CVE-2022-26077

7.5 HIGH

📋 TL;DR

CVE-2022-26077 is a cleartext transmission vulnerability in Open Automation Software OAS Platform that exposes sensitive configuration data during network communications. Attackers can intercept unencrypted network traffic to steal credentials and configuration details. This affects all users of OAS Platform V16.00.0112 who haven't applied patches or implemented encryption.

💻 Affected Systems

Products:
  • Open Automation Software OAS Platform
Versions: V16.00.0112
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using the default configuration with cleartext configuration communications are vulnerable. The vulnerability specifically affects OAS Engine configuration communications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of OAS Platform with credential theft leading to industrial control system manipulation, data exfiltration, and potential physical damage in operational technology environments.

🟠 Likely Case

Credential harvesting and configuration data theft allowing attackers to gain unauthorized access to OAS systems and potentially pivot to connected industrial control systems.

🟢 If Mitigated

Minimal impact if network segmentation, encryption, and proper access controls prevent attackers from sniffing traffic or accessing sensitive systems.

🌐 Internet-Facing: HIGH - If OAS Platform is exposed to the internet, attackers can easily intercept unencrypted traffic without needing internal network access.
🏢 Internal Only: MEDIUM - Attackers still need network access, but once inside the network, sniffing cleartext communications is relatively easy.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to sniff traffic but no authentication. Attack tools for network sniffing are widely available and easy to use.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V16.00.0113 and later

Vendor Advisory: https://openautomationsoftware.com/security-advisories/

Restart Required: Yes

Instructions:

1. Download OAS Platform V16.00.0113 or later from official vendor site.
2. Backup current configuration.
3. Install the update following vendor documentation.
4. Restart OAS services.
5. Verify encryption is enabled for configuration communications.

🔧 Temporary Workarounds

Enable TLS Encryption

all

Configure OAS Platform to use TLS encryption for all configuration communications instead of cleartext

Configure TLS settings in OAS Configuration Utility under Security > Encryption

Network Segmentation

all

Isolate OAS Platform traffic to separate VLANs with strict access controls

🧯 If You Can't Patch

  • Implement network-level encryption using VPN tunnels or IPsec for all OAS communications
  • Deploy network monitoring and intrusion detection to alert on suspicious traffic patterns and sniffing attempts

🔍 How to Verify

Check if Vulnerable:

Check OAS Platform version in Configuration Utility or run 'oas_version' command. If version is V16.00.0112, check if configuration communications are using cleartext by examining network traffic with Wireshark.

Check Version:

oas_version (Linux) or check OAS Configuration Utility > About (Windows)

Verify Fix Applied:

Verify version is V16.00.0113 or later and confirm encrypted traffic using network analysis tools. Check that TLS is enabled in OAS configuration.

📡 Detection & Monitoring

Log Indicators:

  • Failed encryption handshake attempts
  • Unusual configuration access patterns
  • Multiple failed authentication attempts following network traffic capture

Network Indicators:

  • Cleartext OAS configuration protocol traffic (port 58727 by default)
  • ARP spoofing or network sniffing tools on OAS network segments
  • Unencrypted traffic containing credentials or configuration data

SIEM Query:

(source_port:58727 AND protocol:TCP AND NOT tls_handshake) OR (oas_config AND NOT encrypted)
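
The "NOT tls_handshake" condition above can be checked directly on the first payload bytes of each flow to the configuration port. This is an added example, not vendor or original-page code; the flow tuple layout, the sample flows and the addresses are constructed, and it assumes that an encrypted session opens with a TLS handshake record on port 58727.

```python
import struct

OAS_CONFIG_PORT = 58727  # default configuration port named on this page


def looks_like_tls_handshake(payload: bytes) -> bool:
    """True if a TCP stream's first bytes form a TLS handshake record header."""
    if len(payload) < 6:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (
        content_type == 0x16            # record type: handshake
        and major == 0x03               # record-layer version 3.x (SSL 3.0 / TLS 1.x)
        and minor <= 0x04
        and 0 < length <= 2 ** 14       # maximum plaintext record length
        and payload[5] in (0x01, 0x02)  # ClientHello or ServerHello
    )


def cleartext_flows(flows, port=OAS_CONFIG_PORT):
    """Return (src, dst) pairs whose first payload on `port` is not a TLS handshake.

    `flows` is an assumed export format: (src, dst, dst_port, first_payload_bytes).
    Flows that carried no payload are skipped because nothing can be concluded.
    """
    return [
        (src, dst)
        for src, dst, dst_port, first in flows
        if dst_port == port and first and not looks_like_tls_handshake(first)
    ]


# Constructed sample flows (documentation address range, made-up payloads).
SAMPLE_FLOWS = [
    # Starts with a TLS 1.x ClientHello record header: encrypted session.
    ("192.0.2.5", "192.0.2.20", 58727,
     bytes.fromhex("16030100c8010000c40303") + b"\x00" * 16),
    # Readable bytes straight away: cleartext configuration traffic.
    ("192.0.2.6", "192.0.2.20", 58727, b"\x00\x00\x00\x2aconstructed-config-request"),
    # Different port: out of scope for this check.
    ("192.0.2.7", "192.0.2.20", 443, b"GET / HTTP/1.1\r\n"),
    # Connection opened but no data captured: undetermined, skipped.
    ("192.0.2.8", "192.0.2.20", 58727, b""),
]

if __name__ == "__main__":
    for src, dst in cleartext_flows(SAMPLE_FLOWS):
        print(f"cleartext configuration traffic: {src} -> {dst}:{OAS_CONFIG_PORT}")
```

The header test is a heuristic: it confirms the session starts with TLS, not that the certificate or cipher configuration is sound.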
