CVE-2023-34998: 
Open Automation Software vulnerability analysis and mitigation

An authentication bypass vulnerability (CVE-2023-34998) was discovered in the OAS Engine functionality of Open Automation Software OAS Platform v18.00.0072. The vulnerability was disclosed on September 5, 2023, by Cisco Talos. The OAS Platform is commonly found in industrial operations and enterprise environments, enabling communication between various devices including PLCs, servers, files, databases, and IoT platforms (Talos Report, SecurityWeek).

The vulnerability exists in the OAS Platform's Engine configuration management functionality. When a privileged request is sent by a legitimate administrator to the OAS Engine, the traffic is sent unencrypted across the wire. The credentials are wrapped in a UEP protobuf and included as a field inside the request. The vulnerability has a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and is classified under CWE-319 (Cleartext Transmission of Sensitive Information) ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2023-1770)).

A successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the underlying system. The captured UEP protobuf remains valid until the associated user account is deleted, potentially enabling long-term unauthorized access. When combined with user creation and save configuration functionality, attackers could gain persistent access to the system ([Talos Report](https://talosintelligence.com/vulnerabilityreports/TALOS-2023-1770)).

Access to the OAS Engine configuration server and its traffic should be restricted to exclusively those hosts authorized for configuration. The vulnerability has been fixed in version 19 of the OAS Platform, which can be downloaded from the vendor's website (Talos Report).