Claroty’s Team82 finds new attack concept targeting OpenVPN that could let hackers get into critical infrastructures

Claroty’s Team82 research team discovered on Friday a new attack concept that targets virtual private networks (VPNs), as they took an extensive look at VPN vendor applications that have OpenVPN applications running under the hood.

As part of the investigation, Team82 detected four vulnerabilities in industrial VPN solutions from vendors HMS Industrial Networks, Siemens, PerFact, and MB connect line. The vulnerabilities expose users to remote and arbitrary code execution attacks and also enable attackers to elevate privileges. All four vendors have either provided a fix in an updated version of their respective products or suggested mitigations.

Over the last year, due to the increased popularity and growing remote workforce, Claroty Team82 was busy researching VPN/remote-access solutions. The majority of them included OpenVPN as part of the secure remote access solution while the vendor application is a wrapper that manages the OpenVPN instance. After inspecting a couple of such products, Claroty found an issue with the way these types of products harness OpenVPN. In most cases, the problem could lead to a remote code execution just by luring a victim to a malicious website.

Last July, Claroty researchers discovered remote code execution vulnerabilities affecting VPN implementations primarily used to provide remote access to operational technology (OT) networks. These dedicated remote access solutions are mainly focused on the industrial control system (ICS) industry, and their main use case is to provide maintenance and monitoring to field controllers and devices including programmable logic controllers (PLCs) and input/output (IO) devices.

OpenVPN implements techniques that create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements client and server applications. On account of its popularity, ease of use, and features, many companies have chosen OpenVPN as part of their solution. It is a feasible option for organizations that want to create a secure tunnel with a couple of new features. Rather than reinventing the wheel, the company will most likely use OpenVPN as its foundation.

Since OpenVPN requires high privileges, vendors will install OpenVPN as a service that runs as ‘SYSTEM,’ and use the management interface to start a new session. The procedure ensures that even applications that don’t require privileges could initiate a VPN connection without elevated permissions required. This is a potential risk that could allow privilege escalation and attacks that introduce significant risk to a business.

Claroty researchers tested the socket channel consisting of a cleartext protocol with some basic commands such as ‘Load OpenVPN config’ and ‘Start VPN’ with no authentication/authorization checks, Sharon Brizinov, a Claroty researcher, wrote in a company blog post. “The selection of a cleartext-based protocol, similar to telnet, is usually because of its ease of use and quick development cycles. This means that anyone with access to the local TCP port the back end listens on, could potentially load an OpenVPN config and force the back end to spawn a new OpenVPN instance with this configuration.”

To exploit this vulnerability, “we need to send to our victim a link to a malicious website with an embedded JavaScript payload that will send a blind POST request locally. The payload will be the commands we want to inject in the VPN client back end,” Brizinov wrote. Once the victim clicks the link, an HTTP POST request will be fired locally to the dedicated TCP port, and since HTTP is a cleartext based protocol which every line ends with \n, the back end server will read and ignore all the lines until reaching a meaningful command, he added.

Team82 also discovered that the OpenVPN configuration file doesn’t have to consist of any particular suffix, so “we could name it even ‘README.txt’ as long as the content is a valid OpenVPN configuration,” according to the Claroty post. “Inside the attacker-controlled configuration file, the attacker could use one of the OpenVPN script directives such as the up command to execute code; the up configuration command is normally used to execute a shell command or a script to run after the TUN/TAP device is opened successfully (before outbound connection is made),” it added.

An attacker could use this to execute any command, including malicious ones such as installing a backdoor or ransomware, the researcher pointed out.

Claroty researchers provided users with mitigation advice to help eliminate the SSRF and the local privilege escalation, according to Claroty. It advised the usage of dynamic parameters that configure all listeners to bind on dynamic ports and dynamic local IP addresses in the 127.0.0.0/8 range. It also advised implementing a secret token that the front-end must transfer to the back end in order to execute commands. The security token will be automatically generated with every bootup and will be configured with proper access control lists (ACLs) so local attackers could not use this to start a VPN session.

Users were also guided to limit the potential attack surface by refraining from executing OpenVPN with SYSTEM privileges whenever possible, the post said.

Last week, Claroty’s Team82 reached a key landmark with the release of its ‘250th vulnerability’ over two years into its existence. Team82’s disclosures include novel attack techniques for ICS devices and OT networks, notably within the domains of cloud, remote access, and targeting of PLCs. Identifying industrial software, firmware, and protocol vulnerabilities has given asset owners visibility into their risk exposure so that now networks largely running legacy code are briskly being connected to the internet.

“Our work has also included close collaboration with numerous vendors on not only vulnerability discovery and remediation, but also coordinating disclosure, and communicating safely with customers and the community,” according to a company post.

Earlier this month, Claroty’s Team82 and JFrog announced details of their collaboration on a vulnerability research project that examines BusyBox, a software suite of many useful Unix utilities, known as applets. Using static and dynamic techniques, Claroty’s Team82 and JFrog discovered 14 vulnerabilities affecting the latest version of BusyBox.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.