Security vulnerabilities in the industrial remote access gateway Ewon Cosy+ have been publicly disclosed. Chained together, the flaws let an attacker escalate privileges to root on the device and launch follow-on attacks from it.
That root access can then be weaponized to obtain properly signed X.509 VPN certificates for other devices, letting the attacker hijack their VPN sessions, and to decrypt encrypted firmware files and encrypted data, including passwords stored in configuration files.
In a recent analysis, security researcher Moritz Abrell of SySS GmbH stated, “This allows attackers to hijack VPN sessions, which results in significant security risks against users of the Cosy+ and the adjacent industrial infrastructure.”
The findings were presented at the DEF CON 32 conference over the weekend.
The Ewon Cosy+ is designed around an OpenVPN tunnel to a vendor-operated platform named Talk2m; technicians reach the industrial gateway remotely through this OpenVPN-based VPN relay.
The Germany-based pentest firm said it found a filter bypass and an operating system command injection vulnerability that together let an attacker upload a specially crafted OpenVPN configuration and obtain a reverse shell.
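The page does not say which directives the Cosy+ upload filter checked or how SySS got past it. The Go program below is an added example, not SySS's exploit or the vendor's code: it contrasts a denylist check on uploaded OpenVPN configurations with an allowlist parser. The two bypass forms it uses, a `--` prefix on a directive and a leading tab, are both accepted by OpenVPN's own config-file reader, which is why a prefix match on the canonical spelling is not enough. The sample configurations are constructed, `vpn.example.invalid` is a placeholder host and `/tmp/rev.sh` a placeholder script path.

```go
package main

import (
	"fmt"
	"strings"
)

// Directives that make OpenVPN run an external program (once script-security
// permits it) or load a plugin. Any of them in an uploaded config hands the
// uploader command execution as the user openvpn runs as.
var execDirectives = []string{
	"script-security", "up", "down", "route-up", "route-pre-down", "ipchange",
	"tls-verify", "client-connect", "client-disconnect", "auth-user-pass-verify",
	"learn-address", "plugin",
}

// What a client tunnel config legitimately needs; anything else is refused.
var allowedDirectives = map[string]bool{
	"client": true, "dev": true, "proto": true, "remote": true, "port": true,
	"nobind": true, "resolv-retry": true, "persist-key": true, "persist-tun": true,
	"ca": true, "cert": true, "key": true, "remote-cert-tls": true, "tls-client": true,
	"cipher": true, "auth": true, "verb": true, "keepalive": true,
}

var allowedInline = map[string]bool{"ca": true, "cert": true, "key": true, "tls-auth": true, "tls-crypt": true}

// naiveFilter is a denylist that only recognises a directive in canonical form
// at column 0, the kind of check a filter bypass walks past.
func naiveFilter(config string) error {
	for _, line := range strings.Split(config, "\n") {
		for _, d := range execDirectives {
			if line == d || strings.HasPrefix(line, d+" ") {
				return fmt.Errorf("rejected %q", d)
			}
		}
	}
	return nil
}

// directiveOf extracts the directive from one line as OpenVPN's config reader
// sees it: leading whitespace skipped, '#'/';' comments ignored, tabs as
// separators, and an optional leading "--" stripped.
func directiveOf(line string) string {
	line = strings.TrimSpace(line)
	if line == "" || line[0] == '#' || line[0] == ';' {
		return ""
	}
	return strings.TrimPrefix(strings.Fields(line)[0], "--")
}

// validateUpload is the allowlist form: every directive must be on the list,
// and inline blocks such as <ca>...</ca> are accepted only for the key material
// a tunnel needs.
func validateUpload(config string) error {
	lines := strings.Split(config, "\n")
	for i := 0; i < len(lines); i++ {
		d := directiveOf(lines[i])
		switch {
		case d == "":
		case strings.HasPrefix(d, "<") && strings.HasSuffix(d, ">"):
			tag := strings.Trim(d, "<>")
			if !allowedInline[tag] {
				return fmt.Errorf("line %d: inline block <%s> not permitted", i+1, tag)
			}
			for i++; i < len(lines) && strings.TrimSpace(lines[i]) != "</"+tag+">"; i++ {
			}
			if i == len(lines) {
				return fmt.Errorf("unterminated inline block <%s>", tag)
			}
		case !allowedDirectives[d]:
			return fmt.Errorf("line %d: directive %q not permitted", i+1, d)
		}
	}
	return nil
}

// Constructed samples, not material from the advisory. The crafted config hides
// its command-execution lines in forms OpenVPN accepts but the naive prefix
// check never sees: a "--" prefix and a leading tab.
const craftedConfig = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n" +
	"--script-security 2\n\tup /tmp/rev.sh\n"

const benignConfig = "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n" +
	"<ca>\n-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n</ca>\n" +
	"remote-cert-tls server\nverb 3\n"

func main() {
	fmt.Println("naive denylist, crafted config:", naiveFilter(craftedConfig))   // <nil>: bypassed
	fmt.Println("allowlist, crafted config     :", validateUpload(craftedConfig)) // rejected
	fmt.Println("allowlist, benign config      :", validateUpload(benignConfig))  // <nil>
}
```

The allowlist is the structural fix: it tokenises the line the way the consumer does before deciding, so spelling variants the denylist never anticipated are refused by default rather than let through. Note that even a clean directive list does not help if the file is later passed through a shell; the command injection the page mentions is a separate bug from the filter bypass.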
An attacker could then chain a persistent cross-site scripting (XSS) vulnerability with the device’s unencrypted cookie named “credentials”, which stores the Base64-encoded credentials of the active web session, to obtain administrator access and ultimately root the device.
“An unauthenticated attacker can gain root access to the Cosy+ by combining the found vulnerabilities and, e.g., waiting for an admin user to log in to the device,” Abrell stated.
Extending the attack chain, the firmware update file could be decrypted, persistence established, and firmware-specific encryption keys recovered. In addition, password encryption relies on a hard-coded key stored in the binary, so anyone who extracts that key can recover the encrypted secrets.
“The communication between the Cosy+ and the Talk2m API is done via HTTPS and secured via mutual TLS (mTLS) authentication,” Abrell said. “If a Cosy+ device is assigned to a Talk2m account, the device generates a certificate signing request (CSR) containing its serial number as a common name (CN) and sends it to the Talk2m API.”
This certificate is used for OpenVPN authentication and is retrievable by the device through the Talk2m API. Because enrollment relied solely on the serial number, SySS found that a threat actor could establish a VPN session as a target device simply by submitting their own CSR bearing that device’s serial number.
“The original VPN session will be overwritten, and thus the original device is not accessible anymore,” Abrell stated. “If Talk2m users connect to the device using the VPN client software Ecatcher, they will be forwarded to the attacker.”
“This enables attackers to carry out additional attacks on the targeted client, such as gaining access to the victim’s network services like RDP or SMB. This attack is made easier by the fact that the tunnel connection is unrestricted.”
“Since the network communication is forwarded to the attacker, the original network and systems could be imitated in order to intercept the victim’s user input, such as the uploaded PLC programs or similar.”
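The enrollment flaw and its consequence on the relay, as an added example that is not SySS's code or a description of Talk2m's implementation. The Go program below uses the standard library's x509 package to play both sides: a stand-in CA, a device that submits a CSR with its serial number as CN, and an attacker who submits a CSR with the same CN but their own key. `enrollBySerial` models what the page describes (only the serial is checked, so the attacker's key gets signed and the relay's CN-keyed session entry is overwritten). `enrollBound` is this example's assumed fix: the CN must equal the serial of the mTLS client identity that authenticated the API call; how the real service ties the two together is not on the page. Serial numbers and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type signingCA struct {
	key  ed25519.PrivateKey
	cert *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a throwaway self-signed CA playing the platform's role.
func newCA() *signingCA {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example VPN CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &signingCA{key: key, cert: cert}
}

// makeCSR is what a device, or anyone who knows its serial, submits: a CSR with the serial as CN, signed by a key only the submitter holds.
func makeCSR(serial string) []byte {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: serial}}, key)
	check(err)
	return der
}

// sign issues a certificate for the CSR's CN and public key.
func (ca *signingCA) sign(csr *x509.CertificateRequest) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// enrollBySerial models the weakness described above: the CN only has to be a known serial, so the API signs whatever key the CSR carries.
func enrollBySerial(ca *signingCA, known map[string]bool, csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proves possession of the CSR's key, says nothing about who the caller is
	}
	if err != nil {
		return nil, err
	}
	if !known[csr.Subject.CommonName] {
		return nil, fmt.Errorf("unknown serial %q", csr.Subject.CommonName)
	}
	return ca.sign(csr), nil
}

// enrollBound adds the missing binding: the CN must equal the serial of the mTLS identity that authenticated the call (this example's assumed fix, not Talk2m's).
func enrollBound(ca *signingCA, known map[string]bool, callerSerial string, csrDER []byte) (*x509.Certificate, error) {
	if csr, err := x509.ParseCertificateRequest(csrDER); err != nil {
		return nil, err
	} else if cn := csr.Subject.CommonName; cn != callerSerial {
		return nil, fmt.Errorf("CSR CN %q does not match authenticated device %q", cn, callerSerial)
	}
	return enrollBySerial(ca, known, csrDER)
}

// hijackDemo runs both policies against a constructed victim serial and reports where a CN-keyed relay ends up sending its traffic.
func hijackDemo() (peerForVictim string, boundErr error) {
	const victim = "2244-0001-24" // constructed serial, not a real device
	ca, known := newCA(), map[string]bool{victim: true}
	sessions := map[string]string{} // relay table keyed by certificate CN
	devCert, err := enrollBySerial(ca, known, makeCSR(victim))
	check(err)
	sessions[devCert.Subject.CommonName] = "device 203.0.113.10"
	atkCert, err := enrollBySerial(ca, known, makeCSR(victim)) // attacker's own key, victim's serial: accepted
	check(err)
	sessions[atkCert.Subject.CommonName] = "attacker 198.51.100.7" // same CN: the device's entry is replaced
	// Under the bound policy the attacker's API session is authenticated as its own device ("ATK-0001", constructed), so the CSR is refused.
	_, boundErr = enrollBound(ca, known, "ATK-0001", makeCSR(victim))
	return sessions[victim], boundErr
}

func main() { fmt.Println(hijackDemo()) }
```

The point of `CheckSignature` in the vulnerable path is worth noting: a valid CSR signature only proves the submitter holds the private key for the key in the CSR. It proves nothing about whether the submitter is the device named in the CN, which is exactly the gap a serial-number-only check leaves open.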
The disclosure coincides with Microsoft’s discovery of several OpenVPN vulnerabilities that could be leveraged to achieve remote code execution (RCE) and local privilege escalation (LPE).