
Cloud Vulnerability DB
A community-led vulnerabilities database
A cleartext transmission of sensitive information vulnerability exists in the OAS Engine configuration communications functionality of Open Automation Software OAS Platform V16.00.0112. The vulnerability, identified as CVE-2022-26077, was discovered by Jared Rittle of Cisco Talos and publicly disclosed on May 25, 2022. The affected product, Open Automation Software OAS Platform version 16.00.0112, is designed to facilitate data transfer between various proprietary devices and applications (Talos Intelligence).
By default, all configuration communication with the OAS Platform is sent in cleartext over TCP/58727. When commands requiring OAS User account authentication are sent, or any request from a logged-in OAS Configuration Utility is made, the username and base64-encoded password hash are included in the message. The vulnerability has been assigned a CVSSv3 score of 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is classified under CWE-319 (Cleartext Transmission of Sensitive Information) (Talos Intelligence).
If an attacker is sniffing the network during transmission, they could extract username and password hash information and subsequently use it to successfully send additional configuration commands that require credentials. This exposure of sensitive authentication data could lead to unauthorized access to the system (Talos Intelligence, Threatpost).
To mitigate this vulnerability, it is recommended to ensure proper network segmentation is in place to minimize potential attacker access to the network on which the OAS Platform communicates. Additionally, organizations should use a dedicated user account to run the OAS Platform with the minimum necessary permissions. The vendor has worked with Cisco Talos to resolve these issues, and updates are available for affected customers (Talos Intelligence).
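One way to check that the recommended segmentation actually holds is to audit flow logs for clients reaching the cleartext OAS configuration port, TCP/58727, from outside the subnets allowed to manage the platform. The script below is an added example, not code from the advisory or the vendor; the flow-record layout, the sample records and the allowed engineering subnets are constructed assumptions.

```python
# Added example (not from the Wiz/Talos advisory): audit constructed flow-log lines
# for clients that reached the OAS configuration port, TCP/58727, from outside the
# subnets that the segmentation policy allows. Record layout and subnets are assumed.
import ipaddress
from typing import List, Tuple

OAS_CONFIG_PORT = 58727  # cleartext OAS configuration channel named in the advisory

# Assumed segmentation policy: only these engineering-workstation ranges may
# talk to the OAS configuration port.
ALLOWED_CLIENT_NETS = [
    ipaddress.ip_network("10.10.20.0/24"),
    ipaddress.ip_network("10.10.21.0/24"),
]

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2022-05-25T10:00:01Z 10.10.20.15 51122 10.10.30.5 58727 tcp
2022-05-25T10:00:07Z 10.10.21.8 49311 10.10.30.5 58727 tcp
2022-05-25T10:01:12Z 192.168.1.77 55010 10.10.30.5 58727 tcp
2022-05-25T10:01:30Z 10.10.20.15 51130 10.10.30.5 443 tcp
2022-05-25T10:02:03Z 172.16.5.9 60001 10.10.30.5 58727 udp
"""


def parse_flow(line: str):
    """Split one constructed flow record into typed fields."""
    ts, src, sport, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), proto


def unauthorized_oas_clients(flow_text: str) -> List[Tuple[str, str]]:
    """Return (timestamp, source_ip) for TCP flows to 58727 from outside the allowed nets.

    Only TCP is considered because the advisory describes the channel as TCP/58727;
    a UDP record to the same port is ignored rather than reported.
    """
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, _, _, dport, proto = parse_flow(line)
        if proto != "tcp" or dport != OAS_CONFIG_PORT:
            continue
        if not any(src in net for net in ALLOWED_CLIENT_NETS):
            findings.append((ts, str(src)))
    return findings


if __name__ == "__main__":
    for ts, src in unauthorized_oas_clients(SAMPLE_FLOWS):
        print(f"{ts} unexpected client {src} reached OAS config port {OAS_CONFIG_PORT}")
```

Any hit is a host that could observe or replay the cleartext credentials described above and is worth reconciling against the firewall rules between the OT and corporate segments.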
Source: This report was generated using AI