sb-nz logo
Story image

VPN vulnerabilities pose serious risk to OT Networks

30 Jul 2020

Researchers from cybersecurity firm Claroty has uncovered vulnerabilities in VPN servers and clients, including Seacomea GateManager, Moxa industrial VPN server, and the HMS eWon.

According to researchers, these products are widely used in industries such as water, oil and gas, and electricity providers and other places where remote sites demand secure connectivity.

These industries use VPNs to enable remote workers and third parties to connect to customer sites in order to provide monitoring or maintenance to programmable logic controllers, as well as other devices.

The vulnerabilities could enable attackers to take control of VPN servers and clients to gain access to internal, secure networks. Attackers can also slip past perimeter security, leading to a complete security breach.

Furthermore, attackers could potentially decrypt all traffic passing through the organisation’s VPN. 

Claroty researchers share further details about the products and associated vulnerabilities. All respective vendors have now patched the vulnerabilities in their products.

“Claroty says these products are typically offered as white-labelled solutions that companies can purchase for their own use, but because the underlying software is the same in all variations, the vulnerabilities would be common to all.”

Secomea GateManager - CVE-2020-14500

The bug results from improper handling of some of the HTTP request headers provided by the client. Claroty says it could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic passing through the VPN.

Moxa industrial VPN server - CVE-2020-14511

Claroty says these industrial VPN routers are widely used across critical infrastructure sectors such as manufacturing, energy and transportation and often exposed to the Internet. An attacker could use a specially crafted HTTP request to trigger a stack-based overflow in the system web server and carry out remote code execution without the need for any credentials.

HMS eWon - CVE-2020-14498

eWon is a VPN device that remote clients connect to using a proprietary VPN client called eCatcher, which runs on a PC. Attackers can send a phishing email to the address associated with that PC and compromise eCatcher. If a user opens the email, the attacker can run code with highest privilege and then compromise the machine.
 
“With the growth in remote working, Claroty expects to see increased use of these platforms and increased use for security-critical applications. It predicts that these and other vulnerabilities could be exploited by financially motivated attackers to launch DDoS attacks,” the company concludes.