August 12, 2024 at 03:45AM
Vulnerabilities in Ewon Cosy+ industrial remote access solution could allow attackers to gain root privileges, decrypt encrypted data, and hijack VPN sessions, posing significant security risks. The findings were presented at DEF CON 32. Attackers could exploit OpenVPN vulnerabilities to gain administrative and ultimately root access, compromise VPN sessions, and intercept user input.
From the meeting notes, the following key takeaways can be summarized:
1. Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+, potentially allowing attackers to gain root privileges and stage follow-on attacks.
2. The vulnerabilities could be exploited to decrypt encrypted firmware files, passwords, and obtain correctly signed X.509 VPN certificates for foreign devices to take over their VPN sessions.
3. Attacks could be executed by hijacking VPN sessions, leading to significant security risks against users of the Cosy+ and adjacent industrial infrastructure.
4. The Ewon Cosy+ architecture involves the use of a VPN connection routed to a vendor-managed platform called Talk2m via OpenVPN. Technicians can remotely connect to the industrial gateway through a VPN relay using OpenVPN.
5. The vulnerabilities discovered include operating system command injection, filter bypass, cross-site scripting (XSS), and a hard-coded key stored within the binary for password encryption.
6. An unauthenticated attacker could gain root access to the Cosy+ by exploiting the found vulnerabilities and waiting for an admin user to log in to the device.
7. The communication between the Cosy+ and the Talk2m API is done via HTTPS and secured via mutual TLS (mTLS) authentication, but there are exploitable weaknesses in the certificate management process.
8. The original VPN session could be overwritten, allowing attackers to access network services and intercept victim’s user input, posing further security risks.
9. These vulnerabilities in OpenVPN are in addition to multiple flaws uncovered by Microsoft, potentially leading to remote code execution (RCE) and local privilege escalation (LPE).
These clear takeaways provide a comprehensive understanding of the security vulnerabilities discussed at the meeting.