Industrial VPN Flaws Could Let Attackers Target Critical Infrastructures

Cybersecurity researchers have discovered critical
vulnerabilities in industrial VPN implementations primarily used to
provide remote access to operational technology (OT) networks that
could allow hackers to overwrite data, execute malicious code, and
compromise industrial control systems (ICS).

A new report published^[1] by industrial
cybersecurity company Claroty demonstrates multiple severe
vulnerabilities in enterprise-grade VPN installations, including
Secomea GateManager M2M Server, Moxa EDR-G902, and EDR-G903, and
HMS Networks eWon’s eCatcher VPN client.

These vulnerable products are widely used in field-based
industries such as oil and gas, water utilities, and electric
utilities to remotely access, maintain and monitor ICS and field
devices, including programmable logic controllers (PLCs) and
input/output devices.

According to Claroty researchers, successful exploitation of these
vulnerabilities can give an unauthenticated attacker direct access
to the ICS devices and potentially cause some physical damage.

In Secomean’s GateManager, researchers uncovered multiple
security flaws, including a critical vulnerability (CVE-2020-14500)
that allows overwriting arbitrary data, executing arbitrary code,
or causing a DoS condition, running commands as root, and obtaining
user passwords due to the use of a weak hash type.

GateManager is a widely used ICS remote access server deployed
worldwide as a cloud-based SaaS solution that allows users to
connect to the internal network from the internet through an
encrypted tunnel while avoiding server setups.

The critical flaw, identified as CVE-2020-14500, affects the
GateManager component, the main routing instance in the Secomea
remote access solution. The flaw occurs due to improper handling of
some of the HTTP request headers provided by the client.

This flaw can be exploited remotely and without requiring any
authentication to achieve remote code execution, which could result
in gaining full access to a customer’s internal network, along with
the ability to decrypt all traffic that passes through the
VPN.

In Moxa EDR-G902 and EDR-G903 industrial VPN servers, researchers
discovered a stack-based buffer overflow bug (CVE-2020-14511) in
the system web server that can be triggered just by sending a
specially crafted HTTP request, eventually allowing attackers to
carry out remote code execution without the need for any
credentials.

Claroty researchers also tested HMS Networks’ eCatcher, a
proprietary VPN client that connects to the company’s eWon VPN
device, and found that the product is vulnerable to a critical
stack-based buffer overflow (CVE-2020-14498) that can be exploited
to achieve remote code execution.

All an attacker needs to do is tricking victims into visiting a
malicious website or opening a malicious email containing a
specifically crafted HTML element that triggers the flaw in
eCatcher, eventually allowing attackers to take complete control of
the targeted machine.

All three vendors were notified of the vulnerabilities and
responded quickly to release security fixes that patch their
products’ loopholes.

Secomea users are recommended to update their products to the
newly released GateManager versions 9.2c / 9.2i,
Moxa users need to update EDR-G902/3 to version v5.5 by applying
firmware updates available for the EDR-G902
series and EDR-G903
series, and HMS Networks users are advised to update eCatcher
to Version 6.5.5 or
later.
^[2][3][4][5]