Critical VPN vulnerabilities pose danger to OT networks

The VPN approach for remote security may not be as secure as previously believed, new research has found.

That's particularly troubling, which is especially unfortunate given on the work-at-home reality brought on by COVID-19, according to a blog post from Claroty.

Remote code execution (RCE) vulnerabilities affecting VPN implementations primarily used to provide remote access to operational technology (OT) networks pose a risk to industries like oil and gas, water utilities and electric utilities that industrial control systems (ICS).

Secure connectivity to remote sites has been even more crucial to energy utilities’ operators and third-party vendors to dial into customer sites and provide maintenance and monitoring.

“Vulnerable remote access servers can serve as highly effective attack surfaces for threat actors targeting VPNs,” the blog stated.

Claroty tested the security posture of a few popular remote-access solutions, including cloud-based, field-based and client-based, and found critical vulnerabilities in all.

Flaws included the improper handling of some of the HTTP request headers provided by the client for the cloud-based Secomea GateManager. This could allow an attacker to remotely exploit a server to achieve RCE without any authentication required.

“If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN,” researchers said in the blog, adding that Claroty notified Secomea of the CVE-2020-14500 critical vulnerability and a patch has been available since July 16.

Claroty found exploitation of the Moxa EDR-G902/3 industrial VPN servers could result in an attacker could use a specially crafted HTTP request to trigger a stack-based, overflow vulnerability (CVE-2020-14511) in the system web server and carry out RCE without the need for any credentials. In addition, an attacker can provide a large cookie and trigger a stack-based overflow in the system.

Moxa issued a patch on June 9, following being alerted by Claroty on April 13.

Claroty’s analysis of eWon’s eCatcher remote-access ICS solution, resulting in a critical stack-buffer overflow bug (CVE-2020-14498) that can be exploited to achieve RCE by visiting a malicious website or opening a malicious email which contains a specifically crafted HTML element, potentially triggering the vulnerability.

Claroty researchers notified HMS Networks of what it found on May 12, and a patch has been available since July 14.

"When we consider for a moment the risk outlined by the recent joint advisory from the NSA and CISA, they were referencing both OT systems that are directly connected to the Internet as well as those that could be reached by exploited remote access capabilities established for the enterprise and/or their service providers to monitor and manage these systems remotely," said Curtis Simpson, CISO at Armis. "Today's disclosures ultimately mean that a greater number of OT systems that were previously protected behind a firewall and VPN service are now potentially reachable and remotely exploitable by bad actors." He urged affected vendors to "consider the immediate call to action in the NSA and CISA joint advisory, as it very much applies to these exposures."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.