CVE-2022-26833
📋 TL;DR
CVE-2022-26833 is an improper authentication vulnerability in the REST API of the Open Automation Software (OAS) Platform that lets an unauthenticated attacker use the API. It affects OAS Platform V16.00.0121 installations with the REST API enabled. An attacker who can reach the API sends a series of specially crafted HTTP requests to bypass authentication and can then read and change the data the API exposes, which on a live deployment means the industrial automation systems OAS is connected to.
💻 Affected Systems
- Open Automation Software OAS Platform V16.00.0121 (REST API enabled)
📦 What is this software?
OAS Platform by Open Automation Software
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to operational disruption, data theft, or physical damage to industrial processes.
Likely Case
Unauthorized access to sensitive industrial data, manipulation of automation processes, or installation of malware on industrial networks.
If Mitigated
Limited impact if network segmentation, or an independent authentication layer placed in front of the API, keeps untrusted hosts from reaching it. The API's own authentication cannot be relied on while the system is unpatched, since that is the control being bypassed.
🎯 Exploit Status
Exploitation requires sending a series of HTTP requests to the REST API endpoint. Public technical details exist in the Talos Intelligence report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V16.00.0122 and later
Vendor Advisory: https://openautomationsoftware.com/security-advisories/
Restart Required: Yes
Instructions:
1. Download the latest OAS Platform version from the vendor website.
2. Back up the current configuration.
3. Install the update following the vendor instructions.
4. Restart the OAS services.
5. Verify that REST API authentication is functioning (see How to Verify below).
🔧 Temporary Workarounds
Disable REST API
Temporarily disable REST API functionality if it is not required for operations.
Navigate to OAS Configuration > Services > Disable REST API
Network Access Control
Restrict network access to the OAS REST API with host firewall rules. Replace 58727 with the port your REST API is actually bound to (confirm it in the OAS configuration rather than assuming a default), and prefer an allowlist of the hosts that legitimately call the API over a blanket block.
Windows: a block rule takes precedence over allow rules, so the plain block below cuts off every client. To keep trusted clients, remove any broad allow rule for the port and add one allow rule scoped with remoteip=, relying on the default inbound block policy.
Windows (block all): netsh advfirewall firewall add rule name="Block OAS REST" dir=in action=block protocol=TCP localport=58727
Windows (allow trusted only): netsh advfirewall firewall add rule name="Allow OAS REST trusted" dir=in action=allow protocol=TCP localport=58727 remoteip=10.10.1.5,10.10.1.6
Linux: insert the rule at the top of the chain with -I so an earlier ACCEPT rule does not match first, and exempt the trusted network: iptables -I INPUT -p tcp --dport 58727 ! -s 10.10.1.0/24 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the OAS Platform from untrusted networks; the REST API should never be reachable from outside the control network.
- Put the REST API behind a reverse proxy or WAF that enforces its own authentication (for example mutual TLS or a source-address allowlist). Signature rules alone are a weak defence here, because the bypass consists of otherwise ordinary-looking HTTP requests.
🔍 How to Verify
Check if Vulnerable:
Check the OAS Platform version via the Configuration interface or the installed software version. V16.00.0121 is the version Talos tested; treat any release before V16.00.0122 as vulnerable unless the vendor advisory says otherwise. Also check whether the REST API is enabled; if it is disabled the vulnerable code path is not reachable.
Check Version:
Windows: Check Programs and Features for the OAS Platform version. Linux: Check the version shown by the OAS Configuration interface or recorded in the installation directory (the vendor documentation gives the exact location).
Verify Fix Applied:
After patching, with the REST API enabled, send a request to an API endpoint without any credentials. The response should be an authentication error (401 or 403), not data. Also verify that the version shows V16.00.0122 or later.
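The unauthenticated probe described above, written out as an added example (it is not the advisory's or the vendor's tooling). The endpoint path, base URL and port are assumptions to be replaced with values from your own OAS configuration; a fixed server is assumed to answer an unauthenticated request with 401 or 403. The mock server at the bottom is a constructed stand-in so the probe can be exercised offline against both a "patched" and an "unpatched" behaviour.

```python
"""Probe an OAS REST API endpoint with no credentials and classify the reply.

Added example for the verification step; not the advisory's or vendor's code.
Assumptions (not taken from the page): API_PATH is a placeholder, the real
base URL/port come from your OAS configuration, and a fixed server answers an
unauthenticated request with 401 or 403. The mock server is a constructed
stand-in so the probe runs offline.
"""
import json
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_PATH = "/OASREST/v2/tags"  # assumption: substitute an endpoint from your deployment


def probe_unauthenticated(base_url, path=API_PATH, timeout=5):
    """GET `path` with no Authorization header; return (verdict, http_status).

    'rejected'     -> server demanded credentials (expected after the patch)
    'accepted'     -> data came back without credentials: still exposed
    'inconclusive' -> some other status; inspect manually
    'unreachable'  -> no HTTP answer at all (wrong host/port, firewall, API off)
    """
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # 4xx/5xx arrive here, not as a return value
        status = err.code
    except urllib.error.URLError:
        return "unreachable", None
    if status in (401, 403):
        return "rejected", status
    if 200 <= status < 300:
        return "accepted", status
    return "inconclusive", status


def _handler_class(require_auth):
    """Constructed mock of an OAS-like API: patched (require_auth=True) or not."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and not self.headers.get("Authorization"):
                self.send_response(401)
                self.send_header("WWW-Authenticate", "Bearer")
                self.end_headers()
                return
            body = json.dumps({"tags": []}).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_mock_server(require_auth):
    """Start a throwaway HTTP server on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _handler_class(require_auth))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    # Usage: python probe.py http://oas-host:PORT   (no URL -> run against the mocks)
    if len(sys.argv) > 1:
        print(probe_unauthenticated(sys.argv[1]))
    else:
        for patched in (True, False):
            srv, url = start_mock_server(require_auth=patched)
            print("patched=%s -> %s" % (patched, probe_unauthenticated(url)))
            srv.shutdown()
```

Run it with the real base URL as the only argument; "rejected" is the only verdict that confirms the fix, and "accepted" means the API is still handing out data to anonymous callers regardless of what version string is reported.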
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful API access
- REST API access from unexpected IP addresses
- Unusual HTTP request patterns to /api endpoints
Network Indicators:
- HTTP requests to the port your OAS REST API is bound to (confirm it in the OAS configuration) that carry no authentication headers yet receive 2xx responses
- Unusual traffic patterns to industrial control system endpoints
SIEM Query (field names are illustrative; map them onto your log schema, and note the parentheses, since without them the AND/OR precedence silently changes the query):
source="oas.logs" AND ((event_type="api_access" AND auth_status="success" AND user="anonymous") OR (http_request LIKE "%api%" AND NOT http_headers LIKE "%Authorization%"))