AttackerKB AKB:10EA1EFD-6C95-4B64-9784-A817B1822004
History: Dec 21, 2020 - 12:00 a.m.

Remote Code Execution Vulnerabilities in Secomea, Moxa, and HMS eWon VPNs

2020-12-21 00:00:00
attackerkb.com

CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

Security researchers at Claroty published details on multiple pre-auth remote code execution vulnerabilities affecting virtual private network (VPN) implementations primarily used to provide remote access to operational technology (OT) networks. The vulnerabilities could allow unauthenticated attackers to execute arbitrary code.

Individual CVEs referenced in Claroty’s research include CVE-2020-14500, CVE-2020-14508, CVE-2020-14510, CVE-2020-14512, CVE-2020-14511, and CVE-2020-14498. Affected products include Secomea GateManager, Moxa EDR-G902/3 industrial VPN servers, and eWon by HMS Networks.

Recent assessments:

ccondon-r7 at July 30, 2020 3:06am UTC reported:

The exposed target population may be comparatively low to, say, the whole of the internet, but Rapid7 Labs has noted—rightly so—that a couple thousand exposed gateways is still a pretty concerning state of affairs when those gateways are protecting industrial control systems. Pre-authenticated RCE in VPN products guarding ICS/OT networks during a pandemic is, as the kids say, bad news bears—and that’s not to make light, because this ain’t light. The good news is that there are patches out for all these vulns, even though the downtime required to patch and verify effectively might be nothing to sneeze at. Longer analysis and recommendations by smart people here.

Researchers from around Rapid7’s world (and likely others, too!) have said today that there is likely lower-hanging fruit that will be surfaced in the coming days, particularly around nerve-wracking findings such as exposed Telnet administration ports. There’s a lot of well-justified attention on this grouping of vulns, and with that attention comes increased focus on attack opportunities in general…and the stuff we see clogging up our security noise machines won’t be the only stuff well-resourced attackers are paying attention to. Patch as soon as possible (and yep, easier said than done).

Assessed Attacker Value: 5
