Cisco Finds Eight Vulnerabilities in OAS Industrial IoT Data Platform
Multiple vulnerabilities in the Open Automation Software (OAS) Platform can be exploited to bypass authentication, leak sensitive information, and overwrite files, Cisco warns.

Enabling communication and data transfer between servers, industrial control systems (ICS), IoT, and other types of devices, the OAS Platform is typically used in industrial operations and enterprise environments. It also supports logging, notifications, and cross-platform integrations.

On Wednesday, Cisco’s Talos security researchers disclosed eight vulnerabilities identified in the OAS Platform’s engine configuration management functionality, which allows users to load and save configurations to a disk and install them on other devices.

Three of the bugs are rated high-severity. The most important of these are CVE-2023-31242 and CVE-2023-34998, two authentication bypass flaws that can be exploited using specially crafted requests. The first can be triggered using a sequence of requests, while the second can be triggered by sniffing network traffic.