Getting from 5 to 0: VPN Security Flaws Pose Cyber Risk to Organizations with Remote OT Personnel
By The Claroty Research Team
July 28, 2020
In recent months, Claroty researchers have discovered remote code execution vulnerabilities affecting virtual private network (VPN) implementations primarily used to provide remote access to operational technology (OT) networks. These dedicated remote access solutions are mainly focused on the industrial control system (ICS) industry, and their main use case is to provide maintenance and monitoring to field controllers and devices including programmable logic controllers (PLCs) and input/output (IO) devices. Such solutions are typically deployed at the outer layer boundaries of the network at level 5 of the Purdue model and provide access to the field controllers and devices located at level 1/0. Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage.
The vulnerable products are widely used in field-based industries such as oil & gas, water utilities, and electric utilities, where secure connectivity to remote sites is critical. Apart from connectivity between sites these solutions are also used to enable remote operators and third-party vendors to dial into customer sites and provide maintenance and monitoring for PLCs and other Level 1/0 devices. This kind of access has become especially prioritized in recent months due to the new reality of COVID-19.
To better understand the risk posed by the exploitation of these vulnerabilities and what can be done to defend against such attacks, we extensively tested the security posture of a few popular remote access solutions. Our findings are as follows:
Owning the Cloud (Secomea CVE-2020-14500)
Vulnerable remote access servers can serve as highly effective attack surfaces for threat actors targeting VPNs. These tools allow clients to connect through an encrypted tunnel to a server. The server then forwards the communication into the internal network. This means the server is a critical asset in the network—as it has one “leg” in the internet, accessible to all, and one ”leg” in the secured, internal network—beyond all perimeter security measures. Thus, gaining access to it allows attackers to not only view internal traffic but also communicate as if they were a legitimate host within the network.
Furthermore, in recent years we have seen a shift toward cloud-based remote access solutions, which typically enable rapid deployment and reduce cost. Usually, they also offer white-labeled solutions that large-scale companies can purchase to have their own personal cloud while the underlying software is exactly the same. Thus, finding bugs in one instance could mean that all other instances would be affected, too.
Secomea GateManager is a widely used ICS remote access server deployed worldwide as a cloud-based SaaS solution with many general-purpose and white-label instances deployed. According to Secomea’s website the GateManager cloud server is designed to deliver the convenience of fast and easy web access, while avoiding server setups.
Sharon Brizinov and Tal Keren from our Claroty Research Team discovered that it contained multiple security flaws, including a critical vulnerability (CVE-2020-14500) that affects the GateManager component, which is the main routing instance in the Secomea remote access solution. The GateManager component is located at the perimeter of the customer network exposed to external networks such as the internet and accepts the connection from remote sites/clients. These cloud servers are multi-tenant but can also be installed and configured as on-premise solutions.
The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required. If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN.
Claroty researchers first notified Secomea of this issue on May 26, 2020 and a patch has been available since July 10, 2020.
Owning the Field (Moxa CVE-2020-14511)
One of the big challenges of the ICS industry is the secure connection between remote sites and the main data center where the SCADA/data collection server is located. In recent times we have seen multiple events where internet-facing ICS devices have been accessed directly without the need for any credentials; this threat has recently been addressed in a CISA alert. To avoid such scenarios, multiple ICS VPN solutions exist that are able to make these remote connections between site and central in a secure manner.
Tal Keren from our Claroty Research Team also tested Moxa EDR-G902/3 industrial VPN servers and discovered a stack-based overflow vulnerability (CVE-2020-14511) that we detailed in a recent blog post. Exploiting this security flaw, an attacker could use a specially crafted HTTP request to trigger a stack-based overflow in the system web server and carry out remote code execution without the need for any credentials.
Claroty researchers first notified Moxa of this issue on April 13, 2020, and a patch has been available since June 9, 2020.
Owning the Client (HMS eWon CVE-2020-14498)
Another prevalent attack surface for targeting VPNs is the client. Gaining control of an authorized user’s computer grants attackers access to that user’s VPN credentials, as well as those for other employee accounts that could enable the adversary to penetrate and further expand their foothold within the organization’s internal network without needing to tackle the server instance.
The eWon product by HMS Networks offers connectivity solutions that allow machine builders and factory owners to remotely monitor the performance of their equipment. In other words, eWon is a VPN device that remote clients can connect to using a proprietary VPN client named eCatcher. Sharon Brizinov from our Claroty Research Team conducted testing on eWon’s eCatcher remote access solution for industrial control systems. In doing so, he discovered a critical stack-buffer overflow bug (CVE-2020-14498) that can be exploited to achieve remote code execution by visiting a malicious website or opening a malicious email which contains a specifically crafted HTML element which is able to trigger the vulnerability in eCatcher.
As the attack vector for our POC, we chose to demonstrate exploitation of vulnerability through phishing. By sending socially engineered emails that embed specifically crafted images capable of exploiting CVE-2020-14498, an attacker could execute code with the highest privileges and completely take over a victim’s machine just by making the victim view the malicious email. The exploitation phase occurs immediately when the email client (e.g. Outlook) is loading the malicious images.
Claroty researchers first notified HMS Networks of this issue on May 12, 2020 and a patch has been available since July 14, 2020.
The remote access trend
In recent weeks we have seen numerous vulnerabilities published on popular remote access solutions. High-profile examples include: CVE-2020-2034 and CVE-2020-5902. We expect that in the COVID-19 reality of working from home, the increased use of these platforms will drive increased interest both from the operational side, as they become more process-critical, and from the security side, as they become more common. Denial-of-service (DoS) attacks on these components of the enterprise infrastructure could potentially emerge as a new tactic used by financially motivated attackers.
Advanced persistent threat (APT) activity is on the rise, and we have seen this activity shift from wide-reaching, largely indiscriminate attacks to highly specific targeted attacks. OT has been a significant focus in recent months as a key target for ransomware groups, and such attacks have been primarily focused on the information technology (IT) components of OT networks, such as human machine interfaces (HMIs) and engineering workstations.
Leveraging vulnerabilities in edge devices such as those from Secomea, eWon, and Moxa can provide these groups with direct access to ICS devices and key target areas, which when taken over could potentially yield the most benefit for these attackers’ business model. A good example of attackers using this exact tactic is the recent Honda attack.
Claroty has been focusing on client-side attacks due to the increase in APT activity targeting OT networks leveraging phishing campaigns as an attack vector. The main focus of our research in this area is to find vulnerabilities and exploits targeting OT-relevant clients, as shown here through attacks on VPN clients. Nadav Erez from our Claroty Research Team has recently done additional research in these areas and will be presenting his findings during his ICS Village talk at DEF CON 2020, showing how these types of phishing campaigns may also abuse ICS-specific file types to specifically target OT engineers.
To conclude, we would like to thank the vendors of the products with the reported vulnerabilities for their quick response time. Such products and the nature of their deployment requires a swift response to enable the effective mitigation of risks posed by these types of attacks.
We would also like to emphasize that these vulnerabilities reinforce the unique risks inherent to OT remote access. While the security features of most VPNs make them generally well-suited and secure for IT remote access, such features tend to be less comprehensive than the stringent role- and policy-based administrative controls and monitoring capabilities required to secure OT remote access connections and minimize the risks introduced by employees and third-parties.
Advisories have been issued for the following VPN-related CVEs discovered by Claroty researchers:
Secomea’s GateManager CVEs
Secomea has released new GateManager versions 9.2c / 9.0i to mitigate the reported vulnerabilities. The most up-to-date release at the time of this can be found here.
IMPROPER NEUTRALIZATION OF NULL BYTE OR NULL CHARACTER CWE-158
An attacker can send a negative value and overwrite arbitrary data.
OFF-BY-ONE ERROR CWE-193
The affected product is vulnerable to an off-by-one error, which may allow an attacker to remotely execute arbitrary code or cause a denial-of-service condition.
USE OF HARD-CODED CREDENTIALS CWE-798
The affected product contains a hard-coded credential for telnet, allowing an unprivileged attacker to execute commands as root.
USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916
The affected product uses a weak hash type, which may allow an attacker to view user passwords.
Moxa’s EDR-G902/3 CVEs
Moxa recommends users update EDR-G902/3 to version v5.5 by applying the respective firmware updates available for the EDR-G902 series and EDR-G903 series.
STACK-BASED BUFFER OVERFLOW CWE-121
The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.