
Ewon Cosy+ Industrial Remote Access Tool Vulnerable to Root Access Attacks

August 12, 2024Ravi LakshmananOperational Technology / Network Security


Vulnerabilities have been discovered in the Ewon Cosy+ industrial remote access solution that could be exploited to gain root privileges on devices and carry out further attacks.

These privileges could be used to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, or even to obtain properly signed X.509 VPN certificates for other devices in order to hijack their VPN sessions.

“This allows attackers to take over VPN sessions, resulting in a significant security risk for Cosy+ users and adjacent industrial infrastructure,” said Moritz Abrell, security researcher at SySS GmbH, in a new analysis.

The research results were presented at the DEF CON 32 conference, which took place last weekend.

The Ewon Cosy+ architecture relies on a VPN connection to the vendor-managed Talk2m platform, established over OpenVPN. Technicians connect remotely to the industrial gateway through a VPN relay that is likewise routed over OpenVPN.


The German penetration testing firm said it had discovered a command injection vulnerability in the operating system and a filter bypass that, together, allowed a reverse shell to be obtained by uploading a specially crafted OpenVPN configuration.

An attacker could then chain a cross-site scripting (XSS) vulnerability with the fact that the device stores the Base64-encoded credentials of the current web session in a cookie to gain administrative access and, ultimately, root access to the device.


“An unauthenticated attacker can gain root access to Cosy+ by combining the vulnerabilities found and, for example, waiting for an administrative user to log in to the device,” Abrell said.

The attack chain could then be extended further to configure persistence, access firmware-specific encryption keys, and decrypt the firmware update file. Furthermore, a hard-coded key stored in the password encryption binary could be used to extract secrets.


“Communication between Cosy+ and the Talk2m API is done over HTTPS and secured with mutual TLS (mTLS) authentication,” Abrell explained. “When a Cosy+ device is assigned to a Talk2m account, the device generates a certificate signing request (CSR) containing its serial number as the Common Name (CN) and sends it to the Talk2m API.”

This certificate, which the device retrieves via the Talk2m API, is then used for OpenVPN authentication. However, SySS found that relying exclusively on the device's serial number allows a threat actor to submit a CSR of their own bearing the serial number of the target device and successfully initiate a VPN session.
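The issuance flaw described above is that the CN (the serial number) is the only thing tying a CSR to a device. The Python model below is an added example, not code from the article, from SySS or from Ewon: it contrasts a serial-only issuance policy with one that binds enrollment to a one-time activation token and refuses re-enrollment of a serial that already holds a certificate. The CSR fields, the token scheme and the "newest certificate wins" relay behaviour are assumptions made for the model, not a description of the Talk2m API.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Csr:
    """Constructed stand-in for a CSR: only the fields the issuance decision
    looks at are modelled (hypothetical, not the real CSR format)."""
    common_name: str   # device serial number, as the article describes
    key_id: str        # fingerprint of the key pair the CSR was built with


@dataclass(frozen=True)
class IssuedCert:
    common_name: str
    key_id: str
    cert_serial: int


class SerialOnlyEnrollment:
    """Trusts the CN alone: whoever submits a CSR for a serial number gets a
    certificate for it, and the newest holder displaces the previous one."""

    def __init__(self) -> None:
        self._next_serial = 1
        self.active: dict[str, IssuedCert] = {}

    def enroll(self, csr: Csr) -> IssuedCert:
        cert = IssuedCert(csr.common_name, csr.key_id, self._next_serial)
        self._next_serial += 1
        self.active[csr.common_name] = cert  # silently overwrites any existing holder
        return cert


class TokenBoundEnrollment:
    """Hardened policy (an assumed design, not the vendor's): a CSR is accepted
    only with a one-time activation token provisioned to that device out of
    band, and an already-enrolled serial cannot be re-enrolled until an
    operator revokes it and issues a fresh token."""

    def __init__(self, activation_tokens: dict[str, str]) -> None:
        # Keep only digests of the tokens; compare them in constant time.
        self._token_digest = {cn: self._digest(t) for cn, t in activation_tokens.items()}
        self._next_serial = 1
        self.active: dict[str, IssuedCert] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def enroll(self, csr: Csr, activation_token: str) -> IssuedCert:
        cn = csr.common_name
        if cn in self.active:
            raise PermissionError(f"{cn}: already enrolled; revoke before re-enrolling")
        expected = self._token_digest.get(cn)
        if expected is None or not secrets.compare_digest(expected, self._digest(activation_token)):
            raise PermissionError(f"{cn}: activation token rejected")
        cert = IssuedCert(cn, csr.key_id, self._next_serial)
        self._next_serial += 1
        self.active[cn] = cert
        del self._token_digest[cn]  # the token is single use
        return cert

    def revoke(self, common_name: str, new_activation_token: str) -> None:
        """Operator action: drop the active certificate and provision a new token."""
        self.active.pop(common_name)
        self._token_digest[common_name] = self._digest(new_activation_token)


def demo() -> dict[str, str]:
    """Enroll a device, then a second party presenting the same CN, under both policies."""
    device = Csr("SN-0001", key_id="key-of-real-device")     # constructed
    other = Csr("SN-0001", key_id="key-of-other-party")      # same CN, different key

    naive = SerialOnlyEnrollment()
    naive.enroll(device)
    naive.enroll(other)

    bound = TokenBoundEnrollment({"SN-0001": "activation-token-printed-on-unit"})
    bound.enroll(device, "activation-token-printed-on-unit")
    try:
        bound.enroll(other, "activation-token-printed-on-unit")
        second_attempt = "accepted"
    except PermissionError as exc:
        second_attempt = f"rejected: {exc}"

    return {
        "serial_only_holder": naive.active["SN-0001"].key_id,
        "token_bound_holder": bound.active["SN-0001"].key_id,
        "token_bound_second_attempt": second_attempt,
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Under the serial-only policy the second CSR takes over the identity, which is the session hijack the article describes; under the token-bound policy the real device keeps its certificate and the attempt is logged as a rejection an operator can alert on.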


“The original VPN session will be overwritten, so the original device will no longer be accessible,” Abrell said. “If Talk2m users connect to the device using the Ecatcher VPN client software, they will be redirected to the attacker.”

“This allows attackers to perform further attacks on the client being used, such as accessing network services such as RDP or SMB of the victim client. The fact that the tunnel connection itself is not restricted facilitates this attack.”

“Because network communications are forwarded to the attacker, the original network and systems can be imitated to capture victim user input, such as uploaded PLC programs or similar.”

The news comes after Microsoft discovered multiple vulnerabilities in the OpenVPN protocol that could lead to remote code execution (RCE) and local privilege escalation (LPE).
