Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be exploited to gain root privileges to the devices and launch follow-on attacks.
The elevated access could then be used to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even acquire correctly signed X.509 VPN certificates for foreign devices to take over their VPN sessions.
“This allows attackers hijacking VPN sessions which results in significant security risks against users of the Cosy+ and the adjacent industrial infrastructure,” SySS GmbH security researcher Moritz Abrell stated in a recent analysis.
The discoveries were shared at the DEF CON 32 conference over the weekend.
The Ewon Cosy+ establishes an OpenVPN connection to a vendor-managed platform called Talk2m, and technicians reach the industrial gateway remotely through that VPN relay.
The Germany-based pentest company revealed an operating system command injection vulnerability and a filter bypass, allowing an attacker to obtain a reverse shell by uploading a specially crafted OpenVPN configuration.
An attacker could then leverage a persistent cross-site scripting (XSS) vulnerability and the fact that the device stores the Base64-encoded credentials of the current web session in an unprotected cookie named credentials to gain administrative access and ultimately root access.
“An unauthenticated attacker can gain root access to the Cosy+ by leveraging the discovered vulnerabilities and e.g., waiting for an admin user to log in to the device,” Abrell mentioned.
The attack chain could then be extended further to establish persistence, access firmware-specific encryption keys, and decrypt the firmware update file. Additionally, a hard-coded key stored within the binary for password encryption could be used to extract the secrets.
“The communication between the Cosy+ and the Talk2m API is done via HTTPS and secured via mutual TLS (mTLS) authentication,” Abrell explained. “If a Cosy+ device is assigned to a Talk2m account, the device generates a certificate signing request (CSR) containing its serial number as common name (CN) and sends it to the Talk2m API.”
This certificate, which the device retrieves via the Talk2m API, is used for OpenVPN authentication. However, SySS found that the sole reliance on the device serial number could be exploited by a threat actor to enroll their own CSR with the serial number of a target device and successfully initiate a VPN session.
“The original VPN session will be overwritten, and thus the original device is not accessible anymore,” Abrell said. “If Talk2m users connect to the device using the VPN client software Ecatcher, they will be forwarded to the attacker.”
“This allows attackers to conduct further attacks against the used client, for example accessing network services such as RDP or SMB of the victim client. The fact that the tunnel connection itself is not restricted favors this attack.”
“Since the network communication is forwarded to the attacker, the original network and systems could be imitated in order to intercept the victim’s user input such as the uploaded PLC programs or similar.”
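To make the enrollment weakness described above concrete, here is an added example (not Ewon, Talk2m or SySS code) contrasting a serial-only enrollment policy with a hardened one. It assumes a hypothetical enrollment service where each device authenticates the request with a factory-provisioned per-device client certificate whose subject carries the serial, so the service can bind the CSR's CN to the authenticated identity and refuse to replace an active VPN session.

```python
"""Enrollment policy check for a Talk2m-style CSR flow (added example).

CSRs and client certificates are modelled as plain values; the registry,
function names and the sample serials are hypothetical and constructed.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Registry:
    # serial -> True while a VPN session for that serial is active
    active_sessions: dict = field(default_factory=dict)
    # serial -> fingerprint of the client certificate that enrolled it
    owners: dict = field(default_factory=dict)


def cert_fingerprint(cert_der: bytes) -> str:
    """Identity of the mTLS client: SHA-256 of the (constructed) cert DER."""
    return hashlib.sha256(cert_der).hexdigest()


def weak_enroll(reg: Registry, csr_cn: str) -> str:
    """Weak policy: a CSR carrying a known serial as CN is always signed,
    so re-enrolling an active serial silently overwrites its session."""
    reg.owners[csr_cn] = "unverified"
    reg.active_sessions[csr_cn] = True
    return "issued"


def hardened_enroll(reg: Registry, csr_cn: str, client_fp: str,
                    client_serial: str) -> str:
    """Hardened policy: the CSR CN must equal the serial of the authenticated
    client certificate, a serial stays bound to the identity that first
    enrolled it, and an active session is never overwritten."""
    if csr_cn != client_serial:
        return "reject: CN does not match authenticated device serial"
    owner = reg.owners.get(csr_cn)
    if owner is not None and owner != client_fp:
        return "reject: serial already bound to another identity"
    if reg.active_sessions.get(csr_cn):
        return "reject: active VPN session exists for this serial"
    reg.owners[csr_cn] = client_fp
    reg.active_sessions[csr_cn] = True
    return "issued"


def end_session(reg: Registry, serial: str) -> None:
    """Device disconnected cleanly; the same owner may re-enroll later."""
    reg.active_sessions[serial] = False
```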
This development coincides with Microsoft’s discovery of multiple flaws in OpenVPN that could be combined to achieve remote code execution (RCE) and local privilege escalation (LPE).