Industrial VPN Security & Flaws that could lead to Critical Infrastructure Failure

  • What is the difference between VPN and Industrial VPN? Why do we need a VPN?

A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network. Encryption is common, although not an inherent, part of a VPN connection.

 

Enter the industrial VPN. Ordinary VPNs (virtual private networks) create a protected network through which data can pass, but which prevents spying and hacking attempts to preserve privacy, usually through a combination of firewalls and encryption. The VPN creates a safe “tunnel” for data to pass through. These networks have a lot of applications for both business and personal users: The industrial version of a VPN simply expands the concept to apply to any equipment that can also connect to a network, especially equipment that may otherwise be difficult to protect, like devices being used out in the field. While industrial VPNs can come in a variety of shapes, they typically require a specialized router. This router device that’s designed to facilitate connections across a broad area – say, a warehouse or factory. These routers usually have multiple connection options for networks so that companies can choose the connection option that works best for them. However, wireless connections of varying kinds tend to be the most popular, especially if companies have a broad array of devices they need to connect. Importantly, these industrial VPNs are also typically managed via a provider, usually through cloud services. That means that data can be collected and monitored from their own dedicated servers, taking a lot of the work of the hands of the industrial company itself. This is a boon to companies that need a robust solution like this, but aren’t ready to set up and manage their own servers or VPN

Surfing the web or transacting on an unsecured Wi-Fi network means you could be exposing your private information and browsing habits. That’s why a virtual private network, better known as a VPN, should be a must for anyone concerned about their online security and privacy. Think about all the times you’ve been on the go, reading emails while in line at the coffee shop, or checking your bank account while waiting at the doctor’s office. Unless you were logged into a private Wi-Fi network that requires a password, any data transmitted during your online session could be vulnerable to eavesdropping by strangers using the same network. The encryption and anonymity that a VPN provides, helps in protecting your online activities: sending emails, shopping online, or paying bills. VPNs also help keep your web browsing anonymous.

 

  • Flaws leading to the threat of critical infrastructure failure:

Cybersecurity researchers have discovered critical vulnerabilities in industrial VPN implementations primarily used to provide remote access to operational technology (OT) networks that could allow hackers to overwrite data, execute malicious code, and compromise industrial control systems (ICS).

Demonstration of multiple severe vulnerabilities in enterprise-grade VPN installations, including Secomea GateManager M2M Server, Moxa EDR-G902, and EDR-G903, and HMS Networks eWon's eCatcher VPN client. These vulnerable products are widely used in field-based industries such as oil and gas, water utilities, and electric utilities to remotely access, maintain and monitor ICS and field devices, including programmable logic controllers (PLCs) and input/output devices.

In Secomean's GateManager, researchers uncovered multiple security flaws, including a critical vulnerability (CVE-2020-14500) that allows overwriting arbitrary data, executing arbitrary code, or causing a DoS condition, running commands as root, and obtaining user passwords due to the use of a weak hash type. The critical flaw, identified as CVE-2020-14500, affects the GateManager component, the main routing instance in the Secomea remote access solution. The flaw occurs due to improper handling of some of the HTTP request headers provided by the client. This flaw can be exploited remotely and without requiring any authentication to achieve remote code execution, which could result in gaining full access to a customer's internal network, along with the ability to decrypt all traffic that passes through the VPN.

Researchers also tested HMS Networks' eCatcher, a proprietary VPN client that connects to the company's eWon VPN device, and found that the product is vulnerable to a critical stack-based buffer overflow (CVE-2020-14498) that can be exploited to achieve remote code execution.

All an attacker needs to do is tricking victims into visiting a malicious website or opening a malicious email containing a specifically crafted HTML element that triggers the flaw in eCatcher, eventually allowing attackers to take complete control of the targeted machine

Recommendations

It is recommended to consider the following best practices:

  • Notify vendors of the vulnerabilities and request them to release security fixes that patch their products' loopholes.
  • Secomea users are recommended to update their products to the newly released GateManager versions 9.2c / 9.2i.
  • Moxa users need to update EDR-G902/3 to version v5.5 by applying firmware updates available for the EDR-G902 series and EDR-G903 series.
  • HMS Networks users are advised to update eCatcher to Version 6.5.5 or later.
  • Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates. They permanently store the key to allow the tunnel to establish automatically, without intervention from the administrator.