Per Swati Khandelwal
VPN failures can allow attackers to target infrastructure.
In this article by The Hacker News, we look at the vulnerability findings. Cybersecurity researchers have discovered critical vulnerabilities in industrial VPN implementations. Because these products are used to provide remote access to operational technology (OT) networks, the flaws could allow attackers to overwrite data, execute malicious code and compromise industrial control systems (ICS).
Vulnerabilities in VPN Installations
A new report published by industrial cybersecurity company Claroty demonstrates several serious vulnerabilities in enterprise-grade VPN implementations, including the Secomea GateManager M2M Server, the Moxa EDR-G902 and EDR-G903, and the HMS Networks eWon eCatcher VPN client.
These vulnerable products are widely used in field industries, such as oil and gas, water utilities and electrical utilities, to remotely access, maintain and monitor ICS and field devices, including programmable logic controllers (PLCs) and input/output devices.
According to Claroty researchers, successful exploitation of these vulnerabilities could give an unauthenticated attacker direct access to ICS devices and potentially cause some physical harm.
In Secomea's GateManager, researchers discovered several security flaws, including a critical vulnerability (CVE-2020-14500) that allows an attacker to overwrite arbitrary data, run arbitrary code or cause a DoS condition, as well as flaws that allow running commands as root and obtaining user passwords due to the use of a weak hash type.
GateManager is a widely used ICS remote access server, deployed worldwide as a cloud-based SaaS solution that allows users to connect to the internal network from the Internet through an encrypted tunnel, without requiring server configuration on the customer side.
Critical failure in the Remote Access solution
The critical flaw, identified as CVE-2020-14500, affects the GateManager component, the main routing instance in the Secomea remote access solution. The flaw is due to improper handling of some of the HTTP request headers provided by the client.
This flaw can be exploited remotely and without authentication to gain remote code execution, which can result in full access to a customer's internal network, in addition to the ability to decrypt all traffic that passes through the VPN.
Remote Code Execution
On the Moxa EDR-G902 and EDR-G903 industrial VPN servers, the researchers discovered a stack-based buffer overflow (CVE-2020-14511) in the system's web server that can be triggered merely by sending a specially crafted HTTP request, eventually allowing attackers to achieve remote code execution without the need for credentials.
Claroty researchers also tested HMS Networks' eCatcher, a proprietary VPN client that connects to the company's eWon VPN device, and found that the product is vulnerable to a critical stack-based buffer overflow (CVE-2020-14498) that can be exploited to achieve remote code execution.
All an attacker needs to do is induce victims to visit a malicious website or open a malicious email containing a specially crafted HTML element that triggers the eCatcher flaw, allowing the attacker to take complete control of the target machine.
All three vendors were notified of the vulnerabilities and responded quickly by releasing security patches that address the flaws in their products.
Secomea users are recommended to update their products to the newly released GateManager versions 9.2c / 9.2i; Moxa users need to update EDR-G902/3 to version v5.5 by applying the firmware updates available for the EDR-G902 series and EDR-G903 series; and HMS Networks users are advised to update eCatcher to version 6.5.5 or later.