Cybersecurity researchers have discovered critical vulnerabilities in industrial VPN implementations primarily used to provide remote access to operational technology (OT) networks that could allow hackers to overwrite data, execute malicious code, and compromise industrial control systems (ICS).
A new report [published](<https://www.claroty.com/2020/07/28/vpn-security-flaws/>) by industrial cybersecurity company Claroty demonstrates multiple severe vulnerabilities in enterprise-grade VPN installations, including Secomea GateManager M2M Server, Moxa EDR-G902, and EDR-G903, and HMS Networks eWon's eCatcher VPN client.
These vulnerable products are widely used in field-based industries such as oil and gas, water utilities, and electric utilities to remotely access, maintain and monitor ICS and field devices, including programmable logic controllers (PLCs) and input/output devices.
According to Claroty researchers, successful exploitation of these vulnerabilities can give an unauthenticated attacker direct access to the ICS devices and potentially cause some physical damage.
In Secomea's GateManager, researchers uncovered multiple security flaws, including a critical vulnerability (CVE-2020-14500) that allows overwriting arbitrary data, alongside flaws that allow executing arbitrary code or causing a DoS condition, running commands as root, and obtaining user passwords due to the use of a weak hash type.
GateManager is a widely used ICS remote access server deployed worldwide as a cloud-based SaaS solution that allows users to connect to the internal network from the internet through an encrypted tunnel while avoiding server setups.
The critical flaw, identified as CVE-2020-14500, affects the GateManager component, the main routing instance in the Secomea remote access solution. The flaw occurs due to improper handling of some of the HTTP request headers provided by the client.
This flaw can be exploited remotely and without requiring any authentication to achieve remote code execution, which could result in gaining full access to a customer's internal network, along with the ability to decrypt all traffic that passes through the VPN.
In Moxa EDR-G902 and EDR-G903 industrial VPN servers, researchers discovered a stack-based buffer overflow bug (CVE-2020-14511) in the system web server that can be triggered just by sending a specially crafted HTTP request, eventually allowing attackers to carry out remote code execution without the need for any credentials.
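Both server-side flaws above come down to trusting a client-supplied HTTP header: GateManager mishandles request headers (the AttackerKB assessment quoted later on this page reports a negative `Content-Length` crashing `gm_server`), and the Moxa web server copies an over-long cookie into a 512-byte stack buffer. The following C program is an added example, not code from the article, Claroty, Secomea or Moxa. It shows the defensive handling of those two headers: `Content-Length` parsed as an unsigned, digit-only, bounded value, and the `Cookie` value copied with a bound that leaves room for the terminator. All function names, the 1 MiB body cap and the sample requests are constructed for this example.

```c
/* Added example (not code from the page, Claroty, Secomea or Moxa): strict
 * handling of the two request headers the article says were mishandled.
 * Names, limits and sample requests are constructed for this example. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define COOKIE_BUF 512          /* same buffer size as the Moxa webs snippet on the page */
#define MAX_BODY   (1u << 20)   /* hypothetical 1 MiB cap on request bodies */

enum hdr_status { HDR_OK = 0, HDR_MISSING = 1, HDR_INVALID = 2, HDR_TOO_LONG = 3 };

/* Case-insensitive comparison of n bytes, used for header names. */
static int name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Locate a header's value in a CRLF-separated header block without copying.
 * Returns a pointer into 'headers' plus the trimmed value length, or NULL. */
static const char *find_header(const char *headers, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *line = headers; *line; ) {
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && name_eq(line, name, nlen)) {
            const char *v = line + nlen + 1, *end = line + llen;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            while (end > v && (end[-1] == ' ' || end[-1] == '\t')) end--;
            *len = (size_t)(end - v);
            return v;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return NULL;
}

/* Content-Length: digits only (so "-1" is rejected instead of being parsed
 * as a negative length), at most 10 digits, and no larger than MAX_BODY. */
enum hdr_status validate_content_length(const char *headers, uint32_t *out)
{
    size_t len;
    const char *v = find_header(headers, "Content-Length", &len);
    if (!v) return HDR_MISSING;
    if (len == 0 || len > 10) return HDR_INVALID;
    uint64_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (!isdigit((unsigned char)v[i])) return HDR_INVALID;
        n = n * 10 + (uint64_t)(v[i] - '0');
    }
    if (n > MAX_BODY) return HDR_TOO_LONG;
    *out = (uint32_t)n;
    return HDR_OK;
}

/* Cookie: copy into a caller-supplied buffer. The bound is len >= dstsize,
 * not len > dstsize: with a 512-byte buffer a 512-byte cookie must fail,
 * otherwise the terminating write dst[len] lands one byte past the array. */
enum hdr_status copy_cookie(const char *headers, char *dst, size_t dstsize, size_t *out_len)
{
    size_t len;
    const char *v = find_header(headers, "Cookie", &len);
    if (!v) return HDR_MISSING;
    if (len >= dstsize) return HDR_TOO_LONG;
    memcpy(dst, v, len);
    dst[len] = '\0';            /* in bounds: len <= dstsize - 1 */
    *out_len = len;
    return HDR_OK;
}

/* Validate one request's headers: 0 when acceptable, else the failing status.
 * Both headers are optional; a bad value in either rejects the request. */
int handle_request(const char *headers)
{
    char cookie[COOKIE_BUF];
    uint32_t body_len = 0;
    size_t cookie_len = 0;
    enum hdr_status s = validate_content_length(headers, &body_len);
    if (s != HDR_OK && s != HDR_MISSING) return (int)s;
    s = copy_cookie(headers, cookie, sizeof cookie, &cookie_len);
    if (s != HDR_OK && s != HDR_MISSING) return (int)s;
    return HDR_OK;
}

/* Probe the cookie bound: build a request whose Cookie value is n bytes of
 * 'A' and return handle_request()'s verdict (-1 on allocation failure). */
int long_cookie_status(size_t n)
{
    char *req = malloc(n + 16);
    if (!req) return -1;
    memcpy(req, "Cookie: ", 8);
    memset(req + 8, 'A', n);
    memcpy(req + 8 + n, "\r\n", 3);
    int r = handle_request(req);
    free(req);
    return r;
}

/* Constructed sample header blocks (not captured traffic). */
static const char GOOD_REQ[] = "Host: gateway.example\r\nContent-Length: 42\r\nCookie: sid=abc123\r\n";
static const char NEG_LEN_REQ[] = "Host: gateway.example\r\nContent-Length: -1\r\n";

int main(void)
{
    printf("well-formed request: %d\n", handle_request(GOOD_REQ));       /* 0 */
    printf("negative Content-Length: %d\n", handle_request(NEG_LEN_REQ)); /* 2 */
    printf("511-byte cookie: %d, 512-byte cookie: %d\n",
           long_cookie_status(511), long_cookie_status(512));            /* 0, 3 */
    return 0;
}
```

The two checks are deliberately separate functions so each can be unit-tested at its boundary: `long_cookie_status(511)` is accepted and `long_cookie_status(512)` is refused, which is exactly the case a `512 < len` comparison would let through.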
Claroty researchers also tested HMS Networks' eCatcher, a proprietary VPN client that connects to the company's eWon VPN device, and found that the product is vulnerable to a critical stack-based buffer overflow (CVE-2020-14498) that can be exploited to achieve remote code execution.
All an attacker needs to do is trick victims into visiting a malicious website or opening a malicious email containing a specifically crafted HTML element that triggers the flaw in eCatcher, eventually allowing attackers to take complete control of the targeted machine.
All three vendors were notified of the vulnerabilities and responded quickly with security fixes that close the reported holes.
Secomea users are recommended to update their products to the newly [released](<https://kb.secomea.com/helpdesk/KB/View/25546482-downloads-gatemanager>) GateManager versions 9.2c / 9.2i, Moxa users need to update EDR-G902/3 to version v5.5 by applying firmware updates available for the [EDR-G902 series](<https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48053>) and [EDR-G903 series](<https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48063>), and HMS Networks users are advised to update eCatcher to [Version 6.5.5](<https://ewon.biz/technical-support/pages/all-downloads>) or later.
Published: 2020-07-29T11:12:00 (modified 2020-07-29T11:12:17). Source: The Hacker News, https://thehackernews.com/2020/07/industrial-vpn-security.html
CVEs: CVE-2020-14498, CVE-2020-14500, CVE-2020-14511
CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C); CVSS v3.1: 10.0 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Related: ICS advisories ICSA-20-196-02, ICSA-20-210-01, ICSA-20-210-03; AttackerKB AKB:10EA1EFD-6C95-4B64-9784-A817B1822004, AKB:9ECC903B-3693-4337-88B5-F9280385C42C, AKB:F70DFA93-8312-4DDA-804A-ADA91F8A8DD5; Threatpost THREATPOST:3C7643A12EE5AC251B015BA884447D7B
## Related record: AttackerKB, Remote Code Execution Vulnerabilities in Secomea, Moxa, and HMS eWon VPNs

AKB:10EA1EFD-6C95-4B64-9784-A817B1822004, https://attackerkb.com/topics/lRQRKyIkBR/remote-code-execution-vulnerabilities-in-secomea-moxa-and-hms-ewon-vpns (published 2020-12-21; CVEs CVE-2020-14498, CVE-2020-14500, CVE-2020-14508, CVE-2020-14510, CVE-2020-14511, CVE-2020-14512; CVSS v3.1 10.0 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS v2 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C)

Security researchers at Claroty [published details](<https://www.claroty.com/2020/07/28/vpn-security-flaws/>) on multiple pre-auth remote code execution vulnerabilities affecting virtual private network (VPN) implementations primarily used to provide remote access to operational technology (OT) networks. The vulnerabilities could allow unauthenticated attackers to execute arbitrary code.

Individual CVEs referenced in Claroty's research include CVE-2020-14500, CVE-2020-14508, CVE-2020-14510, CVE-2020-14512, CVE-2020-14511, and CVE-2020-14498. Affected products include Secomea GateManager, Moxa EDR-G902/3 industrial VPN servers, and eWon by HMS Networks.

**Recent assessments:**

**ccondon-r7** at July 30, 2020 3:06am UTC reported:

The exposed target population may be comparatively low to, say, the whole of the internet, but [Rapid7 Labs has noted](<https://blog.rapid7.com/2020/07/29/remote-code-execution-risks-in-secomea-moxa-and-hms-ewon-ics-vpn-vulnerabilities-what-you-need-to-know/>)—rightly so—that a couple thousand exposed gateways is still a pretty concerning state of affairs when those gateways are protecting _industrial control systems_. Pre-authenticated RCE in VPN products guarding ICS/OT networks during a pandemic is, as the kids say, bad news bears—and that's not to make light, because this ain't light. The good news is that there are patches out for all these vulns, even though the downtime required to patch and verify effectively might be nothing to sneeze at. Longer [analysis and recommendations by smart people here](<https://attackerkb.com/topics/lRQRKyIkBR/remote-code-execution-vulnerabilities-in-secomea-moxa-and-hms-ewon-vpns?#rapid7-analysis>).

Researchers from around Rapid7's world (and likely others, too!) have said today that there is likely lower-hanging fruit that will be surfaced in the coming days, particularly around nerve-wracking findings such as exposed Telnet administration ports. There's a lot of well-justified attention on this grouping of vulns, and with that attention comes increased focus on attack opportunities in general…and the stuff we see clogging up our security noise machines won't be the only stuff well-resourced attackers are paying attention to. Patch as soon as possible (and yep, easier said than done).

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 0

## Related record: AttackerKB, CVE-2020-14500

AKB:F70DFA93-8312-4DDA-804A-ADA91F8A8DD5, https://attackerkb.com/topics/evqSrqrpxZ/cve-2020-14500 (published 2020-07-31; CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P)

The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required. If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer's internal network, along with the ability to decrypt all traffic that passes through the VPN.

**Recent assessments:**

**wvu-r7** at July 31, 2020 3:50pm UTC reported:

The web functionality is implemented in the x86 `gm_server` binary.

Using the [Claroty report](<https://www.claroty.com/2020/07/28/vpn-security-flaws/>) and a hunch, I decided to test the `Content-Length` header for negative values:

> The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client.
>
> [snip]
>
> CVE-2020-14500
> IMPROPER NEUTRALIZATION OF NULL BYTE OR NULL CHARACTER CWE-158
> An attacker can send a negative value and overwrite arbitrary data.

On the `/admin` page, setting `Content-Length` to a large negative value yielded a segfault in the `gm_server` process:

```
[30665.430945] gm_server[25115]: segfault at 56e35df1 ip 00000000566c0816 sp 00000000ffcb6bf0 error 6 in gm_server[565cf000+175000]
[30665.430952] Code: e8 e8 ee f4 ff ff 89 c7 e9 61 fe ff ff 8d b4 26 00 00 00 00 8b 95 60 02 00 00 85 d2 0f 84 93 00 00 00 8b 85 68 02 00 00 31 ff <c6> 04 02 00 8b 45 14 83 f8 02 0f 84 34 fe ff ff 0f 82 84 02 00 00
```

Note that a watchdog restarts the process when it crashes.

For GateManager 8250 on Linux, the `gm_server` binary has NX and PIE enabled. The embedded 4260 and 9250 models have only NX:

```
RELRO       STACK CANARY      NX           PIE      RPATH      RUNPATH      Symbols       FORTIFY   Fortified   Fortifiable   FILE
No RELRO    No canary found   NX enabled   No PIE   No RPATH   No RUNPATH   No Symbols    No        0           22            gm_server.unpatched
```

Exploitability of the embedded models seems high, given that PIE isn't enabled. NX and system ASLR can be bypassed with ROP.

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 3

## Related record: AttackerKB, CVE-2020-14511

AKB:9ECC903B-3693-4337-88B5-F9280385C42C, https://attackerkb.com/topics/2Zjg0ssDBh/cve-2020-14511 (published 2020-07-15; CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P)

Malicious operation of the crafted web browser cookie may cause a stack-based buffer overflow in the system web server on the EDR-G902 and EDR-G903 Series Routers (versions prior to 5.4).

**Recent assessments:**

**wvu-r7** at July 31, 2020 3:51pm UTC reported:

The web server is a 32-bit, big-endian MIPS binary at `/magicP/WebServer/webs`.

The patch against the `websSecurityHandler()` function in `webs` is simplistic. If the cookie length is greater than the buffer size of 512 bytes, the function fails out:

```
char cookie[512];

/* snip */

if (wp->cookie != NULL) {
cookie_len = strlen(wp->cookie);
+ if (512 < cookie_len) goto Fail;
memset(cookie, 0, 512);
strncpy(cookie, wp->cookie, cookie_len);
cookie[cookie_len] = '\0';
}
```

The exploit mitigations on the binary are lacking:

```
RELRO       STACK CANARY      NX            PIE      RPATH      RUNPATH      Symbols         FORTIFY   Fortified   Fortifiable   FILE
No RELRO    No canary found   NX disabled   No PIE   No RPATH   No RUNPATH   1226) Symbols   No        0           17            webs.unpatched
```

No additional mitigations were enabled in the patched version. Funny enough, the binary still has debug symbols.

Exploitability seems high on this one, given the complete lack of mitigations.
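Review bot: the bound added in the hunk, `+ if (512 < cookie_len) goto Fail;`, is off by one against `char cookie[512];`: a cookie of exactly 512 bytes passes the check, `strncpy(cookie, wp->cookie, cookie_len);` fills the whole array, and `cookie[cookie_len] = '\0';` then writes the terminator to `cookie[512]`, one byte past the end. Reject `cookie_len >= sizeof(cookie)` (or compare against 511) so the terminating write stays in bounds; as shown, the check shrinks the overflow to a single NUL byte rather than removing it.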
That said, you would not be able to copy null bytes with `strncpy(3)`.

Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 3

## Related record: Threatpost, Critical Bugs in Utilities VPNs Could Cause Physical Damage

THREATPOST:3C7643A12EE5AC251B015BA884447D7B, https://threatpost.com/critical-bugs-utilities-vpns-physical-damage/157835/ (published 2020-07-29T18:02:03; CVEs CVE-2020-14498, CVE-2020-14500, CVE-2020-14508, CVE-2020-14510, CVE-2020-14511, CVE-2020-14512; CVSS v2 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C)

Remote code-execution vulnerabilities in virtual private network (VPN) products could impact the physical functioning of critical infrastructure in the oil and gas, water and electric utilities space, according to researchers.

Researchers at Claroty found that VPNs used to provide remote access to operational technology (OT) networks in industrial systems are vulnerable to an array of security bugs, which could give an attacker direct access to field devices and cause physical damage or shut-downs.

The security vulnerabilities affect three vendors specifically, Secomea, Moxa and HMS Networks, and any of their white-label partners.

"These dedicated remote-access solutions are mainly focused on the industrial control system (ICS) industry, and their main use case is to provide maintenance and monitoring to field controllers and devices including programmable logic controllers (PLCs) and input/output (IO) devices," analysts said in a posting issued on Wednesday. "Apart from connectivity between sites these solutions are also used to enable remote operators and third-party vendors to dial into customer sites and provide maintenance and monitoring for PLCs and other Level 1/0 devices. This kind of access has become especially prioritized in recent months due to the new reality of COVID-19."

## The Flaws

A critical bug in Secomea GateManager (CVE-2020-14500) occurs due to improper handling of HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required.

"If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer's internal network, along with the ability to decrypt all traffic that passes through the VPN," according to Claroty.

GateManager is an ICS component located at the perimeter of a customer network, which accepts connections from remote sites/clients. It's deployed worldwide as a cloud-based software-as-a-service solution, both in branded and white-label instances; these cloud servers are multi-tenant but can also be installed and configured as on-premise solutions.

According to Secomea's website, the GateManager cloud server is designed to "deliver the convenience of fast and easy web access, while avoiding server setups." However, the cloud-based nature of the product could mean a wider attack surface for cybercriminals looking to exploit this bug, researchers said.

"In recent years we have seen a shift toward cloud-based remote access solutions, which typically enable rapid deployment and reduce cost," according to Claroty's post. "Usually, they also offer white-labeled solutions that large-scale companies can purchase to have their own personal cloud while the underlying software is exactly the same. Thus, finding bugs in one instance could mean that all other instances would be affected, too."

In addition to the critical bug, other flaws found in GateManager include CVE-2020-14508, an off-by-one error, which may allow an attacker to remotely execute arbitrary code or cause a denial-of-service condition. Another (CVE-2020-14510) arises from the use of a hard-coded credential for telnet, allowing an unprivileged attacker to execute commands as root. And CVE-2020-14512 is due to a weak hash type, which may allow an attacker to view user passwords.

Secomea issued patches on July 16 (in GateManager versions [9.2c](<https://kb.secomea.com/helpdesk/KB/View/29329790-secomea-gatemanager--release-c>) / [9.2i](<https://kb.secomea.com/helpdesk/KB/View/29329861-secomea-gatemanager--release-i>)).

Meanwhile, a stack-based overflow vulnerability is present in the Moxa EDR-G902/3 industrial VPN server (CVE-2020-14511). This product is meant to provide a secure connection between remote industrial sites and a main data center where the SCADA/data collection server is located.

"Exploiting this security flaw, an attacker could use a specially crafted HTTP request to trigger a stack-based overflow in the system web server and carry out remote code execution without the need for any credentials," according to the writeup. "An attacker can provide a large cookie and trigger a stack-based overflow in the system."

Moxa made a patch available on June 9; users should update EDR-G902/3 to version v5.5 by applying the respective firmware updates available for the [EDR-G902 series](<https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48053>) and [EDR-G903 series](<https://www.moxa.com/en/support/product-support/software-and-documentation/search?psid=48063>), the vendor said.

And finally, a critical stack-buffer overflow (CVE-2020-14498) is present in the eWon product by HMS Networks.

eWon is a VPN device that allows machine builders and factory owners to remotely monitor the performance of their equipment. Remote clients can connect to it using a proprietary VPN client on their computer, named eCatcher, which is where the vulnerability lies.

"The bug can be exploited to achieve remote code execution [on a target's computer] by [convincing a user to visit] a malicious website or [open] a malicious email which contains a specifically crafted HTML element which is able to trigger the vulnerability in eCatcher," explained Claroty researchers.

Gaining control of an authorized user's computer grants attackers access to that user's VPN credentials, which they can then use to expand their foothold within an organization's internal network.

In a proof-of-concept exploit, researchers showed that sending socially engineered emails embedded with specifically crafted images could trigger the vulnerability if the user simply opened and viewed the email. An attacker would then have the highest privileges and be able to completely take over a victim's machine.

"The exploitation phase occurs immediately when the email client (e.g. Outlook) is loading the malicious images," according to the post.

HMS Networks issued a patch on July 14 in eCatcher [version 6.5.5](<https://ewon.biz/technical-support/pages/all-downloads>).

## ICS in the Crosshairs

Industrial installations have been ramping up in terms of adversary interest of late. Last week, the U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) [issued an alert](<https://threatpost.com/nsa-urgent-warning-industrial-cyberattacks-triconex/157723/>) warning that cybercriminals could be targeting critical infrastructure across the U.S.

And separately, ICS-CERT issued an advisory on a critical security bug in the Schneider Electric Triconex TriStation and Tricon Communication Module. These safety instrumented system (SIS) controllers are responsible for shutting down plant operations in the event of a problem and act as an automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. They've been targeted in the past, in the [TRITON attack of 2017](<https://threatpost.com/triton-malware-targets-industrial-control-systems-in-middle-east/129182/>).

"We expect that in the COVID-19 reality of working from home, the increased use of [VPN] platforms will drive increased interest both from the operational side, as they become more process-critical, and from the security side, as they become more common," according to Claroty. The researchers added, "Denial-of-service attacks on these components of the enterprise infrastructure could potentially emerge as a new tactic used by financially motivated attackers."

## Related records: NVD

CVE-2020-14511, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14511 (published 2020-07-15; CWE-787; CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; CPEs cpe:/o:moxa:edr-g903_firmware:5.4, cpe:/o:moxa:edr-g902_firmware:5.4, cpe:/o:moxa:edr-g902-t_firmware:5.4, cpe:/o:moxa:edr-g903-t_firmware:5.4): Malicious operation of the crafted web browser cookie may cause a stack-based buffer overflow in the system web server on the EDR-G902 and EDR-G903 Series Routers (versions prior to 5.4).

CVE-2020-14500, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14500 (published 2020-08-25; CWE-476; CVSS v3.1 9.8 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS v2 7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P; CPE cpe:/o:secomea:gatemanager_8250_firmware:9.2c): Secomea GateManager all versions prior to 9.2c, An attacker can send a negative value and overwrite arbitrary data.

CVE-2020-14498, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14498 (published 2020-08-26; CWE-787; CVSS v3.1 10.0 Critical, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H; CVSS v2 10.0, AV:N/AC:L/Au:N/C:C/I:C/A:C): HMS Industrial Networks AB eCatcher all versions prior to 6.5.5. The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code.

## Related record: CNVD

The EDR-G902 and EDR-G903 are a series of routers from Moxa. The Moxa EDR-G902 and EDR-G903 are vulnerable to a stack buffer overflow.
An attacker could exploit this vulnerability to execute arbitrary code on the system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-27T00:00:00", "type": "cnvd", "title": "Moxa EDR-G902 and EDR-G903 Stack Buffer Overflow Vulnerability", "bulletinFamily": "cnvd", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14511"], "modified": "2021-10-11T00:00:00", "id": "CNVD-2021-76108", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-76108", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2022-10-26T00:16:19", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor:** Moxa\n * **Equipment:** EDR-G902 and EDR-G903 Series Routers\n * **Vulnerability:** Stack-based Buffer Overflow\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could crash the device being accessed; a buffer overflow condition may allow remote code execution.\n\n## 3\\. 
TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following Moxa Series routers are affected:\n\n * EDR-G902 Series: firmware versions 5.4 and prior\n * EDR-G903 Series: firmware versions 5.4 and prior\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nMalicious operation of the crafted web browser cookie may cause a stack-based buffer overflow in the system web server.\n\n[CVE-2020-14511](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14511>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing, Energy, and Transportation Systems\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Taiwan\n\n### 3.4 RESEARCHER\n\nTal Keren of Claroty reported this vulnerability to Moxa.\n\n## 4\\. MITIGATIONS\n\nMoxa recommends users implement the following to mitigate the vulnerability:\n\n * Install firmware patch. Patches may be downloaded from [Moxa\u2019s security advisory page](<https://www.moxa.com/en/support/support/security-advisory/edr-g902-g903-series-secure-routers-vulnerabilities>).\n\nPlease see Moxa\u2019s [security advisory](<https://www.moxa.com/en/support/support/security-advisory/edr-g902-g903-series-secure-routers-vulnerabilities>) for more information.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. 
Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n\n## Contact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-20-196-02>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-14T00:00:00", "type": "ics", "title": "Moxa EDR-G902 and EDR-G903 Series Routers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14511"], "modified": "2020-07-14T00:00:00", "id": "ICSA-20-196-02", "href": "https://www.us-cert.gov/ics/advisories/icsa-20-196-02", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-26T00:16:17", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.6**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor: **HMS Industrial Networks AB\n * **Equipment:** eCatcher\n * **Vulnerability:** Stack-based Buffer Overflow\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability could crash the device being accessed. In addition, a buffer overflow condition may allow remote code execution with highest privileges.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of eCatcher, a VPN client, are affected:\n\n * All versions prior to 6.5.5\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [STACK-BASED BUFFER OVERFLOW CWE-121](<https://cwe.mitre.org/data/definitions/121.html>)\n\nThe affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to remotely execute arbitrary code. \n\n[CVE-2020-14498](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14498>) has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Critical Manufacturing\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Sweden\n\n### 3.4 RESEARCHER\n\nSharon Brizinov of Claroty reported this vulnerability to CISA.\n\n## 4\\. 
MITIGATIONS\n\nHMS recommends users update eCatcher to [Version 6.5.5 or later](<https://ewon.biz/technical-support/pages/all-downloads>). \n\nFor more information, see the [HMS advisory](<https://www.hms-networks.com/cybersecurity>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-07-28T00:00:00", "type": "ics", "title": "HMS Industrial Networks eCatcher", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14498"], "modified": "2020-07-28T00:00:00", "id": "ICSA-20-210-03", "href": "https://www.us-cert.gov/ics/advisories/icsa-20-210-03", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-26T00:16:16", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 10.0**\n * **ATTENTION:** Exploitable remotely/low skill level to exploit\n * **Vendor:** Secomea\n * **Equipment:** GateManager\n * **Vulnerabilities:** Improper Neutralization of Null Byte or NUL Character, Off-by-one Error, Use of Hard-coded Credentials, Use of Password Hash with Insufficient Computational Effort\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow a remote attacker to gain remote code execution on the device.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of GateManager, a VPN server, are affected:\n\n * All versions prior to 9.2c\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER NEUTRALIZATION OF NULL BYTE OR NUL CHARACTER CWE-158](<https://cwe.mitre.org/data/definitions/158.html>)\n\nAn attacker can send a negative value and overwrite arbitrary data. \n\n[CVE-2020-14500](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14500>) has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H>)). \n\n#### 3.2.2 [OFF-BY-ONE ERROR CWE-193](<https://cwe.mitre.org/data/definitions/193.html>)\n\nThe affected product is vulnerable to an off-by-one error, which may allow an attacker to remotely execute arbitrary code or cause a denial-of-service condition. 
\n\n[CVE-2020-14508](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14508>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been assigned; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.3 [USE OF HARD-CODED CREDENTIALS CWE-798](<https://cwe.mitre.org/data/definitions/798.html>)\n\nThe affected product contains a hard-coded credential for telnet, allowing an unprivileged attacker to execute commands as root. \n\n[CVE-2020-14510](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14510>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.4 [USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916](<https://cwe.mitre.org/data/definitions/916.html>)\n\nThe affected product uses a weak hash type, which may allow an attacker to view user passwords. \n\n[CVE-2020-14512](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14512>) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Critical Manufacturing\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Denmark\n\n### 3.4 RESEARCHER\n\nSharon Brizinov and Tal Keren of Claroty reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nSecomea has released a new version to mitigate the reported vulnerabilities. 
The most up-to-date release at the time of this CISA advisory can be found on the [Secomea website](<https://kb.secomea.com/helpdesk/KB/View/25546482-downloads-gatemanager>).\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://www.us-cert.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.gov](<https://www.us-cert.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.gov](<https://www.us-cert.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B>). 
\n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-28T00:00:00", "type": "ics", "title": "Secomea GateManager", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, 
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-14500", "CVE-2020-14508", "CVE-2020-14510", "CVE-2020-14512"], "modified": "2020-07-28T00:00:00", "id": "ICSA-20-210-01", "href": "https://www.us-cert.gov/ics/advisories/icsa-20-210-01", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}