All Roads Lead to OpenVPN: Pwn’ing Industrial Remote Access Clients
2021-09-03, 11:00–11:40, Main track

In the past year, due to the increased popularity and growing remote workforce, we decided to explore VPN/remote-access solutions. We found that the majority of these solutions, in their client side, consist of an application that manages an OpenVPN instance to handle the secure tunnel. After inspecting a couple of such products, especially in the industrial sector, we identified a key problem with the way these types of products harness OpenVPN—a problem that, in most cases, can lead to a 1-click RCE on the VPN client side, just by luring a victim to a malicious website.

In this talk we will describe what industrial remote access solutions are, their common architecture, why most of them are using OpenVPN behind the scenes to control the encrypted tunnel, and how they manage the VPN tunnel using the OpenVPN Management Interface. We will continue with presenting the key implementation flaw we identified in the VPN client side software, and how we were able to exploit it to gain a SSRF to RCE with high-privileges on endpoint machines.

Finally, we will showcase 4 CVEs of 4 different vendors (Siemens, eWon, mbConnectLine, and PerFact) that we were able to exploit following our research. The exploits range from a local privilege escalation and 1-click RCE with SYSTEM privileges (Windows). Our demo will be focused around how an innocent looking phishing campaign can result with a reverse shell to a remote attacker.

Sharon Brizinov is the vulnerability research team lead at Claroty. He specializes in vulnerability research, malware analysis, network forensics, and ICS/SCADA security. In addition, Brizinov participated in well-known hacking competitions such as Pwn2Own, and he holds a DEFCON black-badge for winning the ICS CTF.