-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-033
Product:                   Ewon Cosy+
Manufacturer:              HMS Industrial Networks AB
Affected Version(s):       Firmware Versions: all versions
Tested Version(s):         Firmware Version: 21.2s7
Vulnerability Type:        Execution with Unnecessary Privileges (CWE-250)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2024-04-10
Solution Date:             Not yet fixed
Public Disclosure:         2024-08-11
CVE Reference:             CVE-2024-33894
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between the
machine (PLC, HMI, or other devices) and the remote engineer. The
connection happens through Talk2m, a highly secured industrial cloud
service. The Ewon Cosy+ makes industrial remote access easy and secure
like never before!"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Ewon Cosy+ executes all tasks and services in the context of the
user "root" and therefore with the highest system privileges.

By compromising a single service, attackers automatically gain full
system access.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Examining running processes:

$> ps
  PID USER       VSZ STAT COMMAND
    1 root      6248 S    {systemd} /sbin/init
    2 root         0 SW   [kthreadd]
    3 root         0 IW   [kworker/0:0]
    5 root         0 IW   [kworker/u2:0]
    6 root         0 IW<  [mm_percpu_wq]
    7 root         0 SW   [ksoftirqd/0]
    8 root         0 RW   [rcu_sched]
    9 root         0 IW   [rcu_bh]
  205 root      3044 S    udevd --daemon
  491 root     23344 S    /usr/lib/systemd/systemd-journald
  505 root      3524 S    /usr/lib/systemd/systemd-udevd
  530 root         0 IW   [kworker/u2:2]
  536 root     11908 S    /usr/sbin/rngd -f -r /dev/hwrng
  537 root     50364 S    /usr/sbin/ModemManager --log-journal
  538 root      2232 S    /usr/sbin/klogd -n
  539 root      2232 S    /usr/sbin/syslogd -n
  542 root      3556 S    /sbin/agetty -o -p -- \u --noclear tty1 linux
  547 root     22972 S    /usr/root/ewon/bin/modem-manager-handler
  549 root     29860 R    /usr/root/ewon/bin/sysDSupervisor
  555 root     21868 S    /usr/root/ewon/bin/sysUpdateManager
  565 root      4760 S    /usr/lib/systemd/systemd-logind
  623 root     52596 S    /usr/root/ewon/bin/ewon
  742 root     14064 S    eveusbd -p
  746 root     11696 S    /usr/sbin/chronyd -4 -n
  790 root      2232 S    udhcpc --script=/usr/root/ewon/bin/bootpdhcp/dhcpc.s
  853 root         0 IW<  [kworker/u3:3]
  926 root         0 RW   [kworker/0:2]
 1209 root         0 IW<  [kworker/0:0H]
 1274 root         0 IW<  [kworker/0:2H]
 1308 root      5004 S    openvpn --auth-nocache --config /var/run/openvpn.con
 1315 root      2496 S    sh
[...]
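The listing above is the whole finding: every userland daemon shares the
"root" identity, so there is no privilege boundary between, say, the VPN
client and the firmware update manager. The following script is an added
example (not part of the SySS advisory and not HMS code) of how a
defender can turn such a busybox-style `ps` capture into an audit result:
it separates kernel threads from userland processes, counts how many of
the latter run as root, and lists the vendor-specific binaries that would
be the natural candidates for dedicated service accounts. The sample
input is a transcription of the PoC listing; the vendor path prefix
`/usr/root/ewon/` is taken from that listing and is an assumption about
where the vendor keeps its own daemons.

```python
"""Audit a busybox-style `ps` listing for userland services running as root."""
import re
from dataclasses import dataclass

# Constructed sample: the process listing from the advisory's PoC section.
# A raw string is used so the "\u" in the agetty command line stays literal.
SAMPLE_PS = r"""
$> ps
  PID USER       VSZ STAT COMMAND
    1 root      6248 S    {systemd} /sbin/init
    2 root         0 SW   [kthreadd]
    3 root         0 IW   [kworker/0:0]
    5 root         0 IW   [kworker/u2:0]
    6 root         0 IW<  [mm_percpu_wq]
    7 root         0 SW   [ksoftirqd/0]
    8 root         0 RW   [rcu_sched]
    9 root         0 IW   [rcu_bh]
  205 root      3044 S    udevd --daemon
  491 root     23344 S    /usr/lib/systemd/systemd-journald
  505 root      3524 S    /usr/lib/systemd/systemd-udevd
  530 root         0 IW   [kworker/u2:2]
  536 root     11908 S    /usr/sbin/rngd -f -r /dev/hwrng
  537 root     50364 S    /usr/sbin/ModemManager --log-journal
  538 root      2232 S    /usr/sbin/klogd -n
  539 root      2232 S    /usr/sbin/syslogd -n
  542 root      3556 S    /sbin/agetty -o -p -- \u --noclear tty1 linux
  547 root     22972 S    /usr/root/ewon/bin/modem-manager-handler
  549 root     29860 R    /usr/root/ewon/bin/sysDSupervisor
  555 root     21868 S    /usr/root/ewon/bin/sysUpdateManager
  565 root      4760 S    /usr/lib/systemd/systemd-logind
  623 root     52596 S    /usr/root/ewon/bin/ewon
  742 root     14064 S    eveusbd -p
  746 root     11696 S    /usr/sbin/chronyd -4 -n
  790 root      2232 S    udhcpc --script=/usr/root/ewon/bin/bootpdhcp/dhcpc.s
  853 root         0 IW<  [kworker/u3:3]
  926 root         0 RW   [kworker/0:2]
 1209 root         0 IW<  [kworker/0:0H]
 1274 root         0 IW<  [kworker/0:2H]
 1308 root      5004 S    openvpn --auth-nocache --config /var/run/openvpn.con
 1315 root      2496 S    sh
[...]
"""

# One busybox `ps` row: PID USER VSZ STAT COMMAND (COMMAND may contain spaces).
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class Proc:
    pid: int
    user: str
    vsz: int
    stat: str
    command: str

    @property
    def is_kernel_thread(self) -> bool:
        # Kernel threads have no user-space memory and are shown in brackets.
        return self.vsz == 0 and self.command.startswith("[") and self.command.endswith("]")

    @property
    def executable(self) -> str:
        # busybox prefixes a renamed process with the binary name in braces,
        # e.g. "{systemd} /sbin/init"; skip that token to get the real path.
        tokens = self.command.split()
        if tokens and tokens[0].startswith("{"):
            tokens = tokens[1:]
        return tokens[0] if tokens else ""


def parse_ps(text: str) -> list[Proc]:
    """Parse busybox-style ps output; header, prompt and '[...]' lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        pid, user, vsz, stat, cmd = m.groups()
        procs.append(Proc(int(pid), user, int(vsz), stat, cmd.strip()))
    return procs


def audit(procs: list[Proc], vendor_prefix: str = "/usr/root/ewon/") -> dict:
    """Summarise which userland processes run as root and which are vendor daemons."""
    userland = [p for p in procs if not p.is_kernel_thread]
    as_root = [p for p in userland if p.user == "root"]
    vendor = [p for p in as_root if p.executable.startswith(vendor_prefix)]
    return {
        "total": len(procs),
        "kernel_threads": len(procs) - len(userland),
        "userland": len(userland),
        "userland_as_root": len(as_root),
        "distinct_users": sorted({p.user for p in userland}),
        "vendor_as_root": [p.executable for p in vendor],
    }


if __name__ == "__main__":
    result = audit(parse_ps(SAMPLE_PS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the advisory's listing the audit reports a single distinct user
("root") for all 19 userland processes; a device that followed CWE-250's
guidance would show several service accounts here, and the same script
run against a later firmware build gives a quick regression check for
whether privilege separation has been introduced.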
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer, no fix is planned for the current device
generation and it is on the roadmap for future generations.[7]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-04: Vulnerability discovered
2024-04-10: Vulnerability reported to manufacturer
2024-04-11: Manufacturer acknowledged the vulnerabilities and asked for
            a publication date for all findings
2024-04-12: Proposed dates for a discussion about publication
2024-04-19: Manufacturer sent a technical overview of the analysis;
            a fix is planned for the next device generation
2024-04-30: CVE ID CVE-2024-33894[4] assigned by the manufacturer
2024-05-31: Manufacturer asked if the blog post[5] can be reviewed by HMS
2024-06-04: Proposed dates to review the blog post draft
2024-07-17: Blog post provided to HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post
2024-07-24: Manufacturer also asked for an appointment to discuss the
            blog post
2024-07-29: Discussion with HMS about the blog post and final
            publication actions
2024-08-11: Vulnerability disclosed at DEF CON[6]
2024-08-11: Blog post published[5]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website
    https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-033.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2024-33894
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33894
[5] Blog post
    https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[6] DEF CON talk
    https://defcon.org/html/defcon-32/dc-32-speakers.html#54521
[7] Manufacturer note
    https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell () syss de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay45EACgkQrgyb+PE0
i1P5LRAAg9gPOXRL6URvnvUSI9Tsrqr/sNXbEm6ZxnBjmOtrSACUqvL/3G1mg31M
2zBXF/P4HnLgZPywO+XTI0F9QmwIhvGvksh/lvlMPt7sI9yk1Xt/UauSWYEEAqbT
5wyq5i9K4ni9ehV0gnoBjwo+10wLpKOWn1sXBQkN93bGDexEJbxnxE/0/+3qjd1X
WkzoZ6MvggSFTNJcF0XkHxjuvjCc8HHmto9TV8YjrzbmMvqPFVcVc/C8E5FkszFg
SRUEfDaQMZgEcvXOeLOp/FkJwLIhp8yeGAseAy7ii5ZElmwELE7maE8/sxeCym9e
f+ahwg0feHDFU1FYvY0s3sx6PJroy1K2wGS+JRXkHCC/Rn+gBkdOK+09u+GCBq3K
+o8WYE92kLOjEYzdrkMh2/XAXVqFaBA7EzX49KLZjlFhwPL/AP2Se3Jne8G1HhNw
jxmLHu1O1yBX28x6Je2COd0iNxIVgtg6skqIePZajMq1Gw9BOrzqO12IT+fr0ecO
KlTs5zGsu1GhkmoGd2MZXuV0znty4UkTw1ozsNudwqftz6y3cwDmNKPSkSgmSr6a
Ygwb0w10XncZruqZhabKLR7byfeLDiyRykQuOe3cYHmHW7X3N9wSqfzp6Bpn7bcx
Qrr1dpzCn4LJRW14C3ZQD/KEjPVIHgZ+ZIkNjHGreG+mHKygTWA=
=U9YV
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/