Following up on Team82's research in the security of remote access tools prevalent in OT environments, we decided to revisit the issue and look for systems that remain unpatched after our disclosure.
More than 61 percent of the exposed Secomea VPNs found on the internet by Team82 still have not been patched since the vulnerabilities were disclosed and fixes made available by the vendor.
This is particularly concerning because VPN servers, unlike other OT gear, can be updated with minimal interruptions to availability.
Team82 originally found four vulnerabilities that can be leveraged to crash VPN servers or run code without authentication.
Purpose-built virtual private networks, specifically designed for remote access to operational technology (OT) networks, are critical to the upkeep and monitoring of field devices. In July, Team82 provided some technical details about a number of vulnerabilities affecting VPNs made by leading manufacturers.
Exploits against many of these critical flaws could give a dedicated attacker remote access to an OT network and the ability to run code of their choice. Such an attack would be a direct threat to the availability and physical security of field devices.
Team82 has revisited this issue. We pulled data from publicly available scanning websites and conducted our own scans, looking for exposed Secomea GateManager VPN servers that remain unpatched against four vulnerabilities uncovered by Claroty that were part of our July report. Secomea, a privately held Danish company, is a leading provider of remote access products for OT networks. Its solutions allow operators to securely access and transmit data from devices in order to maintain and optimize their performance.
And while the number of patched GateManager installations is trending in the right direction, more than 61 percent of the exposed VPNs found on the internet by Team82 still have not been patched since the vulnerabilities were publicly disclosed on July 28. Claroty privately reported the flaws to the vendor on May 26, and Secomea had made a patched version of GateManager, 9.2c, available as early as July 10.
The relatively low number of updated servers since patches have been made available is a bit disconcerting given the fact that unlike many other industrial control system devices, VPN servers such as Secomea's GateManager can be updated with minimal downtime and disruption to the availability of services.
Lags in patching remain an ongoing OT issue, one that the Cybersecurity and Infrastructure Security Agency (CISA) addressed in July as part of an alert exposing threat actor capabilities and activity targeting internet-accessible OT assets. The prevalence of OT assets exposed to the internet has boomed since the COVID-19 pandemic began, in order to support remote access for asset management, process operations, and maintenance.
While warning organizations of threat-actor tactics such as the targeting of connected PLCs and scanning for commonly used ports and protocols used to communicate with controllers, CISA urged organizations to take several steps to mitigate these risks. Prominent among those is fully patching all internet-accessible systems, and inventorying assets in order to understand where vulnerabilities live and which need to be prioritized in patch management strategies.
Most of the exposed GateManager instances were found in the United States, Italy, and Denmark (see graphic below).
Equipment manufacturers, service providers, and food and beverage companies were the top three industries running GateManager instances, according to Claroty data. But the product was found in more than a dozen industries, including critical ones such as waste treatment, pharmaceuticals, and automakers (see graphic below).
GateManager is a widely used ICS remote access server deployed worldwide as a cloud-based software-as-a-service (SaaS) solution, with many general-purpose and white-label instances also deployed. According to Secomea's website, the GateManager cloud server is designed to deliver the convenience of fast and easy web access while avoiding the cost and maintenance of on-premise server installations. An attack that successfully exploits these flaws could result in a complete security breach that grants full access to a customer's internal network, along with the ability to decrypt all traffic that passes through the VPN.
Cloud-based solutions such as Secomea's cut down on deployment times and reduce costs overall. Given that many companies also opt for a white-label solution enabled on a private cloud, these too would be vulnerable.
The Cybersecurity and Infrastructure Security Agency's (CISA) ICS-CERT published an advisory on July 28 describing the four vulnerabilities found by Claroty in GateManager:
CVE-2020-14500, improper neutralization of a null byte or NUL character, allowing an attacker to overwrite arbitrary data
CVE-2020-14508, an off-by-one error that allows an attacker to remotely execute code or crash a device or server
CVE-2020-14510, use of hard-coded credentials, in this case for telnet, allowing an unauthenticated attacker to run code as root
CVE-2020-14512, use of a password hash with insufficient computational effort, allowing an attacker to view user passwords
CISA also published a number of mitigations, recommending above all that users update the GateManager VPN server to version 9.2c or later, as well as minimizing exposure of control devices to the internet, segmenting them from business networks, and locating remote access devices behind firewalls.
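The first of CISA's mitigations is a version check against an asset inventory. The following is an added example, not Team82's or Secomea's code: it flags GateManager instances older than 9.2c in a constructed inventory and summarizes them per country, the way the patch-lag figures above are reported. It assumes that other GateManager version strings follow the same MAJOR.MINOR[letter] pattern as "9.2c"; the hosts, countries and versions in the sample are constructed.

```python
import re
from collections import Counter

# First GateManager release that fixes the four CVEs (from the advisory above)
PATCHED_VERSION = "9.2c"

# Constructed sample inventory (hypothetical hosts, not real scan data):
# (host label, country, GateManager version string recorded by the asset inventory)
SAMPLE_INVENTORY = [
    ("gm-plant-01", "US", "9.2c"),
    ("gm-plant-02", "US", "9.1"),
    ("gm-site-03", "IT", "9.2b"),
    ("gm-site-04", "IT", "9.3"),
    ("gm-hq-05", "DK", "9.2"),
    ("gm-lab-06", "DK", "9.10a"),
]

def parse_version(version):
    """Split 'MAJOR.MINOR[letter]' into a tuple that sorts correctly.

    Plain string comparison gets this wrong ('9.10a' < '9.2c' lexically), and a
    missing letter ('9.2') must sort before any lettered build of that release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)([a-z]?)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GateManager version string: {version!r}")
    major, minor, letter = m.groups()
    return (int(major), int(minor), letter)

def is_patched(version):
    """True when the version is 9.2c or later."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)

def patch_report(inventory):
    """Return totals plus per-country unpatched counts for prioritising updates."""
    unpatched_by_country = Counter()
    unpatched_hosts = []
    for host, country, version in inventory:
        if not is_patched(version):
            unpatched_by_country[country] += 1
            unpatched_hosts.append(host)
    total = len(inventory)
    return {
        "total": total,
        "unpatched": len(unpatched_hosts),
        "unpatched_pct": round(100 * len(unpatched_hosts) / total, 1) if total else 0.0,
        "unpatched_hosts": unpatched_hosts,
        "unpatched_by_country": dict(unpatched_by_country),
    }

if __name__ == "__main__":
    print(patch_report(SAMPLE_INVENTORY))
```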
Given that the Covid-19 pandemic likely will continue to alter the remote-work landscape for the immediate future, more attention will be given to the security of remote access solutions by researchers and threat actors alike.
Remote access to OT networks poses unique risks: the security features guarding IT remote access solutions are less comprehensive than what OT networks require, namely strict role- and policy-based controls and monitoring, in order to minimize risk and maintain the availability and safety of industrial devices and OT networks.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and misleading victim clients.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain control over utilities within the products.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard-coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product issues mount attempts to a hard-coded, routable IP address, bypassing the existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
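Blocking the range is the mitigation; asset owners also need to know which devices on their network are already trying to reach it. The following is an added example, not CISA's or Contec's code: it runs the advisory's blocklist (202.114.4.0/24, with 202.114.4.119 and 202.114.4.120 rated higher) over constructed firewall flow-log lines and groups the hits by internal source so each device can be located. The log field layout, hosts, timestamps and ports are assumptions.

```python
import ipaddress
from collections import defaultdict

# Destinations the advisory above says to block for Contec CMS8000 devices
BLOCKED_NETWORK = ipaddress.ip_network("202.114.4.0/24")
BLOCKED_HOSTS = {ipaddress.ip_address("202.114.4.119"),
                 ipaddress.ip_address("202.114.4.120")}

# Constructed flow-log sample (hypothetical hosts and timestamps, not real traffic).
# Field layout assumed here: timestamp src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2025-02-01T08:00:01Z 10.20.30.40 10.20.30.1 tcp 443
2025-02-01T08:00:05Z 10.20.30.41 202.114.4.119 tcp 2049
2025-02-01T08:00:06Z 10.20.30.41 202.114.4.120 udp 111
2025-02-01T08:00:09Z 10.20.30.42 202.114.5.7 tcp 80
2025-02-01T08:00:11Z 10.20.30.43 202.114.4.200 tcp 22
not a flow line
"""

def parse_flow(line):
    """Parse one flow line; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return {"ts": parts[0], "src": ipaddress.ip_address(parts[1]),
                "dst": ipaddress.ip_address(parts[2]),
                "proto": parts[3], "dport": int(parts[4])}
    except ValueError:
        return None

def find_blocked_destination_flows(log_text):
    """Flag flows whose destination falls in the advisory's blocked /24.

    The two hosts the advisory names are rated 'high'; anything else in the
    range is 'medium' so the whole network is still reviewed.
    """
    hits = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dst"] not in BLOCKED_NETWORK:
            continue
        flow["severity"] = "high" if flow["dst"] in BLOCKED_HOSTS else "medium"
        hits.append(flow)
    return hits

def suspect_sources(hits):
    """Group flagged flows by internal source so each device can be located."""
    by_src = defaultdict(set)
    for flow in hits:
        by_src[str(flow["src"])].add(str(flow["dst"]))
    return {src: sorted(dsts) for src, dsts in by_src.items()}

if __name__ == "__main__":
    found = find_blocked_destination_flows(SAMPLE_FLOWS)
    for f in found:
        print(f["severity"], f["ts"], f["src"], "->", f["dst"], f["proto"], f["dport"])
    print(suspect_sources(found))
```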
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to the failure of the update mechanism to verify the update server's certificate, which could allow an attacker to alter network traffic and carry out a machine-in-the-middle (MITM) attack. An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download v2025.1 or later of their software.
CVSS v3: 5.7