CVE-2023-32615: 
Open Automation Software vulnerability analysis and mitigation

A file write vulnerability (CVE-2023-32615) exists in the OAS Engine configuration functionality of Open Automation Software OAS Platform v18.00.0072. The vulnerability was discovered by Cisco Talos and publicly disclosed on September 5, 2023. The affected software, OAS Platform, is designed to facilitate communication between various proprietary devices and applications through its Universal Data Connector (Talos Report).

The vulnerability exists in the OAS configuration tool's feature that saves running configurations to disk on the OAS engine server. When saving information, users can specify both path and filename, restricted only by the underlying OAS user system account permissions. The vulnerability can be exploited through a String protobuf as part of an authenticated request to specify the filename. The CVSS v3.1 score is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (Talos Report).

If exploited, this vulnerability allows an attacker to create or overwrite arbitrary files within the permissions scope of the OAS user system account. When combined with authentication bypass vulnerabilities and user creation functionality, it can lead to gaining access to the underlying system by overwriting the OAS user's authorized_keys file with an attacker-controlled SSH key (Talos Blog).

The vendor has released version 19 of the OAS Platform which patches this vulnerability. As additional mitigation measures, access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration. It is also recommended to restrict read/write access for the OAS user to only locations that can safely be exposed to anyone on the network (Talos Report).