Researchers at Claroty have found critical vulnerabilities in several industrial VPN products used for remote access to operational technology (OT) networks. Exploiting the flaws lets an attacker overwrite arbitrary data, execute malicious code or commands, or cause a denial-of-service (DoS) condition.
“Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage,” Claroty researchers noted.
The flaws were found in Secomea’s GateManager M2M server, Moxa’s EDR-G902/G903 all-in-one secure routers with built-in VPN servers, and HMS Networks’ eCatcher VPN client.
Secomea GateManager contained multiple security flaws:
CVE-2020-14500 — improper neutralization of a null byte (NUL character). Can be exploited by a remote, unauthenticated attacker to execute malicious code and gain access to a client’s internal network;
CVE-2020-14508 — off-by-one vulnerability that allows remote code execution or a DoS attack;
CVE-2020-14510 — hardcoded Telnet credentials;
CVE-2020-14512 — use of a weak password hash, which could let an attacker recover users’ passwords.
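To make concrete what “improper neutralization of a null byte” (the weakness class of CVE-2020-14500) means in practice, here is an added illustration in C. It is not Secomea’s code and says nothing about how GateManager actually parses requests; the length-prefixed filename format, the log directory, the suffix rule and all function names are assumptions made for the example. The bug shown is the classic one for this class: a check that honours an explicit length field, followed by a C-string operation that stops at the first NUL, so the two see different strings.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added illustration, not Secomea's code. Assumed request format: the client sends a
 * filename as an explicit byte count plus that many raw bytes, and the server appends
 * it to a fixed log directory. LOG_DIR, SUFFIX and the function names are invented. */

#define OUT_SZ 128
static const char LOG_DIR[] = "/var/log/app/";
static const char SUFFIX[]  = ".log";

/* Suffix check over the explicit length: it deliberately does not stop at a NUL byte. */
static int ends_with_suffix(const unsigned char *name, size_t name_len)
{
    size_t sl = strlen(SUFFIX);
    return name_len >= sl && memcmp(name + name_len - sl, SUFFIX, sl) == 0;
}

/* VULNERABLE: the ".log" check sees all name_len bytes, but the path is then built
 * with a %s-style conversion, which stops at the first NUL. A name such as
 * "../../etc/passwd\0.log" passes the check yet yields "/var/log/app/../../etc/passwd". */
int build_log_path_vulnerable(const unsigned char *name, size_t name_len,
                              char *out, size_t out_sz)
{
    if (!ends_with_suffix(name, name_len))
        return -1;
    /* %.*s writes at most name_len bytes but still stops at an embedded NUL. */
    snprintf(out, out_sz, "%s%.*s", LOG_DIR, (int)name_len, (const char *)name);
    return 0;
}

/* HARDENED: treat the explicit-length field as binary data and reject anything that
 * C-string functions (NUL) or the filesystem ('/') would interpret differently,
 * then do the same check and a length-bounded copy. */
int build_log_path_hardened(const unsigned char *name, size_t name_len,
                            char *out, size_t out_sz)
{
    if (name_len == 0 || memchr(name, '\0', name_len) != NULL)
        return -1;                              /* embedded NUL: reject outright */
    if (memchr(name, '/', name_len) != NULL)
        return -1;                              /* no path separators in a bare filename */
    if (!ends_with_suffix(name, name_len))
        return -1;
    if (strlen(LOG_DIR) + name_len + 1 > out_sz)
        return -1;                              /* would not fit, including terminator */
    memcpy(out, LOG_DIR, strlen(LOG_DIR));
    memcpy(out + strlen(LOG_DIR), name, name_len);
    out[strlen(LOG_DIR) + name_len] = '\0';
    return 0;
}

/* Constructed inputs: a benign name and one where a NUL byte splits the two views. */
static const unsigned char BENIGN[] = "audit.log";
static const unsigned char EVIL[]   = "../../etc/passwd\0.log";
/* sizeof(...) - 1 drops the literal's own terminator but keeps the embedded NUL. */
#define BENIGN_LEN (sizeof(BENIGN) - 1)
#define EVIL_LEN   (sizeof(EVIL) - 1)

/* Returns 1 if the vulnerable builder accepts EVIL and the resulting path escapes LOG_DIR. */
int demo_vulnerable_escapes(void)
{
    char out[OUT_SZ];
    return build_log_path_vulnerable(EVIL, EVIL_LEN, out, sizeof out) == 0 &&
           strcmp(out, "/var/log/app/../../etc/passwd") == 0;
}

/* Returns 1 if the hardened builder rejects EVIL but still accepts BENIGN. */
int demo_hardened_rejects_evil_accepts_benign(void)
{
    char out[OUT_SZ];
    return build_log_path_hardened(EVIL, EVIL_LEN, out, sizeof out) == -1 &&
           build_log_path_hardened(BENIGN, BENIGN_LEN, out, sizeof out) == 0 &&
           strcmp(out, "/var/log/app/audit.log") == 0;
}

int main(void)
{
    printf("vulnerable accepts NUL-spliced name and escapes log dir: %s\n",
           demo_vulnerable_escapes() ? "yes" : "no");
    printf("hardened rejects it and still accepts audit.log: %s\n",
           demo_hardened_rejects_evil_accepts_benign() ? "yes" : "no");
    return 0;
}
```

The point to take from the hardened version is not the particular checks but the discipline: once a field arrives with an explicit length, every operation on it has to use that length, and any byte that would change meaning in a different representation (NUL for C strings, '/' for paths) is rejected before the data reaches an API that uses that representation.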
Moxa’s EDR-G902 and EDR-G903 series secure routers/VPN servers contain a stack-based buffer overflow (CVE-2020-14511) that could lead to remote code execution.
A stack-based buffer overflow (CVE-2020-14498) was also found in HMS Networks’ eCatcher, a VPN client used for remote management of industrial equipment. An attacker could exploit it by tricking a victim into visiting a malicious website or opening an email containing a specially crafted malicious HTML element.
“By sending socially-engineered emails that embed specifically crafted images capable of exploiting CVE-2020-14498, an attacker could execute code with the highest privileges and completely take over a victim’s machine just by making the victim view the malicious email,” the researchers said.