Vulnerability Found in Industrial Remote Access Product From Claroty

The Secure Remote Access (SRA) product of industrial cybersecurity firm Claroty is affected by a vulnerability that could be useful to threat actors targeting industrial organizations.

A patch has been available since April and the risk of exploitation in the wild is low, but the flaw is noteworthy as it’s not often that we hear of vulnerabilities in the products of ICS cybersecurity companies.

The vulnerability was discovered by the Alpha Strike Labs research unit at Austria-based operational technology (OT) security company Limes Security. Its existence was brought to light this week by Limes Security and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Claroty SRA is a secure remote access solution specifically built for OT environments, including in terms of operational, administrative and security needs.

Alpha Strike researchers discovered that an attacker with access to the targeted system can bypass access controls for the central configuration file of the SRA software.

“Successful exploitation of this vulnerability allows an attacker with local command line interface access to gain the secret key, subsequentially allowing them to generate valid session tokens for the web user interface (UI). With access to the web UI an attacker can access assets managed by the SRA installation and could compromise the installation,” CISA explained in its advisory.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Alpha Strike Labs researchers told SecurityWeek that the difficulty of exploiting this vulnerability depends on the configuration of the host where SRA is installed.

“In the scenario we encountered, any unprivileged local user of the SRA host could gain access to the sensitive information,” they said.

As for what an attacker could achieve in a real world environment, the researchers explained, “An attacker that successfully exploits this vulnerability may become administrator in SRA, which subsequently compromises assets that are managed through SRA. Practically this means an attacker can create valid sessions and thereby effectively gains illicit access to whatever industrial components or networks are protected via SRA, be it a production environment or critical infrastructure site.”

The vulnerability, tracked as CVE-2021-32958 and rated medium severity (CVSS score of 5.5), was reported to Claroty in late January and it was patched by the vendor in April with the release of version 3.2.1.

“Claroty worked collaboratively with security researchers to remediate a vulnerability in SRA 3.2 and earlier versions,” Claroty said in an emailed statement. “It represents a very low risk in practice as the vulnerability is not remotely exploitable and local OS level access (which is required to exploit) should already be limited to Admin users only. To patch this vulnerability, customers should upgrade to SRA 3.2.1 when permissible, and compensating controls are listed in the advisory associated with CVE-2021-32958 until they can upgrade.”

Related: Vulnerabilities in TBox RTUs Can Expose Industrial Organizations to Remote Attacks

Related: Serious Vulnerabilities Found in Schneider Electric Power Meters