Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vulnerability Found in Industrial Remote Access Product From Claroty

The Secure Remote Access (SRA) product of industrial cybersecurity firm Claroty is affected by a vulnerability that could be useful to threat actors targeting industrial organizations.

The Secure Remote Access (SRA) product of industrial cybersecurity firm Claroty is affected by a vulnerability that could be useful to threat actors targeting industrial organizations.

A patch has been available since April and the risk of exploitation in the wild is low, but the flaw is noteworthy as it’s not often that we hear of vulnerabilities in the products of ICS cybersecurity companies.

The vulnerability was discovered by the Alpha Strike Labs research unit at Austria-based operational technology (OT) security company Limes Security. Its existence was brought to light this week by Limes Security and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Claroty SRA is a secure remote access solution specifically built for OT environments, including in terms of operational, administrative and security needs.

Alpha Strike researchers discovered that an attacker with access to the targeted system can bypass access controls for the central configuration file of the SRA software.

“Successful exploitation of this vulnerability allows an attacker with local command line interface access to gain the secret key, subsequentially allowing them to generate valid session tokens for the web user interface (UI). With access to the web UI an attacker can access assets managed by the SRA installation and could compromise the installation,” CISA explained in its advisory.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Advertisement. Scroll to continue reading.

Alpha Strike Labs researchers told SecurityWeek that the difficulty of exploiting this vulnerability depends on the configuration of the host where SRA is installed.

“In the scenario we encountered, any unprivileged local user of the SRA host could gain access to the sensitive information,” they said.

As for what an attacker could achieve in a real world environment, the researchers explained, “An attacker that successfully exploits this vulnerability may become administrator in SRA, which subsequently compromises assets that are managed through SRA. Practically this means an attacker can create valid sessions and thereby effectively gains illicit access to whatever industrial components or networks are protected via SRA, be it a production environment or critical infrastructure site.”

The vulnerability, tracked as CVE-2021-32958 and rated medium severity (CVSS score of 5.5), was reported to Claroty in late January and it was patched by the vendor in April with the release of version 3.2.1.

“Claroty worked collaboratively with security researchers to remediate a vulnerability in SRA 3.2 and earlier versions,” Claroty said in an emailed statement. “It represents a very low risk in practice as the vulnerability is not remotely exploitable and local OS level access (which is required to exploit) should already be limited to Admin users only. To patch this vulnerability, customers should upgrade to SRA 3.2.1 when permissible, and compensating controls are listed in the advisory associated with CVE-2021-32958 until they can upgrade.”

Related: Vulnerabilities in TBox RTUs Can Expose Industrial Organizations to Remote Attacks

Related: Serious Vulnerabilities Found in Schneider Electric Power Meters

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...