29 July 2020

RCE vulnerabilities found in industrial VPN solutions

Researchers have found critical vulnerabilities in several industrial VPN implementations used for remote access to operational technology (OT) networks. Exploiting the flaws allows attackers to overwrite data, execute malicious code or commands, or cause a denial-of-service (DoS) condition, among other outcomes.

“Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage,” Claroty researchers noted.

Flaws were found in Secomea’s GateManager M2M Server, Moxa’s industrial VPN servers with an all-in-one secure router, and HMS Networks’ eCatcher VPN client.

Secomea GateManager contained multiple security flaws:

  • CVE-2020-14500 — improper neutralization of null byte or null characters. Can be exploited by a remote unauthorized attacker to execute malicious code and gain access to a client's internal network;

  • CVE-2020-14508 — off-by-one vulnerability that allows remote code execution or a DoS attack;

  • CVE-2020-14510 — hardcoded telnet credentials;

  • CVE-2020-14512 — weak hash type that could reveal users’ passwords.

Moxa’s EDR-G902 and EDR-G903 series secure routers/VPN servers sport a stack-based buffer overflow bug (CVE-2020-14511) that could lead to RCE.

A stack buffer overflow issue (CVE-2020-14498) was also discovered in HMS Networks’ eCatcher, a VPN client for remote performance management of industrial equipment. An attacker could exploit the vulnerability by tricking a victim into visiting a malicious website or opening an email containing a specially crafted malicious HTML element.

“By sending socially-engineered emails that embed specifically crafted images capable of exploiting CVE-2020-14498, an attacker could execute code with the highest privileges and completely take over a victim’s machine just by making the victim view the malicious email,” researchers said.
