Four critical vulnerabilities in industrial VPN solutions from vendors such as HMS Industrial Networks, Siemens, PerFact, and MB connect line

Specialists from the security firm Claroty reported the detection of multiple code execution vulnerabilities in various virtual private network (VPN) products that depend on OpenVPN. In total, 4 flaws were detected in products from HMS Industrial Networks, MB connect line, PerFact and Siemens, the exploitation of which would allow threat actors to execute code through a specially crafted website.

The researchers mention that OpenVPN-based products typically run OpenVPN as a service with SYSTEM privileges, which poses a severe security risk because any remote application that can reach the control channel is able to control the OpenVPN instance and start or terminate a secure connection.

Typically, VPN client-server architectures involve the presence of a frontend, a backend, and the OpenVPN service. Because in most cases a clear-text protocol is used over the dedicated socket channel through which the frontend controls the backend, and no authentication is required, anyone with access to the local TCP port on which the backend listens could upload an OpenVPN configuration and force the backend to spawn a new OpenVPN instance with that configuration.

Threat actors trying to exploit these flaws would only need to trick the target user into visiting a malicious website containing JavaScript code designed to send POST requests, which results in commands being injected into the VPN client backend, a server-side request forgery (SSRF) scenario.

According to experts, when the victim clicks on the specially crafted link, an HTTP POST request is sent to the dedicated TCP port; since HTTP is a plain text-based protocol, the backend server will ignore all lines it does not understand until it reaches a meaningful command.

Also, since the backend server automatically scans for and executes any valid command it receives, it could be forced to load a remote configuration file containing specific directives that lead to code execution or malware installation.
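To make the parsing weakness described above concrete, here is an added Python sketch (not code from the article or from any of the named vendors) that contrasts a lenient line-oriented backend parser with a hardened one. The command names, the port, the sample request and the session token are all hypothetical; the point is that a parser which skips unknown lines treats the body of a browser-issued POST exactly like input from the trusted frontend, while one that requires a local secret on the first line and aborts on the first unknown line never reaches that body.

```python
# Added illustration; command names, port and token are hypothetical.
KNOWN = {"LOAD_CONFIG", "START", "STOP"}
# Constructed sample of a browser-issued POST reaching the backend port:
# request line and headers first, then a body chosen by the web page.
RAW_POST = (
    "POST / HTTP/1.1\r\n"
    "Host: 127.0.0.1:1234\r\n"
    "Content-Length: 35\r\n"
    "\r\n"
    "LOAD_CONFIG untrusted.ovpn\r\n"
    "START\r\n"
)

def _split(line: str) -> tuple[str, str]:
    parts = line.strip().split(maxsplit=1)
    return (parts[0], parts[1] if len(parts) > 1 else "") if parts else ("", "")

def lenient_parse(stream: str) -> list[tuple[str, str]]:
    """Vulnerable pattern: skip unknown lines, accept known ones. The HTTP
    request line, headers and blank line are discarded and the body is obeyed."""
    accepted = []
    for line in stream.splitlines():
        verb, arg = _split(line)
        if verb in KNOWN:
            accepted.append((verb, arg))
    return accepted

def strict_parse(stream: str, token: str) -> list[tuple[str, str]]:
    """Hardened pattern: line one must carry a secret only the local frontend
    holds, and any unknown line aborts the session. A browser cannot choose the
    first line of an HTTP connection (it is the request line), so a forged POST
    fails before any command is read."""
    lines = stream.splitlines()
    if not lines or lines[0] != f"AUTH {token}":
        raise PermissionError("missing or invalid session token")
    accepted = []
    for line in lines[1:]:
        verb, arg = _split(line)
        if verb not in KNOWN:
            raise ValueError(f"protocol violation, closing session: {line!r}")
        accepted.append((verb, arg))
    return accepted

def is_rejected(stream: str, token: str) -> bool:
    try:
        strict_parse(stream, token)
    except (PermissionError, ValueError):
        return True
    return False
```

The token must be something a web page cannot obtain, for example a value generated at install time and readable only by the frontend process, otherwise the check adds nothing.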

The good news is that successful exploitation of this flaw would require access to the SMB server, so a threat actor would have to be on the affected network or otherwise have access to a vulnerable computer configured to allow SMB access to external servers.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.