Industrial VPN Multiple Vulnerabilities

Multiple severe vulnerabilities in industrial VPN products allow attackers to target critical infrastructure

An industrial VPN, essentially a VPN server placed in front of an operational network, is installed to protect that network. But what happens if that protective layer itself is compromised? Security researchers have recently found vulnerabilities in several VPN server implementations that are, in fact, extremely critical.

These newly found vulnerabilities primarily give an attacker remote access to operational technology (OT) networks. From there, the attacker could overwrite data, execute whatever malicious code they choose and, as the end result, compromise the industrial control systems themselves.

The findings were published in a report by the industrial cyber security company Claroty, which demonstrates multiple severe vulnerabilities in enterprise-grade VPN installations, including the Secomea GateManager M2M Server, the Moxa EDR-G902 and EDR-G903, and HMS Networks' eWon eCatcher VPN client.

These vulnerable industrial VPN installations are widely used in field-based industries such as electric power, oil, gas and water. They give remote operators access to industrial control systems (ICS) and field devices, including input/output devices and even programmable logic controllers (PLCs), which is exactly what makes them an attractive way into those systems for an attacker.

What the Claroty researchers say about the industrial VPN vulnerabilities

Claroty's researchers state that if these vulnerabilities are successfully exploited, an anonymous attacker can gain unauthenticated, direct access to industrial control systems and potentially cause severe damage.

Secomea's GateManager has multiple security flaws, including a critical vulnerability, CVE-2020-14500, that can lead to the following:

  • Executing arbitrary code
  • Overwriting arbitrary data
  • Launching a denial-of-service (DoS) attack
  • Running commands as the root or administrator user
  • Obtaining user passwords because of a weak password hashing algorithm

GateManager is widely used as an ICS remote access server and is deployed worldwide, usually as a cloud-based SaaS solution. It lets users connect to the internal network from the internet through an encrypted tunnel without having to set up their own server.


CVE-2020-14500 affects the main routing component of the remote access solution. The flaw occurs because HTTP headers supplied by the client are not handled properly. The vulnerability can be exploited remotely and requires no user authentication, which gives the attacker the opportunity to achieve remote code execution.

A successful exploit results in the attacker gaining complete access to the internal network, and ultimately the ability to decrypt all traffic that passes through the industrial VPN server.

The Moxa EDR-G902 and EDR-G903 industrial VPN routers have a stack-based buffer overflow, tracked as CVE-2020-14511.

The bug is triggered in the device's web server simply by sending a specially crafted HTTP request. This gives an unauthenticated attacker a way in, and ultimately lets them carry out remote code execution without any need for administrator credentials.

The researchers also tested HMS Networks' eCatcher, the industrial VPN client that connects to the eWon VPN device, and found that it is vulnerable to a critical stack-based buffer overflow (CVE-2020-14498) that can be exploited to achieve remote code execution.

Severity in plain terms

All of the vulnerabilities above allow an attacker to execute code remotely with almost no authentication required. In practice, the attacker can simply trick users or employees into clicking a malicious link, typically delivered by email, or into visiting a website the attacker has set up.

Once the user or employee opens that link or website, specially crafted HTML can trigger the flaw in HMS Networks' eCatcher, which could give the attacker complete control of the targeted system.

Preventive measures

After Claroty reported the vulnerabilities, all three vendors released the necessary security fixes and patches.

Secomea users need to update to the newly released GateManager versions 9.2c / 9.2i; Moxa users need to update the EDR-G902/G903 to firmware version v5.5, available for the EDR-G902 series and the EDR-G903 series; and HMS Networks users need to update eCatcher to version 6.5.5 or later.
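The practical follow-up for a defender is confirming that every affected asset actually runs a fixed version. The script below is an added example, not code from the article, from Claroty or from any of the vendors. It takes an asset inventory of (host, product, version) rows, compares each version against the fixed versions the article names (GateManager 9.2c / 9.2i, Moxa EDR-G902/G903 v5.5, eCatcher 6.5.5) and reports which hosts still need patching. The inventory rows are constructed sample data, and treating any version at or above the lowest listed fix as patched is this example's assumption, not something the article states.

```python
"""Patch-compliance check for the three products named in the Claroty report.

Added example, not from the article or the vendors. The inventory below is
constructed sample data; replace it with rows from your own asset register.
"""
import re
from typing import Dict, List, Tuple

# Fixed versions as the article states them. Assumption (not from the article):
# a version at or above the LOWEST listed fix counts as patched.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Secomea GateManager": ["9.2c", "9.2i"],
    "Moxa EDR-G902": ["5.5"],
    "Moxa EDR-G903": ["5.5"],
    "HMS eCatcher": ["6.5.5"],
}

# Constructed sample inventory: (host, product, installed version)
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("gm-cloud-01", "Secomea GateManager", "9.2b"),
    ("gm-cloud-02", "Secomea GateManager", "9.2i"),
    ("edr-plant-a", "Moxa EDR-G902", "v5.4"),
    ("edr-plant-b", "Moxa EDR-G903", "v5.5"),
    ("eng-ws-07", "HMS eCatcher", "6.5.4"),
    ("eng-ws-08", "HMS eCatcher", "6.6.0"),
    ("fw-edge-01", "Other Vendor Firewall", "1.0"),  # not covered by the report
]

# One dotted component: a number with an optional letter suffix, e.g. "2c"
_COMPONENT = re.compile(r"^(\d+)([a-z]*)$")


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '9.2c' or 'v5.5' into a tuple that sorts the way release numbers do.

    Each dotted component becomes (number, letter_suffix), so that
    9.2 < 9.2c < 9.2i < 9.3 and integers are never compared against strings.
    A leading 'v' (Moxa firmware style) is stripped first.
    """
    cleaned = version.strip().lower().lstrip("v")
    parts = []
    for piece in cleaned.split("."):
        match = _COMPONENT.match(piece)
        if not match:
            raise ValueError(f"unrecognised version component {piece!r} in {version!r}")
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)


def is_patched(product: str, version: str) -> bool:
    """True if the installed version is at or above the lowest fixed version."""
    threshold = min(parse_version(fixed) for fixed in FIXED_VERSIONS[product])
    return parse_version(version) >= threshold


def audit(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Classify every inventory row as patched, needs-patch, not-in-scope or unparseable."""
    report = []
    for host, product, version in inventory:
        if product not in FIXED_VERSIONS:
            status = "not-in-scope"
        else:
            try:
                status = "patched" if is_patched(product, version) else "needs-patch"
            except ValueError:
                # A version string we cannot read must be looked at by a human,
                # never silently treated as patched.
                status = "unparseable-version"
        report.append({"host": host, "product": product, "version": version, "status": status})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['product']:<24} {row['version']:<8} {row['status']}")
```

The version parser deliberately fails loudly on strings it does not understand rather than guessing, because a misread version would silently mark a vulnerable device as safe; in a real run the "unparseable-version" rows are the ones to chase by hand.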