Cybersecurity researchers at Claroty have disclosed remote code execution vulnerabilities affecting VPN implementations used to provide remote access to operational technology (OT) networks.
These dedicated remote access solutions are aimed at the industrial control system (ICS) industry, where they serve mainly for maintenance and monitoring of field controllers and devices such as programmable logic controllers (PLCs) and input/output (IO) devices.
These solutions are deployed at the outer layer boundaries of the network and provide access to the field controllers and devices.
How the VPN Flaws Could Allow Attackers to Target Critical Infrastructure
The researchers discovered multiple security flaws in Secomea's GateManager, including a critical vulnerability tracked as CVE-2020-14500 that could allow an attacker to overwrite arbitrary data, execute arbitrary code or cause a denial-of-service (DoS) condition, as well as run commands as root to obtain user passwords.
Because the virtual private network (VPN) is typically deployed at level 5 of the Purdue model to provide access to the field controllers located at level 1/0 (see image below), exploiting these vulnerabilities can give an attacker direct access to the field devices.
Successful exploitation therefore gives an attacker direct access to the ICS devices and could cause damage to the organization's infrastructure.
Other vulnerable products include the Moxa EDR-G902 and EDR-G903 industrial VPN servers, in which a stack-based buffer overflow (CVE-2020-14511) was discovered in the system web server. The bug can be triggered by sending a specially crafted HTTP request, allowing an attacker to achieve remote code execution without any credentials.
Also, HMS Networks' eCatcher, a proprietary VPN client that connects to the company's eWon VPN device, was found to be vulnerable to a critical stack-based buffer overflow (CVE-2020-14498) that could be exploited to achieve remote code execution.
How to Mitigate the VPN Flaws
The vendors were notified of the vulnerabilities and responded quickly by releasing fixes for their respective products.
Users of these products are therefore advised to update to the newly released versions: GateManager to version 9.2c / 9.2i, Moxa EDR-G902/3 to version v5.5 (firmware updates are available for both the EDR-G902 series and the EDR-G903 series), and HMS Networks eCatcher to version 6.5.5 or later.