On Wednesday, July 28, 2020, researchers at Claroty released information on a number of critical remote code execution vulnerabilities across products of three industrial control system (ICS) vendors’remote access technologies: HMS, Secomea, and Moxa. Rapid7 has aggregated these vulnerabilities into a single AttackerKB meta-topic reference to help defenders keep up-to-date with the latest developments.
The following CVEs have been assigned to these weaknesses:
Secomea GateManager:
Moxa EDR-G902/3 industrial VPN servers:
HMS Networks eCatcher VPN clients:
And, the following vendor patches are available:
Rapid7 strongly recommends that organizations using these technologies immediately assess their internet-facing ICS remote configurations to ensure only protocols and services that need to be exposed to the internet are configured and that these specific devices and services are patched as soon as possible. A number of these patches have been available since early June and early July.
The U.S. ICS CERT/CISA have issued advisories for these vulnerabilities, noting that many of them are trivial to exploit.
In this post, we’re focusing mainly on the remote code execution risks, though in this age of rampant phishing attacks, the user-interaction-required weaknesses in HMS eWon VPNs should not be taken lightly by organizations using that technology.
Secomea GateManager is used widely in ICS deployments and the weakness in HTTP request header handling can lead to unauthenticated remote code execution, providing an attacker full access to secured networks and complete visibility into all VPN traffic.
Moxa EDR-G902/3 industrial VPN servers have an HTTP request processing weakness that can be exploited to trigger an unauthenticated stack-based overflow on the web server with the potential for remote code exec ..
Support the originator by clicking the read the rest link below.
