Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
attackerkbAttackerKBAKB:F70DFA93-8312-4DDA-804A-ADA91F8A8DD5
HistoryJul 31, 2020 - 12:00 a.m.

CVE-2020-14500

2020-07-3100:00:00
attackerkb.com
25

0.002 Low

EPSS

Percentile

59.6%

JSON

The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client. This could allow an attacker to remotely exploit GateManager to achieve remote code execution without any authentication required. If carried out successfully, such an attack could result in a complete security breach that grants full access to a customer’s internal network, along with the ability to decrypt all traffic that passes through the VPN.

Recent assessments:

wvu-r7 at July 31, 2020 3:50pm UTC reported:

The web functionality is implemented in the x86 gm_server binary.

Using the Claroty report and a hunch, I decided to test the Content-Length header for negative values:

> The discovered bug occurs due to improper handling of some of the HTTP request headers provided by the client.
>
> [snip]
>
> CVE-2020-14500
IMPROPER NEUTRALIZATION OF NULL BYTE OR NULL CHARACTER CWE-158
An attacker can send a negative value and overwrite arbitrary data.

On the /admin page, setting Content-Length to a large negative value yielded a segfault in the gm_server process:

[30665.430945] gm_server[25115]: segfault at 56e35df1 ip 00000000566c0816 sp 00000000ffcb6bf0 error 6 in gm_server[565cf000+175000]
[30665.430952] Code: e8 e8 ee f4 ff ff 89 c7 e9 61 fe ff ff 8d b4 26 00 00 00 00 8b 95 60 02 00 00 85 d2 0f 84 93 00 00 00 8b 85 68 02 00 00 31 ff <c6> 04 02 00 8b 45 14 83 f8 02 0f 84 34 fe ff ff 0f 82 84 02 00 00

Note that a watchdog restarts the process when it crashes.

For GateManager 8250 on Linux, the gm_server binary has NX and PIE enabled. The embedded 4260 and 9250 models have only NX:

RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      Symbols         FORTIFY Fortified       Fortifiable     FILE
No RELRO        No canary found   NX enabled    No PIE          No RPATH   No RUNPATH   No Symbols        No    0               22              gm_server.unpatched

Exploitability of the embedded models seems high, given that PIE isn’t enabled. NX and system ASLR can be bypassed with ROP.

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 3

Related

cvelist 1
cve 1
prion 1
nvd 1
thn 1
ics 1
threatpost 1
attackerkb 1
cvelist
cvelist
CVE-2020-14500 IMPROPER NEUTRALIZATION OF NULL BYTE OR NUL CHARACTER CWE-158
2020-07-28 00:00:00
cve
cve
CVE-2020-14500
2020-08-25 14:15:15
prion
prion
Code injection
2020-08-25 14:15:00
nvd
nvd
CVE-2020-14500
2020-08-25 14:15:15
thn
thn
Industrial VPN Flaws Could Let Attackers Target Critical Infrastructures
2020-07-29 11:12:00
ics
ics
Secomea GateManager
2020-07-28 12:00:00
threatpost
threatpost
Critical Bugs in Utilities VPNs Could Cause Physical Damage
2020-07-29 18:02:03
attackerkb
attackerkb
Remote Code Execution Vulnerabilities in Secomea, Moxa, and HMS eWon VPNs
2020-12-21 00:00:00

0.002 Low

EPSS

Percentile

59.6%

JSON
Related for AKB:F70DFA93-8312-4DDA-804A-ADA91F8A8DD5
cvelist1cve1prion1nvd1thn1ics1threatpost1attackerkb1