By Sharon Brizinov and Tal Keren | Claroty Research Team | September 24, 2020

Purpose-built virtual private networks, specifically designed for remote access to operational technology (OT) networks, are critical to the upkeep and monitoring of field devices. In July, Claroty provided some technical details about a number of vulnerabilities affecting VPNs made by leading manufacturers.

Exploits against many of these critical flaws could give a dedicated attacker remote access to an OT network and the ability to run code of their choice. Such an attack would be a direct threat to the availability and physical security of field devices.

Recently, Claroty researchers have revisited this issue. We pulled data from publicly available scanning websites and conducted our own scans, looking for exposed Secomea GateManager VPN servers that remain unpatched against four vulnerabilities uncovered by Claroty that were part of our July report. Secomea, a privately held Danish company, is a leading provider of remote access products for OT networks. Its solutions allow operators to securely access and transmit data from devices in order to maintain and optimize their performance.

And while the number of patched GateManager installations is trending in the right direction, more than 61 percent of the exposed VPNs found on the internet by Claroty still have not been patched since the vulnerabilities were publicly disclosed on July 28. Claroty privately reported the flaws to the vendor on May 26, and Secomea had made a patched version of GateManager, 9.2c, available as early as July 10.

Lax Patching Continues to Plague OT

The relatively low number of updated servers since patches have been made available is a bit disconcerting given the fact that unlike many other industrial control system devices, VPN servers such as Secomea’s GateManager can be updated with minimal downtime and disruption to the availability of services.

Lags in patching remain an ongoing OT issue, one that the Cybersecurity Infrastructure Security Agency (CISA) addressed in July as part of an alert exposing threat actor capabilities and activity targeting internet-accessible OT assets. The prevalence of OT assets exposed to the internet has boomed since the COVID-19 pandemic began in order to support remote access for asset management, process operations, and maintenance.

While warning organizations of threat-actor tactics such as the targeting of connected PLCs and scanning for commonly used ports and protocols used to communicate with controllers, CISA urged organizations to take several steps to mitigate these risks. Prominent among those is fully patching all internet-accessible systems, and inventorying assets in order to understand where vulnerabilities live and which need to be prioritized in patch management strategies.

Most of the exposed GateManager instances were found in the United States, Italy, and Denmark (see graphic below).

 

Equipment manufacturers, service providers, and food and beverage companies were the top three industries running GateManager instances, according to Claroty data. But the product was found in more than a dozen industries, including critical industries such as waste treatment, pharmaceuticals, and automakers, (see graphic below).

 

GateManager is a widely used ICS remote access server deployed worldwide as a cloud-based software-as-a-service (SaaS) solution with many general-purpose and white-label instances also deployed. According to Secomea’s website, the GateManager cloud server is designed to deliver the convenience of fast and easy web access, while avoiding the cost and maintenance of on-premise server installations. If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN.

Diagram courtesy of Secomea that shows how remote access solutions in the ICS domain function. The end goal is connecting to PLCs and field devices on level 0/1.

Cloud-based solutions such as Secomea’s cut down on deployment times and reduce costs overall. Given that many companies also opt for a white-label solution enabled on a private cloud, these too would also be vulnerable.

Mitigations and Conclusion

The Cybersecurity and Infrastructure Security Agency’s (CISA) ICS-CERT published an advisory on July 28 describing the four vulnerabilities found by Claroty in GateManager:

  1. CVE-2020-14500, an improper neutralization of null by or nul character, allowing an attacker to overwrite arbitrary data
  2. CVE-2020-14508, an off-by-one error that allows an attacker to remotely execute code or crash a device or server
  3. CVE-2020-14510, use of hard-coded credentials, in this case for telnet, allowing an unauthenticated attacker to run code as root
  4. CVE-2020-14512, use of a password hash with insufficient computational effort, allowing an attacker to view user passwords

CISA also published a number of mitigations, recommending above all that users update the GateManager VPN server to version 9.2c or later, as well as minimizing exposure of control devices to the internet, segmenting them from business networks, and locating remote access devices behind firewalls.

Given that the Covid-19 pandemic likely will continue to alter the remote-work landscape for the immediate future, more attention will be given to the security of remote access solutions by researchers and threat actors alike.

Remote access to OT networks poses unique risks; security features guarding IT remote access solutions are less comprehensive than those for OT networks that require strict role- and policy-based controls and monitoring in order to minimize risk and maintain the availability and safety of industrial devices and OT networks.