Does Scada in Zenon Web Client 8.20 share the same vulnerability as Scada used in Open Automation Software Platform?

The reason I ask is that I read this on your website about the software: "Originally developed as HMI/SCADA software, the entire zenon software platform covers significantly more application areas."

Open Automation Software Platform (OAS), released by Cisco Talos [1]. Out of
the eight assessed vulnerabilities, two (namely CVE-2022-26082 and
CVE-2022-26833) have received a CVSS score of 9.1 and 9.4. These
vulnerabilities affect all OAS software prior to 16.00.0112.

The most critical one, CVE-2022-26833, allows unauthenticated use of the REST
API by sending specially crafted HTTP requests. The attacker is able to
authenticate themselves using blank credentials sent to the vulnerable
endpoint, and upon receiving a client ID as well as a functioning token, send
requests to the REST API [2].

CVE-2022-26082, with a CVSS score of 9.1, lets an attacker execute arbitrary
code on the targeted OAS platform. With a series of configuration messages, the
threat actor can upload a file of their choice to the underlying system, as
permissible by the 'oas-engine' service owner user [3].

Other listed vulnerabilities are said to assist in information disclosure
(CVE-2022-26007, CVE-2022-27169 & CVE-2022-26067), arbitrary configuration
changes (CVE-2022-26303 & CVE-2022-26043) and Denial of Service
(CVE-2022-26026).

This is a migrated post! Originally posted on 01.06.2022 by user curiousgeorge. Please be aware that information can be outdated.
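As an added, defender-side illustration (not part of the original post, and not code from COPA-DATA, Open Automation Software or Cisco Talos): the pattern the post describes for CVE-2022-26833 is an authentication endpoint that hands out a client ID and token even though the supplied credentials are blank, after which the caller uses the REST API normally. The script below scans constructed access-log lines for exactly that sequence. The JSON-per-line format, its field names and the `/auth` path are assumptions for the example, not the real OAS or zenon API; the check itself applies to any REST-enabled SCADA component whose login events are logged.

```python
import json
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample log (one JSON object per line). The field names and the
# "/auth" endpoint are assumptions for this illustration; they are not the
# real OAS or zenon REST API.
SAMPLE_LOG = """\
{"ts": "2022-06-01T10:00:01Z", "src": "10.0.0.5", "path": "/auth", "user": "operator", "pass_len": 12, "status": 200, "token_issued": true}
{"ts": "2022-06-01T10:00:07Z", "src": "10.0.0.9", "path": "/auth", "user": "", "pass_len": 0, "status": 200, "token_issued": true}
{"ts": "2022-06-01T10:00:09Z", "src": "10.0.0.9", "path": "/auth", "user": "", "pass_len": 0, "status": 401, "token_issued": false}
{"ts": "2022-06-01T10:01:00Z", "src": "10.0.0.9", "path": "/config/upload", "user": "", "status": 200, "token_issued": false}
{"ts": "2022-06-01T10:02:00Z", "src": "10.0.0.5", "path": "/status", "user": "operator", "status": 200, "token_issued": false}
this line is deliberately malformed and must be skipped
"""

AUTH_PATH = "/auth"  # assumed login endpoint name


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    reason: str


def parse_log(text: str) -> Iterator[Dict]:
    """Yield one dict per well-formed JSON line; silently skip anything that does not parse."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue


def detect_blank_credential_logins(text: str) -> List[Finding]:
    """Flag every auth request that was granted a token although the
    username was empty or the password length was zero."""
    findings: List[Finding] = []
    for rec in parse_log(text):
        if rec.get("path") != AUTH_PATH or not rec.get("token_issued"):
            continue
        blank_user = rec.get("user", "") == ""
        blank_pass = rec.get("pass_len", 0) == 0
        if blank_user or blank_pass:
            if blank_user and blank_pass:
                why = "empty username and password"
            else:
                why = "empty username" if blank_user else "empty password"
            findings.append(Finding(rec["ts"], rec["src"], why))
    return findings


def requests_after_suspect_login(text: str) -> List[str]:
    """Return the non-auth paths requested by a flagged source after its
    suspicious token issuance, in log order. This is what an incident
    responder would triage next. Timestamps share one ISO-8601 format, so
    plain string comparison orders them correctly."""
    earliest: Dict[str, str] = {}
    for f in detect_blank_credential_logins(text):
        earliest[f.src] = min(earliest.get(f.src, f.ts), f.ts)
    later: List[str] = []
    for rec in parse_log(text):
        src = rec.get("src")
        if (src in earliest
                and rec.get("ts", "") > earliest[src]
                and rec.get("path") != AUTH_PATH):
            later.append(rec["path"])
    return later


if __name__ == "__main__":
    for f in detect_blank_credential_logins(SAMPLE_LOG):
        print(f"{f.ts} {f.src}: token issued with {f.reason}")
    print("follow-up requests from flagged sources:", requests_after_suspect_login(SAMPLE_LOG))
```

Run against the constructed log, the detector reports the single token issuance that followed blank credentials (from 10.0.0.9) and lists the `/config/upload` call that source made afterwards; the rejected 401 attempt and the legitimate operator session are not flagged. The second function exists because the post's point is not the login alone but the REST activity it enables.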
