Security researchers from Claroty have discovered multiple vulnerabilities that could be exploited to allow unauthenticated attackers to execute arbitrary code while analyzing a number of popular remote access solutions used for Industrial Control Systems (ICS).
The vulnerabilities the researchers found affect VPN implementations that are used to provide remote access to operational technology (OT) networks.
Following Claroty’s discovery and reporting of a critical vulnerability, tracked as CVE-2020-14511, in Moxa’s EDR-G902 and EDR-G903 secure routers, the team then discovered that products from Secomea and HMS Networks also had severe flaws that could be exploited to gain full access to an organization’s internal network without authentication.
Organizations utilize remote access servers to manage secure connections from outside their local networks. However, if an attacker manages to gain access to them, they can view internal traffic and even reach hosts on the network. In a report on its findings, Claroty provided further insight on why vulnerable remote access servers pose such a severe risk to organizations, saying:
“Vulnerable remote access servers can serve as highly effective attack surfaces for threat actors targeting VPNs. These tools allow clients to connect through an encrypted tunnel to a server. The server then forwards the communication into the internal network. This means the server is a critical asset in the network—as it has one “leg” in the internet, accessible to all, and one ”leg” in the secured, internal network—beyond all perimeter security measures. Thus, gaining access to it allows attackers to not only view internal traffic but also communicate as if they were a legitimate host within the network.”
Remote code execution
Secomea GateManager is a widely used ICS remote access server that is deployed by organizations around the world. However, Sharon Brizinov and Tal Keren from the Claroty Research Team discovered that it contained multiple security flaws including a critical vulnerability, tracked as CVE-2020-14500, that affects the GateManager component.
If exploited, this bug could allow an attacker to achieve remote code execution without any authentication and grant them full access to a customer’s internal network as well as the ability to decrypt all traffic that passes through the VPN. Thankfully though, Claroty notified Secomea of the issue and the firm issued a patch on July 10 to address the vulnerabilities.
Claroty also discovered a vulnerability that could lead to remote code execution in HMS Networks’ eWon VPN. eWon allows remote clients to connect to it using a proprietary VPN client called eCatcher. Brizinov discovered that a vulnerability in eCatcher, tracked as CVE-2020-14498, could allow unauthenticated remote code execution. Just as it did with Secomea, Claroty informed HMS Networks of its discovery and the firm released a patch to address the bug on July 14.
- We’ve also highlighted the best VPN services