CVE-2023-35124: 
Open Automation Software vulnerability analysis and mitigation

An information disclosure vulnerability (CVE-2023-35124) was discovered in the OAS Engine configuration management functionality of Open Automation Software OAS Platform v18.00.0072. The vulnerability was disclosed on September 5, 2023, and affects the configuration management component of the platform. The vulnerability allows an authenticated attacker to potentially disclose sensitive information through specially crafted network requests (Talos Report).

The vulnerability exists in the OAS Configuration tool, which exposes functionality to load saved configurations from disk to authenticated application users. When a file that doesn't conform to the expected configuration format is selected through the remote file browser, the first 0x11 bytes of the file are leaked in the response error message. The vulnerability is exploited using a String protobuf as part of an authenticated request to specify the filename. The CVSS v3.1 base score is 3.1 (LOW) with vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-209 (Information Exposure Through an Error Message) (Talos Report).

The vulnerability can lead to the disclosure of sensitive information through error messages. When exploited, the first 17 bytes (0x11) of non-conforming configuration files can be exposed to authenticated users, potentially revealing sensitive data (Talos Report).

The vendor has released version v19 to address this vulnerability. As additional mitigation measures, it is recommended to restrict access to the OAS Engine configuration server and its traffic to only those hosts authorized for configuration. Furthermore, organizations should restrict read/write access for the OAS user to only locations that can safely be exposed to anyone on the network (Talos Report).