The FBI has published an investigation into attacks in which cyber criminals exploited security flaws in VPN software to break into networks and then establish a foothold in them. In the specific case, the analyzed vulnerability gave access to an unrestricted file upload function, through which attackers could upload a webshell and carry out further activities with root rights.
Abusing security gaps in VPN solutions to break into networks is now part of the standard repertoire of cyber gangs. For over a year this has appeared near the top of the list of the most routinely exploited vulnerabilities compiled jointly by the US CISA, the Australian ACSC, the UK NCSC and the FBI.
The FBI forensic analysts were able to trace attacks on the vulnerability under investigation back to at least May 2021. According to the detailed analysis, the attackers used it for advanced persistent threat (APT) attacks, that is, to sneak into the network, persist in it, remain active for a long time undetected and move around within it. As a rule, such groups begin this kind of network infiltration in order, for example, to access data without authorization or to extort ransom money by smuggling in ransomware.
In the warning, the FBI names the VPN software FatPipe WARP, MPVPN and IPVPN as affected. The latest versions 10.1.2r60p93 and 10.2.2r44p1 are intended to close the security holes. Users of the software can obtain the updated versions from the manufacturer.
Industrial VPN solutions with vulnerabilities
Claroty security researchers have discovered security gaps in VPN solutions based on OpenVPN that are mostly used in industrial environments. Some of these can be classified as critical and also allow attackers to smuggle in malicious code.
The gaps apparently stem from the fact that the OpenVPN service runs locally in the SYSTEM context. The user interface, on the other hand, works with low rights and sends its commands to this service in plain text and without authentication. Applications can therefore impose maliciously manipulated configurations on the service and execute arbitrary code with the rights of the service, i.e. SYSTEM. This is how a collective report from VDE-CERT describes it for mbDIALUP (CVE-2021-33526). A second vulnerability in mbDIALUP (CVE-2021-33527) made it possible to send commands to the operating system. Versions mbDIALUP 3.9R0.5 and newer seal the security leaks.
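The defensive counterpart to the design flaw described above is that a privileged helper must never apply a client-supplied configuration unchecked. As an added example (not code from the article, from Claroty or from any vendor named here), the following validator rejects every OpenVPN directive that makes the daemon run an external program, and accepts file references only from a directory the service itself controls; the directive names are OpenVPN's documented ones, while the `ALLOWED_DIR` path is an assumption for the example.

```python
import shlex
from pathlib import PurePosixPath

# OpenVPN directives that cause the daemon to execute an external program or
# load code. A configuration arriving over an unauthenticated local channel must
# never contain them, because the service would run them as SYSTEM/root.
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "plugin", "script-security",
}

# Directives whose argument is a file path; the path must stay inside the
# service's own profile directory (assumed location, constructed for this example).
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth", "tls-crypt", "config",
                   "log", "log-append", "status", "writepid"}
ALLOWED_DIR = PurePosixPath("/var/lib/vpn-service/profiles")


def _inside(path: str) -> bool:
    """True if path is absolute, contains no '..' and lies below ALLOWED_DIR."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return ALLOWED_DIR in p.parents


def validate_config(text: str) -> list:
    """Return human-readable violations; an empty list means the config may be applied."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # OpenVPN treats '#' and ';' as comment markers.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        try:
            parts = shlex.split(line)
        except ValueError:
            problems.append(f"line {lineno}: unparsable quoting")
            continue
        directive, args = parts[0].lower(), parts[1:]
        if directive in EXEC_DIRECTIVES:
            problems.append(f"line {lineno}: '{directive}' would execute code as the service user")
        elif directive in FILE_DIRECTIVES and args and not _inside(args[0]):
            problems.append(f"line {lineno}: '{directive}' points outside {ALLOWED_DIR}")
    return problems
```

Authenticating the client on the local channel (for example with a named-pipe ACL on Windows) is still required; the validator only limits what an authenticated client can make the service do.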
Other affected products
Similarly, Siemens closes security gaps allowing possible privilege escalation in SINEMA Remote Connect Client with version V3.0 SP1 and newer (CVE-2020-14498). Users of the HMS eCatcher VPN solution should update to version 6.5.5 or newer to iron out these mistakes (CVE-2020-14498). Finally, the Claroty security researchers found that such gaps also exist in the PerFact OpenVPN client (CVE-2021-27406).
Even in industrial environments, administrators have to keep the software solutions in use up to date in order to prevent successful attacks on the infrastructure and potentially major material damage. They should now check that the VPN solutions in use are up to date and, if necessary, roll out security updates promptly.
[Update from 23.11.2021, 16:00] According to the manufacturer, the fixed version of mbDIALUP is 3.9R0.5. We have corrected this.