CVE-2022-26067: 
Open Automation Software vulnerability analysis and mitigation

An information disclosure vulnerability exists in the OAS Engine SecureTransferFiles functionality of Open Automation Software (OAS) Platform V16.00.0112. The vulnerability, identified as CVE-2022-26067, was discovered by Jared Rittle of Cisco Talos and publicly disclosed on May 25, 2022. The vulnerability allows an attacker to perform arbitrary file reads through a specially-crafted series of network requests (Talos Report).

The vulnerability has a CVSSv3 score of 4.9 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) and is classified under CWE-306 (Missing Authentication for Critical Function). The vulnerability exists in the SecureTransferFiles functionality, which operates on TCP port 58727 by default. Exploitation requires the existence of a Security Group with File Transfer permissions and a User Account in that group within the OAS Platform. The credentials can either be sniffed from the network if they exist or need to be created before exploitation is possible (Talos Report).

If successfully exploited, this vulnerability allows an attacker to read arbitrary files at any location permissible by the underlying user running the OAS-engine service. The platform typically runs under the 'oasuser' account with normal user permissions, potentially exposing sensitive system files to unauthorized access (Talos Report, Threatpost).

The primary mitigation strategy is to prevent access to the configuration port (TCP/58727 by default) when not actively configuring the OAS Platform. Additionally, it is recommended to use a dedicated user account with minimal necessary permissions to run the OAS Platform. Users are encouraged to update to versions newer than V16.00.0112. Proper network segmentation should be implemented to ensure adversaries have the lowest possible level of access to the network on which the OAS Platform communicates (Talos Report).