CVE-2023-34353: 
Open Automation Software vulnerability analysis and mitigation

An authentication bypass vulnerability (CVE-2023-34353) was discovered in the OAS Engine authentication functionality of Open Automation Software OAS Platform version 18.00.0072. The vulnerability was disclosed on September 5, 2023, after being initially reported to the vendor on June 22, 2023. The affected software, OAS Platform, is designed to facilitate communication between various proprietary devices and applications in industrial operations and enterprise environments (Talos Report, SecurityWeek).

The vulnerability exists in the authentication mechanism where credentials are wrapped in a UEP protobuf and included as a field inside requests. The authentication system uses AES-CBC encryption with a predictable key derivation process. The key is generated using a modified seed value from the UEP structure concatenated with a subset of a base key. The vulnerability received a CVSS v3.1 Base Score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. It is classified under CWE-330 (Use of Insufficiently Random Values) (Talos Report).

The vulnerability allows attackers to decrypt sensitive information through network traffic sniffing. This could potentially expose administrator credentials and other confidential data transmitted between the OAS Engine and connected systems (Talos Report).

The vendor has released version 19 of the OAS Platform to address this vulnerability. As a workaround, organizations should restrict access to the OAS Engine configuration server and its traffic to only those hosts specifically authorized for configuration purposes (Talos Report).