Remote code-execution vulnerabilities in virtual private network (VPN) products could impact the physical functioning of critical infrastructure in the oil and gas, water and electric utilities space, according to researchers.
Researchers at Claroty found that VPNs used to provide remote access to operational technology (OT) networks in industrial systems are vulnerable to an array of security bugs, which could give an attacker direct access to field devices and cause physical damage or shutdowns.
The security vulnerabilities affect three vendors specifically, Secomea, Moxa and HMS Networks, and any of their white-label partners.
“These dedicated remote-access solutions are mainly focused on the industrial control system (ICS) industry, and their main use case is to provide maintenance and monitoring to field controllers and devices including programmable logic controllers (PLCs) and input/output (IO) devices,” analysts said in a posting issued on Wednesday. “Apart from connectivity between sites these solutions are also used to enable remote operators and third-party vendors to dial into customer sites and provide maintenance and monitoring for PLCs and other Level 1/0 devices. This kind of access has become especially prioritized in recent months due to the new reality of COVID-19.”
The Flaws
A critical bug in Secomea GateManager (CVE-2020-14500) occurs due to improper handling of HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required.
“If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN,” according to Claroty.
GateManager is an ICS component located at the perimeter of a customer network, which accepts connections from remote sites/clients. It’s deployed worldwide as a cloud-based software-as-a-service solution, both in branded and white-label instances; these cloud servers are multi-tenant but can also be installed and configured as on-premise solutions.
According to Secomea’s website, the GateManager cloud server is designed to “deliver the convenience of fast and easy web access, while avoiding server setups.” However, the cloud-based nature of the product could mean a wider attack surface for cybercriminals looking to exploit this bug, researchers said.
“In recent years we have seen a shift toward cloud-based remote access solutions, which typically enable rapid deployment and reduce cost,” according to Claroty’s post. “Usually, they also offer white-labeled solutions that large-scale companies can purchase to have their own personal cloud while the underlying software is exactly the same. Thus, finding bugs in one instance could mean that all other instances would be affected, too.”
In addition to the critical bug, other flaws found in GateManager include CVE-2020-14508, an off-by-one error, which may allow an attacker to remotely execute arbitrary code or cause a denial-of-service condition. Another (CVE-2020-14510) arises from the use of a hard-coded credential for telnet, allowing an unprivileged attacker to execute commands as root. And CVE-2020-14512 is due to a weak hash type, which may allow an attacker to view user passwords.
Secomea issued patches on July 16 (in GateManager versions 9.2c / 9.2i).
Meanwhile, a stack-based overflow vulnerability (CVE-2020-14511) is present in the Moxa EDR-G902/3 industrial VPN server. This product is meant to provide a secure connection between remote industrial sites and a main data center where the SCADA/data-collection server is located.
“Exploiting this security flaw, an attacker could use a specially crafted HTTP request to trigger a stack-based overflow in the system web server and carry out remote code execution without the need for any credentials,” according to the writeup. “An attacker can provide a large cookie and trigger a stack-based overflow in the system.”
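As an added illustration from the defender's side (not Claroty's or any vendor's code), the following Python inspects an HTTP request head for the oversized or malformed request headers that the Secomea and Moxa bugs described above are triggered by; the thresholds, host name and sample requests are assumptions constructed for this example, and a reverse proxy or IDS rule in front of the appliance's web UI would apply the same logic.

```python
from typing import List, Tuple

# Assumed thresholds for this example: tune them to what the appliance's own
# web UI legitimately sends (session cookies are normally well under 1 KiB).
MAX_COOKIE_LEN = 1024
MAX_HEADER_LEN = 4096


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split an HTTP/1.x request head into the request line and (name, value)
    header pairs. Names are lower-cased, values stripped, duplicates kept."""
    text = raw.decode("latin-1")          # never fails, preserves byte lengths
    head = text.split("\r\n\r\n", 1)[0]   # drop any body
    lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            headers.append(("<malformed>", line))  # no colon: keep for flagging
            continue
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def inspect_request(raw: bytes) -> List[str]:
    """Return human-readable findings for one request head (empty if clean)."""
    _, headers = parse_request_head(raw)
    findings: List[str] = []
    cookie_total = 0
    for name, value in headers:
        if name == "<malformed>":
            findings.append(f"malformed header line: {value[:40]!r}")
            continue
        if name == "cookie":
            cookie_total += len(value)  # several Cookie headers add up
        if len(value) > MAX_HEADER_LEN:
            findings.append(f"oversized header {name}: {len(value)} bytes")
    if cookie_total > MAX_COOKIE_LEN:
        findings.append(f"oversized Cookie total: {cookie_total} bytes")
    return findings


# Constructed sample requests (hypothetical host name).
BENIGN_REQUEST = (b"GET /login.html HTTP/1.1\r\nHost: vpn-gateway.example\r\n"
                  b"Cookie: session=abc123\r\n\r\n")
OVERSIZED_COOKIE_REQUEST = (b"GET /login.html HTTP/1.1\r\nHost: vpn-gateway.example\r\n"
                            b"Cookie: session=" + b"A" * 3000 + b"\r\n\r\n")
MALFORMED_REQUEST = (b"GET / HTTP/1.1\r\nHost: vpn-gateway.example\r\n"
                     b"Garbage-line-without-colon\r\n\r\n")
```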
Moxa made a patch available on June 9; users should update EDR-G902/3 to version v5.5 by applying the respective firmware updates available for the EDR-G902 series and EDR-G903 series, the vendor said.
And finally, a critical stack-buffer overflow (CVE-2020-14498) is present in the eWon product by HMS Networks.
eWon is a VPN device that allows machine builders and factory owners to remotely monitor the performance of their equipment. Remote clients can connect to it using a proprietary VPN client on their computer, named eCatcher, which is where the vulnerability lies.
“The bug can be exploited to achieve remote code execution [on a target’s computer] by [convincing a user to visit] a malicious website or [open] a malicious email which contains a specifically crafted HTML element which is able to trigger the vulnerability in eCatcher,” explained Claroty researchers.
Gaining control of an authorized user’s computer grants attackers access to that user’s VPN credentials, which they can then use to expand their foothold within an organization’s internal network.
In a proof-of-concept exploit, researchers showed that sending socially engineered emails embedded with specifically crafted images could trigger the vulnerability if the user simply opened and viewed the email. An attacker would then have the highest privileges and be able to completely take over a victim’s machine.
“The exploitation phase occurs immediately when the email client (e.g. Outlook) is loading the malicious images,” according to the post.
HMS Networks issued a patch on July 14 in eCatcher version 6.5.5.
ICS in the Crosshairs
Industrial installations have been ramping up in terms of adversary interest of late. Last week, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning that cybercriminals could be targeting critical infrastructure across the U.S.
And separately, ICS-CERT issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module. These safety instrumented system (SIS) controllers are responsible for shutting down plant operations in the event of a problem and act as an automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. They’ve been targeted in the past, in the TRITON attack of 2017.
“We expect that in the COVID-19 reality of working from home, the increased use of [VPN] platforms will drive increased interest both from the operational side, as they become more process-critical, and from the security side, as they become more common,” according to Claroty. The researchers added, “Denial-of-service attacks on these components of the enterprise infrastructure could potentially emerge as a new tactic used by financially motivated attackers.”