Safety vulnerabilities have been disclosed within the industrial distant entry answer Ewon Cosy+ that may very well be abused to realize root privileges to the gadgets and stage follow-on assaults.
The elevated entry might then be weaponized to decrypt encrypted firmware information and encrypted information similar to passwords in configuration information, and even get appropriately signed X.509 VPN certificates for overseas gadgets to take over their VPN periods.
“This allows attackers hijacking VPN sessions which results in significant security risks against users of the Cosy+ and the adjacent industrial infrastructure,” SySS GmbH safety researcher Moritz Abrell mentioned in a brand new evaluation.
The findings had been offered on the DEF CON 32 convention over the weekend. Following accountable disclosure, the problems have been addressed in firmware variations 21.2s10 and 22.1s3 as a part of an advisory [PDF] issued by Ewon on July 29, 2024 –
- CVE-2024-33892 (CVSS rating: 7.4) – Data leakage by means of cookies
- CVE-2024-33893 (CVSS rating: 2.1) – XSS when displaying the logs attributable to improper enter sanitization
- CVE-2024-33894 (CVSS rating: 1.0) – Execution of a number of processes with elevated privileges
- CVE-2024-33895 (CVSS rating: 4.4) – Utilization of a novel key to encrypt the configuration parameters
- CVE-2024-33896 (CVSS rating: 3.3) – Code injection attributable to improper parameter blacklisting
- CVE-2024-33897 (CVSS rating: N/A) – A compromised gadgets may very well be used to request a Certificates Signing Request (CSR) from Talk2m for an additional gadget, leading to an availability problem
Ewon Cosy+’s structure entails the usage of a VPN connection that is routed to a vendor-managed platform referred to as Talk2m through OpenVPN. Technicians can remotely connect with the economic gateway via a VPN relay that happens by means of OpenVPN.
The Germany-based pentest firm mentioned it was capable of uncover an working system command injection vulnerability and a filter bypass that made it potential to acquire a reverse shell by importing a specifically crafted OpenVPN configuration.
An attacker might have subsequently taken benefit of a persistent cross-site scripting (XSS) vulnerability and the truth that the gadget shops the Base64-encoded credentials of the present internet session in an unprotected cookie-named credentials to realize administrative entry and finally root it.
“An unauthenticated attacker can gain root access to the Cosy+ by combining the found vulnerabilities and e.g., waiting for an admin user to log in to the device,” Abrell mentioned.
The assault chain might then be prolonged additional to arrange persistence, entry firmware-specific encryption keys, and decrypt the firmware replace file. What’s extra, a hard-coded key saved throughout the binary for password encryption may very well be leveraged to extract the secrets and techniques.
“The communication between the Cosy+ and the Talk2m API is done via HTTPS and secured via mutual TLS (mTLS) authentication,” Abrell defined. “If a Cosy+ device is assigned to a Talk2m account, the device generates a certificate signing request (CSR) containing its serial number as common name (CN) and sends it to the Talk2m API.”
This certificates, which will be accessed through the Talk2m API by the gadget, is used for OpenVPN authentication. Nevertheless, SySS discovered that the only reliance on the gadget serial quantity may very well be exploited by a risk actor to enroll their very own CSR with a serial quantity if a goal gadget and efficiently provoke a VPN session.
“The original VPN session will be overwritten, and thus the original device is not accessible anymore,” Abrell mentioned. “If Talk2m users connect to the device using the VPN client software Ecatcher, they will be forwarded to the attacker.”
“This allows attackers to conduct further attacks against the used client, for example accessing network services such as RDP or SMB of the victim client. The fact that the tunnel connection itself is not restricted favors this attack.”
“Since the network communication is forwarded to the attacker, the original network and systems could be imitated in order to intercept the victim’s user input such as the uploaded PLC programs or similar.”
The event comes as Microsoft uncovered a number of flaws in OpenVPN that may very well be chained to attain distant code execution (RCE) and native privilege escalation (LPE).
(The story was up to date after publication to incorporate further particulars concerning the CVE identifiers and the supply of the patches.)
