautomationsoftware.com/downloads/releases/

TIMELINE

2023-06-22 - Vendor Disclosure
2023-09-02 - Vendor Patch Release
2023-09-05 - Public Release

Credit

Discovered by a member of Cisco Talos.