Vulnerable Root Access Exploits Found in Ewon Cosy+ Industrial Remote Tool

Aug 12, 2024Ravie LakshmananOperational Technology / Network Security


Security vulnerabilities have been disclosed in the Ewon Cosy+ industrial remote access solution that could be abused to gain root access to the devices and stage follow-on attacks.

Those root privileges can be used to decrypt the encrypted firmware and the data it protects, including passwords stored in configuration files, and to obtain valid X.509 VPN certificates with which to take over the VPN sessions of other devices.

“The exploitation of these vulnerabilities can lead to compromising VPN sessions, posing a significant threat to both Ewon Cosy+ users and surrounding industrial infrastructure,” said Moritz Abrell, a security researcher at SySS GmbH, in a report.

The findings were presented at the DEF CON 32 conference.

Ewon Cosy+ is built around an OpenVPN tunnel to Talk2m, a cloud platform operated by the vendor. Technicians reach the industrial gateway remotely through that OpenVPN relay.


The German security firm identified an operating system command injection vulnerability and a filter bypass that together allowed it to obtain a reverse shell by uploading a specially crafted OpenVPN configuration file.
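The page does not say which OpenVPN directive or which filter was involved on the Cosy+, so what follows is a general hardening check rather than a reproduction of the SySS finding. It is an added example, not code from SySS, Ewon or this article: it parses an uploaded OpenVPN client profile the way OpenVPN itself reads one (comments, optional leading `--`, inline `<ca>` blocks) and rejects any directive that executes programs, loads plugins or includes other files. The allowlist of permitted connection settings is an assumption to be tuned per deployment, and both sample profiles are constructed.

```python
import re

# Standard OpenVPN options that run external programs, load plugins or pull
# in other files. In an uploaded profile each of them is a command-execution
# primitive, not a connection setting. (Which one the Cosy+ filter missed is
# not stated on the page; this is the general set to refuse.)
EXEC_DIRECTIVES = frozenset({
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "plugin", "script-security",
    "iproute", "config",
})

# Connection settings a gateway may accept from an uploaded profile
# (assumed allowlist; adjust to what the deployment actually needs).
ALLOWED_DIRECTIVES = frozenset({
    "client", "dev", "proto", "remote", "port", "nobind", "resolv-retry",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth",
    "data-ciphers", "verb", "mute", "keepalive", "ca", "cert", "key",
    "tls-auth", "tls-crypt", "key-direction",
})

_INLINE_OPEN = re.compile(r"^<([a-z-]+)>$")


def parse_ovpn(text):
    """Yield (directive, args) per option line, following OpenVPN's config
    grammar closely enough to survive the usual filter bypasses: lines
    starting with '#' or ';' are comments, a leading '--' is optional in
    config files, surrounding whitespace is ignored, and the body of an
    inline block such as <ca>...</ca> is data rather than directives."""
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue
        m = _INLINE_OPEN.match(line)
        if m:
            inline = m.group(1)
            yield inline, []
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        if name.startswith("--"):
            name = name[2:]
        yield name, args


def audit_ovpn(text):
    """Return the reasons an uploaded profile must be rejected ([] = accept)."""
    reasons = []
    for name, args in parse_ovpn(text):
        if name in EXEC_DIRECTIVES:
            reasons.append(f"command-execution directive: {' '.join([name, *args])}")
        elif name not in ALLOWED_DIRECTIVES:
            reasons.append(f"directive not on allowlist: {name}")
    return reasons


# Constructed sample profiles (not taken from the advisory).
BENIGN_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""

HOSTILE_PROFILE = """\
client
dev tun
remote vpn.example.invalid 1194
; the leading '--' is legal in config files and slips past a filter that
; only looks for lines starting with "up " or "script-security"
--script-security 2
  --up /tmp/x.sh
"""

if __name__ == "__main__":
    print("benign :", audit_ovpn(BENIGN_PROFILE) or "accepted")
    print("hostile:", audit_ovpn(HOSTILE_PROFILE))
```

An allowlist is the right shape for this check: a denylist of dangerous directives is only as good as the parser's agreement with OpenVPN's own, which is exactly where a filter bypass lives, whereas an unknown directive under an allowlist is refused by default.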

An attacker could also chain a persistent cross-site scripting (XSS) vulnerability with the fact that the device stores the current web session's credentials, Base64-encoded, in an unprotected cookie named credentials. Injected script can read that cookie and hand the attacker administrative access, which can then be escalated to root.
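A check for the cookie handling described above, as an added example (not Ewon's code, nor SySS's): it parses a Set-Cookie header, tests whether the value is just Base64 of a user:password pair, and reports missing HttpOnly, Secure and SameSite attributes, the first of which is what lets a stored-XSS payload read the cookie through document.cookie. Both header strings are constructed; admin:hunter2 is a made-up login.

```python
import base64
import binascii


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as HttpOnly map to True."""
    first, *attrs = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    flags = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), flags


def decoded_credentials(value):
    """Return the plaintext if the cookie value is Base64 of printable text
    containing ':' (the user:password shape), else None. This is a heuristic:
    a random session id only rarely decodes to printable text of that form."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() and ":" in text else None


def audit_session_cookie(header):
    """Return findings for a session cookie ([] means nothing was flagged)."""
    name, value, flags = parse_set_cookie(header)
    findings = []
    creds = decoded_credentials(value)
    if creds is not None:
        findings.append(f"{name}: value is Base64 of {creds!r}, the login itself rather than a session id")
    if not flags.get("httponly"):
        findings.append(f"{name}: missing HttpOnly, so injected script can read it via document.cookie")
    if not flags.get("secure"):
        findings.append(f"{name}: missing Secure, so it is also sent over plain HTTP")
    if "samesite" not in flags:
        findings.append(f"{name}: missing SameSite")
    return findings


# Constructed headers, not captured from a device.
WEAK_COOKIE = "credentials=YWRtaW46aHVudGVyMg==; Path=/"
HARDENED_COOKIE = "session=g7Q-x9Kp2LmZ0AbV3qRtWnCeYuXs1Hd; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        print(header)
        for finding in audit_session_cookie(header) or ["  no findings"]:
            print("  " + finding)
```

HttpOnly blunts cookie theft by XSS but does nothing against the XSS itself, and a cookie that is the password encoded rather than an opaque session id cannot be revoked without changing the password; the hardened header fixes both by carrying a random session identifier.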


“Through a combination of these discovered vulnerabilities, an unauthorized party can gain root control over the Cosy+. For example, this could involve waiting for an administrator to log into the device,” stated Abrell.

The attack could then be extended to establish persistence, recover the firmware-specific encryption keys and decrypt the firmware update file. A key hard-coded in one of the binaries for encrypting passwords could likewise be used to extract stored credentials.


“Communication between the Cosy+ and the Talk2m API is secured with mutual TLS (mTLS) authentication over HTTPS,” elaborated Abrell. “When a Cosy+ device is linked to a Talk2m account, it generates a certificate signing request with its serial number as the common name (CN) for the Talk2m API.”

The device retrieves the signed certificate through the Talk2m API and uses it to authenticate its OpenVPN connection. SySS found, however, that the backend relies solely on the serial number to identify the device: a threat actor who knows a target's serial number can submit a certificate signing request carrying that serial number, obtain a certificate for it, and start a VPN session as that device.


“As a consequence, the original VPN session will be overridden, rendering the original device inaccessible,” mentioned Abrell. “When Talk2m users connect to the device via the Ecatcher VPN client, they unwittingly connect to the attacker.”

Because the tunnel connections are not restricted, the attacker can then turn on the connecting client itself, for example by reaching network services such as RDP or SMB on the technician's workstation.

“Since network traffic is redirected to the attacker, it’s possible to impersonate the original network and systems, intercepting the victim’s inputs such as uploaded PLC programs,” Abrell added.
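To make the trust gap in the enrollment and relay flow described above concrete, here is an added model of it (not Ewon, Talk2m or SySS code, with HMAC tags standing in for real X.509 signatures so it runs on the standard library). The device's CSR carries its serial number as CN; the API issues a certificate when the serial is registered; the relay keeps one VPN session per serial and lets a later valid certificate replace the earlier one. With the serial as the only check, an attacker who knows a target's serial takes over its session and receives the technician's traffic. Pinning the serial to the first public key that enrolled it, which is an assumed mitigation and not the vendor's fix, makes the forged CSR fail. Serial numbers, key names and host labels are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for the CA's private key. Certificates below carry an HMAC tag
# instead of a real signature; the trust decision being modelled does not
# depend on that substitution.
CA_SECRET = secrets.token_bytes(32)


@dataclass(frozen=True)
class Cert:
    cn: str       # device serial number, as in the Cosy+ CSR
    pubkey: str   # public key bound to the serial (toy: an opaque string)
    tag: str      # toy "signature" over (cn, pubkey)


def _tag(cn, pubkey):
    return hmac.new(CA_SECRET, f"{cn}|{pubkey}".encode(), hashlib.sha256).hexdigest()


def issue(cn, pubkey):
    return Cert(cn, pubkey, _tag(cn, pubkey))


def verify(cert):
    """What the VPN endpoint checks: the cert is CA-issued and untampered."""
    return hmac.compare_digest(cert.tag, _tag(cert.cn, cert.pubkey))


class EnrollmentAPI:
    """Signs CSRs whose CN is a serial linked to an account.

    bind_key_to_serial=False reproduces the policy the page describes: the
    serial number alone decides. True adds the (assumed) fix of pinning the
    serial to the first public key that enrolled it, so a later CSR for the
    same serial from a different key is refused.
    """

    def __init__(self, bind_key_to_serial):
        self.registered = set()   # serials linked to a Talk2m-style account
        self.enrolled = {}        # serial -> public key of first enrollment
        self.bind = bind_key_to_serial

    def register(self, serial):
        self.registered.add(serial)

    def sign_csr(self, csr_cn, csr_pubkey):
        if csr_cn not in self.registered:
            raise PermissionError("unknown serial")
        if self.bind:
            owner = self.enrolled.setdefault(csr_cn, csr_pubkey)
            if owner != csr_pubkey:
                raise PermissionError("serial already bound to another key")
        return issue(csr_cn, csr_pubkey)


class VpnRelay:
    """Relay that keeps one session per serial, keyed on the certificate CN."""

    def __init__(self):
        self.sessions = {}   # serial -> connected peer

    def connect(self, cert, peer):
        if not verify(cert):
            raise PermissionError("certificate not issued by the CA")
        # A second valid certificate for the same CN replaces the first:
        # this is the session override the page describes.
        self.sessions[cert.cn] = peer
        return peer

    def route_technician(self, serial):
        """Where a technician's Ecatcher-style connection to `serial` lands."""
        return self.sessions[serial]


def scenario(bind_key_to_serial):
    """The real device enrols first; then an attacker who knows only the
    serial submits a CSR for it. Returns who receives the technician's traffic."""
    api = EnrollmentAPI(bind_key_to_serial)
    relay = VpnRelay()
    api.register("SN-0001")                      # constructed serial
    relay.connect(api.sign_csr("SN-0001", "pk-real-device"), "real-cosy")
    try:
        relay.connect(api.sign_csr("SN-0001", "pk-attacker"), "attacker-host")
    except PermissionError:
        pass                                     # refused under the hardened policy
    return relay.route_technician("SN-0001")


if __name__ == "__main__":
    print("serial-only policy :", scenario(False))   # attacker-host
    print("serial+key binding :", scenario(True))    # real-cosy
```

Pinning to the first enrolling key is trust-on-first-use: it protects a device that has already enrolled but not a serial the attacker manages to enrol first, which a one-time enrollment token handed out when the device is linked to the account would cover. The practitioner's question is the same in both cases: does the backend bind the certificate to something an attacker cannot read off the device's label?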

The disclosure comes as Microsoft recently detailed several vulnerabilities in OpenVPN that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).
