Critical Flaws in Popular ICS Platform Can Trigger RCE


Jul 27, 2015
Critical flaws in a popular platform used by industrial control systems (ICS) that allow for unauthorized device access, remote code execution (RCE) or denial of service (DoS) could threaten the security of critical infrastructure.

Researcher Jared Rittle of Cisco Talos discovered a total of eight vulnerabilities, two of them critical, in the Open Automation Software (OAS) Platform, the most serious of which allows an attacker to execute arbitrary code on a targeted machine, according to a blog post published this week. The flaws affect Open Automation Software OAS Platform, version 16.00.0112.

OAS, offered by a company of the same name, makes it easy to transfer data between proprietary devices and applications, including both software and hardware. At its core is what’s called a Universal Data Connector, which allows the “movement and transformation of data for critical business processes like machine learning, data mining, reporting and data visualization,” according to the OAS website.

The OAS Platform is widely used in systems in which a range of disparate devices and software need to communicate, which is why it’s often found in ICS to connect industrial and IoT devices, SCADA systems, network points, and custom apps and APIs, among other software and hardware. Some companies using the platform include Intel, Mack Trucks, the U.S. Navy, JBT AeroTech and Michelin.

The OAS Platform’s presence in these systems is why the flaws can be incredibly dangerous, observed one security professional, noting that these devices are often those responsible for the operation of highly sensitive processes involved in critical industries like utilities and manufacturing.

“An attacker with the ability to disrupt or alter the function of those devices can inflict catastrophic damage on critical infrastructure facilities,” Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel, wrote in an email to Threatpost. What can be especially dangerous in ICS attacks is that they may not be immediately obvious, which can make them hard to detect and allow them to inflict significant damage while operators are none the wiser, he said. Clements cited the now-infamous Stuxnet worm that propagated more than 10 years ago as an example of how much destruction an ICS threat can cause if it flies under the radar.