PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-11220 Open Automation Software CVE debrief

A local privilege escalation vulnerability in Open Automation Software (OAS) allows authenticated low-privileged users to execute arbitrary code with SYSTEM privileges. The flaw lies in how OAS handles report files (.rdlx): a local attacker with valid credentials for the running OAS services can create and execute a report containing malicious code that then runs with elevated privileges. The vulnerability is rated HIGH severity (CVSS 7.8) and affects OAS versions prior to V20.00.0076. CISA published advisory ICSA-24-338-03 on December 3, 2024, as part of coordinated disclosure. The vendor has released a patched version.

Vendor: Open Automation Software
Product: Unknown
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-03
Original CVE updated: 2024-12-03
Advisory published: 2024-12-03
Advisory updated: 2024-12-03

Who should care

Organizations running Open Automation Software in industrial control system environments, particularly those with multi-user server deployments where non-administrative users have OAS access. System administrators responsible for OAS deployments and security teams managing ICS/OT environments should prioritize patching.

Technical summary

The vulnerability stems from improper privilege handling when Open Automation Software executes report files (.rdlx). A local attacker with valid credentials for the OAS services can create a malicious report file containing arbitrary code. When the report is executed, that code runs with SYSTEM-level privileges rather than at the attacker's original privilege level, enabling complete compromise of the host. The attack requires local access to the server machine and valid OAS credentials, but no user interaction. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a local attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Open Automation Software to version V20.00.0076 or later to address the privilege escalation vulnerability
  • Restrict local access to OAS server systems to authorized administrators only
  • Implement principle of least privilege for OAS service accounts
  • Monitor for unauthorized .rdlx file creation or report execution on OAS servers
  • Review and audit OAS user permissions to ensure minimal necessary access rights
  • Apply defense-in-depth strategies for industrial control systems per CISA guidance
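The monitoring action above ("watch for unauthorized .rdlx file creation") can be turned into a simple triage rule over endpoint telemetry. The following added example is not PatchSiren's or the vendor's code: it reads Sysmon-style FileCreate records (Event ID 11 field names) as JSON lines and flags any .rdlx file written by an account outside an allow-list, or written outside the directory where legitimate reports are expected. The allow-list, the report directory, the hostnames, the account names and every path in the sample log are constructed assumptions for the example and are not OAS defaults.

```python
"""Triage rule for unexpected .rdlx report creation (added example, not the page's code).

Input: Sysmon Event ID 11 (FileCreate) records, one JSON object per line.
Output: the records that violate either of two hypothetical policies:
  1. the creating account is not on the allow-list of report authors, or
  2. the file lands outside the designated report directory.
"""
import json
from pathlib import PureWindowsPath

# Hypothetical allow-list of accounts permitted to author reports (assumption).
ALLOWED_AUTHORS = {"OASHOST\\oas_svc", "OASHOST\\reportadmin"}
# Hypothetical directory where legitimate reports live (assumption, not an OAS default).
REPORT_DIR = PureWindowsPath(r"D:\OASReports")

# Constructed sample events using Sysmon Event ID 11 field names; paths are invented.
SAMPLE_LOG = r"""
{"EventID": 11, "UtcTime": "2024-12-03 10:01:12.001", "User": "OASHOST\\reportadmin", "Image": "C:\\Program Files\\ExampleVendor\\ReportDesigner.exe", "TargetFilename": "D:\\OASReports\\daily.rdlx"}
{"EventID": 11, "UtcTime": "2024-12-03 10:05:40.332", "User": "OASHOST\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\jdoe\\Desktop\\test.RDLX"}
{"EventID": 11, "UtcTime": "2024-12-03 10:06:02.000", "User": "OASHOST\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\jdoe\\notes.txt"}
{"EventID": 11, "UtcTime": "2024-12-03 10:09:15.120", "User": "OASHOST\\reportadmin", "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Temp\\scratch.rdlx"}
{"EventID": 1, "UtcTime": "2024-12-03 10:07:00.000", "User": "OASHOST\\jdoe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c dir"}
"""


def parse_events(log_text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def is_rdlx(path: str) -> bool:
    """Extension check is case-insensitive because NTFS is."""
    return PureWindowsPath(path).suffix.lower() == ".rdlx"


def under_dir(path: str, directory: PureWindowsPath) -> bool:
    """Case-insensitive prefix test on path components (no string-prefix pitfalls)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    base = [p.lower() for p in directory.parts]
    return parts[: len(base)] == base


def find_suspicious_rdlx_creates(events: list, allowed=ALLOWED_AUTHORS,
                                 report_dir=REPORT_DIR) -> list:
    """Return FileCreate records for .rdlx files that break either policy."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:
            continue  # only FileCreate events carry TargetFilename
        target = ev.get("TargetFilename", "")
        if not is_rdlx(target):
            continue
        reasons = []
        user = ev.get("User", "")
        if user not in allowed:
            reasons.append("author not on allow-list")
        if not under_dir(target, report_dir):
            reasons.append("written outside report directory")
        if reasons:
            hits.append({"time": ev.get("UtcTime"), "user": user,
                         "image": ev.get("Image"), "file": target,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rdlx_creates(parse_events(SAMPLE_LOG)):
        print(f"{hit['time']} {hit['user']} wrote {hit['file']} via {hit['image']}: "
              + "; ".join(hit["reasons"]))
```

On the sample data the rule flags two of the four file-create events: the .RDLX on a user's desktop (both policies violated) and the report author's scratch file in C:\Temp (outside the report directory). The normal report written by the allowed author into the report directory and the unrelated .txt are left alone, which is the balance a detection like this needs in a multi-user OAS deployment.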

Evidence notes

CISA CSAF advisory ICSA-24-338-03 identifies affected product as Open Automation Software versions prior to V20.00.0076. CVSS 3.1 vector confirms local attack vector with low attack complexity. Vendor fix confirmed in remediation section of source advisory.

Official resources

CISA coordinated disclosure via ICSA-24-338-03 on December 3, 2024.