Security Updates

The following information addresses known issues that have been reported.

In most, if not all cases, issues reported can be corrected by upgrading to the latest version of the OAS Platform. If you have any concerns or are experiencing an issue not listed below, contact our technical support team at support@oasiot.com.

The latest release of OAS contains several improvements that harden security and make communications even more efficient.
Read more about these improvements here.


Each entry below gives the CVE or Ref. Number, Description (with Recommendations), Versions Affected, and Status.
CVE or Ref. Number: CVE-2022-26082, CVE-2022-26303, CVE-2022-26043, CVE-2022-26077, CVE-2022-26026, CVE-2022-26067, CVE-2022-27169

Description: A vulnerability was reported in the OAS Engine API calls of Open Automation Software OAS Platform V16.00.0112.

Recommendations:
Upgrade your server to v17.
For prior versions, ensure the Default security Group is disabled and access to the OAS platform features is limited by assigning only necessary rights to additional security groups and users.

Versions Affected: Versions prior to v17
Status: Corrected in v17
CVE or Ref. Number: CVE-2022-26833

Description: A vulnerability was reported in the OAS Engine REST API calls of Open Automation Software OAS Platform V16.00.0112.

Recommendations:
Upgrade your server to v17.
For prior versions, ensure the Default security Group is disabled and access to the OAS platform features is limited by assigning only necessary rights to additional security groups and users.
This vulnerability only exists when security is not enabled on the OAS server. As always, with Web HMI and REST API implementations, always enable SSL on unsecured networks.

Versions Affected: Versions prior to v17
Status: Corrected in v17

CVE or Ref. Number: CVE-2023-31242, CVE-2023-34998, CVE-2023-34353

Description: Network-based authentication vulnerabilities identified.

Recommendations:
Issue resolved in v19.00.0000. Authentication calls and packets have been further secured. Upgrade to v19 or later.

Versions Affected: v18.00.0072
Status: Corrected in v19
CVE or Ref. Number: CVE-2023-32615, CVE-2023-34994

Description: OAS service is granted file system access with elevated permissions.

Recommendations:
Issue resolved in v19.00.0000. OAS access to the file system is now limited to installation directories. Upgrade to v19 or later.

Versions Affected: v18.00.0072
Status: Corrected in v19
CVE or Ref. Number: CVE-2023-34317, CVE-2023-32271, CVE-2023-35124

Description: Additional validation required on network update calls for configuration data.

Recommendations:
Issue resolved in v19.00.0000. Configuration calls and packets have been further secured. Upgrade to v19 or later.

Versions Affected: v18.00.0072
Status: Corrected in v19
CVE or Ref. Number: CVE-2024-24976

Description: Improper Handling of Length Parameter Inconsistency.

Recommendations:
OAS version 19.00.0064 has been updated to correct the file data source path assignment by removing the File Data Source Path and File Name properties. The location and file name are now fixed.

Versions Affected: v19.00.0057
Status: Corrected in v19.00.0064
CVE or Ref. Number: CVE-2024-21870, CVE-2024-22178

Description: External Control of File Name or Path.

Recommendations:
In OAS Version 19.00.0064 the Options properties to specify the File Data Source Path and File Name have been removed.

The path for the File Data Source is now fixed to the directory C:\ProgramData\OpenAutomationSoftware\, subdirectory ConfigFiles\FileDataSource for Windows, and ConfigFiles/FileDataSource for Linux.
The File Data Source File Name is now fixed to OASTagValues.

The save security call has been removed, and there is no longer a need to specify the location or file name of the security file. Users can no longer specify the file name or location of the security file.

Upgrade to v19.00.0064 or later.

Versions Affected: v19.00.0057
Status: Corrected in v19.00.0064
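The two fixes above (CVE-2024-24976 and CVE-2024-21870/22178) both remove a caller-supplied path or file name and replace it with a fixed location. The example below is added here to illustrate the underlying control; it is not OAS code. It shows the corrected pattern (location and name are constants) next to the containment check a service must apply whenever it still accepts a path fragment from a remote caller. The base directory is a constructed Linux-style path that mirrors the ConfigFiles/FileDataSource layout described in the advisory; the Windows layout would use C:\ProgramData\OpenAutomationSoftware\ instead.

```python
from pathlib import Path

# Constructed example base directory (assumption: Linux layout mirroring the
# advisory's ConfigFiles/FileDataSource subdirectory). Not an OAS constant.
BASE_DIR = Path("/var/tmp/oas-example/ConfigFiles/FileDataSource")
FIXED_FILE_NAME = "OASTagValues"  # the fixed name the advisory states


def fixed_data_file(base_dir: Path = BASE_DIR, file_name: str = FIXED_FILE_NAME) -> Path:
    """Corrected pattern: the service decides both directory and file name.

    Nothing from the caller participates, so no traversal or absolute-path
    substitution is possible.
    """
    return base_dir / file_name


def is_plain_file_name(name: str) -> bool:
    """Accept only a bare file name: no separators, no '.'/'..', not empty.

    Use this for a parameter that is documented as a *file name*; a file
    name should never be able to move the write out of its directory.
    """
    if not name or name in (".", ".."):
        return False
    return "/" not in name and "\\" not in name and "\0" not in name


def is_contained(base_dir: Path, candidate: str) -> bool:
    """Return True only if base_dir/candidate resolves to a path inside base_dir.

    Both sides are resolved (symlinks and '..' collapsed) before comparing, so
    '../../etc/passwd' and an absolute '/etc/passwd' are rejected. pathlib
    joins an absolute right-hand operand by discarding the left one, which is
    exactly the substitution this check has to catch.
    """
    base = base_dir.resolve()
    target = (base / candidate).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("fixed file:", fixed_data_file())
    for cand in ("OASTagValues", "../../../etc/passwd", "/etc/passwd", "sub/OASTagValues"):
        print(f"{cand!r}: plain name={is_plain_file_name(cand)} contained={is_contained(BASE_DIR, cand)}")
```

On Windows, pathlib treats both `\` and `/` as separators, so `is_contained` behaves the same there; on Linux a backslash is an ordinary file-name character, which is why `is_plain_file_name` rejects it explicitly rather than relying on the platform's separator rules.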
CVE or Ref. Number: CVE-2024-27201

Description: Improper Input Validation.

Recommendations:
OAS version 20.00.0009 has been updated to restrict the user properties Security Group Name, Field1, Field2, Field3, and Field4 to only allow the use of letters, numbers, spaces, and the characters ! # $ % & ‘ ( and ), . Upgrade to v20.00.0009 or later.

Versions Affected: v19.00.0057
Status: Corrected in v20.00.0009
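The fix for CVE-2024-27201 is an allowlist on five user properties. The validator below is an added example of that control, not OAS code. It reads the advisory's punctuation list as ! # $ % & ' ( ) , and . (the page's wording is ambiguous about the trailing comma and period, so treat that as an assumption and adjust the set to your own policy), and restricts letters and digits to ASCII, which is a second assumption. The property names are constructed keys for the example.

```python
import re

# Assumption: allowed set is ASCII letters, digits, space and the punctuation
# ! # $ % & ' ( ) , .  -- my reading of the advisory's list, not an OAS constant.
ALLOWED_PATTERN = re.compile(r"^[A-Za-z0-9 !#$%&'(),.]*$")

# Constructed property keys standing in for Security Group Name, Field1..Field4.
USER_PROPERTIES = ("SecurityGroupName", "Field1", "Field2", "Field3", "Field4")


def disallowed_characters(value: str) -> list[str]:
    """Return the sorted, de-duplicated characters of value that fail the allowlist."""
    return sorted({c for c in value if not ALLOWED_PATTERN.fullmatch(c)})


def validate_user_properties(props: dict) -> dict:
    """Validate every restricted property and return {name: reason} for rejections.

    An empty dict means the record is acceptable. Missing properties are treated
    as empty strings (allowed); non-string values are rejected outright so a
    nested object or list cannot slip past a character-level check.
    """
    problems = {}
    for name in USER_PROPERTIES:
        value = props.get(name, "")
        if not isinstance(value, str):
            problems[name] = "not a string"
        elif not ALLOWED_PATTERN.fullmatch(value):
            problems[name] = f"disallowed characters: {disallowed_characters(value)!r}"
    return problems


if __name__ == "__main__":
    # Constructed sample records: one clean, one carrying markup and a path.
    good = {"SecurityGroupName": "Operators (Plant 1)", "Field1": "Shift A, Line 2."}
    bad = {"SecurityGroupName": "Operators", "Field1": "<script>", "Field2": "..\\share", "Field3": 5}
    print("good:", validate_user_properties(good))
    print("bad:", validate_user_properties(bad))
```

Rejecting the whole record rather than silently stripping characters keeps the audit trail honest: the caller learns exactly which property failed and why, and a stripped value can never be interpreted differently by a downstream consumer than by the validator.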
CVE or Ref. Number: CVE-2024-11220

Description: Low-level user access through automated report execution.

Recommendations:
OAS version 20.00.0076 has been updated to prevent report scripting. OAS version 20.00.0072 has been updated to now allow remote configuration of automated report settings.

To prevent the vulnerability on prior versions:
Do not share the OAS administrator authentication with unknown third parties, to prevent the file path from being set remotely.
Do not download and install files from unknown users to the local system.

Versions Affected: V20.00.0075
Status: Corrected in v20.00.0076