The ICS-CERT is warning users about a vulnerability in a secure public cloud product from Innominate that enables an attacker to obtain configuration data about a target system, information that could be used in future attacks.
The vulnerability is an information disclosure bug in the Innominate mGuard product, which is meant to connect operators to machines in remote plants and industrial facilities via a VPN system. The company, based in Germany, says that mGuard “offers both operators and machine and plant engineering companies a turnkey VPN ecosystem for industrial remote services.” The mGuard product is an IPsec-based VPN and the basic version of it is free.
In its advisory, ICS-CERT says that the vulnerability, while minor in and of itself, could be used as part of a reconnaissance mission for a future, more serious attack.
“Exploitation of this vulnerability could allow a remote unauthenticated user access to release configuration information. While this is a minor vulnerability, it represents a method for further network reconnaissance,” the advisory says.
“An attacker using a carefully crafted URL may download a configuration snapshot without prior authorization using the HTTPS CGI interface. The configuration snapshot contains configuration data, current system information and log files, but no confidential data such as RSA private keys, Pre-Shared keys or passwords. An attacker might gather information about network topology, traffic flows, and other connected systems from this data.”
The kind of network reconnaissance that this vulnerability could facilitate is often a preliminary step in a planned attack on a target. Attackers will spend time gathering practical and technical information on a target network: what software the organization uses, who its partners, customers and suppliers are, and where the soft spots in the infrastructure lie. Even though the snapshot that the Innominate mGuard vulnerability allows an attacker to obtain doesn’t include sensitive security material, the configuration and log files can be valuable in a targeted attack.
Users of the vulnerable products, which include firmware versions 4.0.0 through 8.0.2, can upgrade to versions 7.6.4, 8.0.3, 8.1.0 or 8.1.1 to patch the vulnerability.
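A way to triage a firmware inventory against the version ranges above, as an added example that is not part of the advisory or of Innominate's software. The hostnames are constructed, and the upgrade-path policy (prefer a fix on the device's own major branch) is an assumption, not advice from the advisory.

```python
"""Triage mGuard firmware versions against the ICS-CERT advisory.

Affected: 4.0.0 through 8.0.2 inclusive. Fixed: 7.6.4, 8.0.3, 8.1.0, 8.1.1.
Note the trap: 7.6.4 lies inside the affected range, so a plain range
comparison would misreport a patched 7.6 device as still vulnerable.
Only the releases the advisory names are treated as fixed (assumption).
"""
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_LOW: Version = (4, 0, 0)
AFFECTED_HIGH: Version = (8, 0, 2)
FIXED_VERSIONS = {(7, 6, 4), (8, 0, 3), (8, 1, 0), (8, 1, 1)}


def parse_version(text: str) -> Version:
    """Parse a dotted 'major.minor.patch' string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True if inside the affected range and not an explicitly fixed release."""
    v = parse_version(version)
    if v in FIXED_VERSIONS:
        return False
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def suggested_upgrade(version: str) -> Optional[str]:
    """Assumed policy: the lowest fixed release on the device's own major
    branch, falling back to the lowest fixed release above it. None if not
    vulnerable."""
    if not is_vulnerable(version):
        return None
    v = parse_version(version)
    same_branch = sorted(f for f in FIXED_VERSIONS if f[0] == v[0] and f > v)
    candidates = same_branch or sorted(f for f in FIXED_VERSIONS if f > v)
    return ".".join(str(n) for n in candidates[0])


def triage_inventory(inventory: List[Tuple[str, str]]):
    """Return (host, version, vulnerable, upgrade) rows for an inventory."""
    return [(h, ver, is_vulnerable(ver), suggested_upgrade(ver)) for h, ver in inventory]


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [("plant-a-vpn", "7.6.2"), ("plant-b-vpn", "7.6.4"),
                    ("hq-vpn", "8.0.2"), ("lab-vpn", "8.1.1")]

if __name__ == "__main__":
    for row in triage_inventory(SAMPLE_INVENTORY):
        print(row)
```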