VPN Vulnerabilities Put Industrial Control Systems at Risk
Claroty Researchers Find Remote Access Tool Bugs Could Lead to Attacks
Vulnerabilities in some VPNs used to remotely connect to industrial control systems could enable hackers to compromise large industrial organizations, the security firm Claroty reports.
The VPNs that contain these security flaws are used by oil and gas companies as well as water and electric utilities, among others, Claroty says. These VPNs enable employees to connect to operation technology and industrial control systems, including programmable logic controllers and input/output devices, according to the company’s new report.
The Claroty researchers also note that the increase in remote work due to the COVID-19 pandemic means more employees and workers are relying on VPNs to connect with networks, access devices and OT systems.
"Apart from connectivity between sites, these solutions are also used to enable remote operators and third-party vendors to dial into customer sites and provide maintenance and monitoring," according to the report. "This kind of access has become especially prioritized in recent months due to the new reality of COVID-19."
The Claroty report says attackers could exploit VPN flaws to run remote code execution, which could give threat actors "direct access to the field devices and cause some physical damage."
The research report comes a week after the U.S. National Security Agency and the Cybersecurity and Infrastructure Security Agency issued a joint warning that sophisticated hackers are increasingly targeting OT systems and critical infrastructure (see: NSA, CISA Warn of Threats to US Critical Infrastructure).
VPNs From Three Companies Affected
The Claroty researchers uncovered vulnerabilities in VPNs from three companies that are widely used within industrial firms and OT systems. Those are: Secomea GateManager, Moxa EDR-G902 and EDR-G903 industrial VPN servers, and eWon VPN from HMS Networks.
Secomea GateManager is widely used in industrial control systems to access servers deployed as cloud-based software-as-a-service tools, according to the report. The researchers discovered multiple security flaws in the GateManager VPN, including one critical vulnerability, now tracked as CVE-2020-14500, which involves improper handling of the HTTP request headers provided by the client.
"This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required," according to the report. "If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer's internal network, along with the ability to decrypt all traffic that passes through the VPN."
In addition, Claroty published a proof of concept to show how the vulnerability could be exploited.
The vulnerability was originally found and reported to Secomea on May 26, and the company issued a patch on July 10, according to the report.
Moxa VPN Vulnerability
The researchers also found a vulnerability in the Moxa EDR-G902 and EDR-G903 industrial VPN servers, which is tracked as CVE-2020-14511. An attacker could exploit the flaw using a specially crafted HTTP request to trigger a stack-based overflow in the system web server, according to the report.
This can then enable a threat actor to carry out remote code execution within the VPN server without the need for any credentials and possibly cause damage to an OT or industrial control system, the researchers note.
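As an added illustration, not Claroty's proof of concept and not code from Secomea, Moxa or HMS Networks, the following C program shows the bug class behind both the GateManager header-handling flaw and the Moxa web-server overflow described above: a server copying a client-supplied HTTP header value into a fixed-size stack buffer. The parser is hypothetical; it shows the bounded form, which checks the length and rejects an oversized value before copying, together with a cheap pre-parse gate that counts headers over a limit so a request can be dropped before deeper parsing. The function names, the 64-byte limit and the sample requests are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical fixed buffer size for a parsed header value. */
#define HEADER_VALUE_MAX 64

enum hdr_result { HDR_OK = 0, HDR_NOT_FOUND = -1, HDR_TOO_LONG = -2 };

/* Constructed sample request with well-formed, short header values. */
static const char SAMPLE_REQUEST[] =
    "GET /index.htm HTTP/1.1\r\n"
    "Host: edr.example.local\r\n"
    "User-Agent: demo\r\n"
    "\r\n";

/* Find "Name: value" in a raw HTTP request and copy the value into out.
 * The unsafe pattern this replaces is strcpy(buf, value) into a
 * char buf[HEADER_VALUE_MAX] on the stack with no length check; here the
 * length is validated first and an oversized value is rejected, not copied. */
int extract_header_value(const char *request, const char *name,
                         char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *line = request;

    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);

        if (line_len == 0)                      /* blank line ends headers */
            break;

        if (line_len > name_len + 1 &&
            strncasecmp(line, name, name_len) == 0 && line[name_len] == ':') {
            const char *value = line + name_len + 1;
            while (value < line + line_len && (*value == ' ' || *value == '\t'))
                value++;                        /* skip optional whitespace */
            size_t value_len = (size_t)(line + line_len - value);
            if (value_len + 1 > out_len)        /* bounds check before copy */
                return HDR_TOO_LONG;
            memcpy(out, value, value_len);
            out[value_len] = '\0';
            return HDR_OK;
        }
        line = eol ? eol + 2 : NULL;
    }
    return HDR_NOT_FOUND;
}

/* Pre-parse gate: count header lines whose value exceeds max_len.
 * A server can reject the whole request when this is non-zero. */
int count_oversized_headers(const char *request, size_t max_len)
{
    int count = 0;
    const char *line = strstr(request, "\r\n");   /* skip the request line */
    if (!line)
        return 0;
    line += 2;
    while (*line) {
        const char *eol = strstr(line, "\r\n");
        size_t line_len = eol ? (size_t)(eol - line) : strlen(line);
        if (line_len == 0)
            break;
        const char *colon = memchr(line, ':', line_len);
        if (colon) {
            const char *value = colon + 1;
            while (value < line + line_len && (*value == ' ' || *value == '\t'))
                value++;
            if ((size_t)(line + line_len - value) > max_len)
                count++;
        }
        if (!eol)
            break;
        line = eol + 2;
    }
    return count;
}

/* Constructed sample: a Host value far larger than HEADER_VALUE_MAX. */
static void build_overlong_request(char *req, size_t req_len)
{
    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    snprintf(req, req_len, "GET / HTTP/1.1\r\nHost: %s\r\n\r\n", big);
}

int demo_overlong_extract(void)
{
    char req[512], out[HEADER_VALUE_MAX];
    build_overlong_request(req, sizeof req);
    return extract_header_value(req, "Host", out, sizeof out);
}

int demo_overlong_count(void)
{
    char req[512];
    build_overlong_request(req, sizeof req);
    return count_oversized_headers(req, HEADER_VALUE_MAX - 1);
}

int main(void)
{
    char out[HEADER_VALUE_MAX];
    printf("Host -> %d (%s)\n",
           extract_header_value(SAMPLE_REQUEST, "Host", out, sizeof out), out);
    printf("overlong extract -> %d, oversized headers -> %d\n",
           demo_overlong_extract(), demo_overlong_count());
    return 0;
}
```

The point of returning HDR_TOO_LONG rather than silently truncating is that a truncated value can still be parsed as something else downstream; rejecting the request keeps the failure visible and loggable, which is also what a monitoring team would want to alert on from a VPN appliance's web interface.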
Claroty researchers notified Moxa of this security issue on April 13, and a patch has been available since June 9.
eWon VPN Flaw
In addition, the researchers discovered a vulnerability in the eWon VPN, manufactured by HMS Networks. This VPN allows remote clients to connect to it through a proprietary VPN client called eCatcher. This remote connectivity enables a company to monitor the performance of certain equipment from various locations.
The Claroty researchers found that a stack buffer overflow bug, tracked as CVE-2020-14498, could be triggered through a phishing email or by visiting a malicious website that contains a specifically crafted HTML element. This vulnerability can also lead to remote code execution, which could lead to a system takeover or damage to an OT system.