Full Disclosure mailing list archives

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-017
Product:                   Ewon Cosy+
Manufacturer:              HMS Industrial Networks AB
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3
Tested Version(s):         Firmware Version: 21.2s7
Vulnerability Type:        Cleartext Storage of Sensitive Information in a Cookie (CWE-315)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2024-03-27
Solution Date:             2024-07-18
Public Disclosure:         2024-08-11
CVE Reference:             CVE-2024-33892
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between
the machine (PLC, HMI, or other devices) and the remote engineer.
The connection happens through Talk2m, a highly secured industrial
cloud service. The Ewon Cosy+ makes industrial remote access easy
and secure like never before!"

Due to cleartext storage of the password in a cookie, an attacker with
appropriate access is able to retrieve the plaintext administrative
password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The credentials used for the basic authentication against the web
interface of Cosy+ are stored in the cookie "credentials" after a
successful login.

An attacker with access to a victim's browser is able to retrieve the
administrative password of Cosy+.

In addition, the cookie is not secured (no HttpOnly, Secure or
SameSite attribute is set). Thus, the credentials could also be extracted
in combination with cross-site scripting (XSS) vulnerabilities.

Note: During the responsible disclosure process, SySS GmbH became aware of
CVE-2015-7928[8], which describes an issue with password autocomplete
in Ewon devices. Since this function contains the problematic cookie,
this CVE may already describe the insecure cookie. SySS GmbH would therefore
like to credit the reporter of CVE-2015-7928, Karn Ganeshen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. "credentials" cookie value: YWRtOlN1cDNyUzNjcjN0IyM=

2. Decoded credentials:
    #> echo -n "YWRtOlN1cDNyUzNjcjN0IyM=" | base64 -d
        adm:Sup3rS3cr3t##

Bonus: accessing the cookie from JavaScript code:
<script>alert("Credentials can be access via JavaScript" + document.cookie)</script>


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered
2024-03-27: Vulnerability reported to manufacturer
2024-04-02: Inquiry about the status
2024-04-05: Manufacturer acknowlegded the vulnerability and started the
            analysis
2024-04-10: Two more vulnerabilities reported to the manufacturer
            (SYSS-2024-032 and SYSS-2024-033)
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for
            a publication date for all findings
2024-04-12: Proposed dates for a discussion about publication
2024-04-15: Manufacturer sent a technical overview of planned remediation
            actions and details about the planned timeline
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer
            to assign a CVE ID
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer
2024-05-31: Manufacturer informed that the fix is in completion stage and
            asked if the blog post[6] can be reviewed by HMS
2024-06-04: Proposed dates to review the blog post draft
2024-06-21: Inquiry about the status
2024-06-21: Received an out-of-office auto reply
2024-07-01: Inquiry about the status
2024-07-04: Inquiry about the status
2024-07-12: Inquiry about the status and letting the manufacturer know that
            the vulnerability will be published within a talk at DEF CON[7]
            in August
2024-07-12: Manufacturer responded that the fix is planned by the end of
            July; manufacturer asked again for reviewing the blog post
            draft
2024-07-12: Again confirmed reviewing the blog post is possible and asking
            for the sending of details
2024-07-17: Blog post provided to HMS
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post and confirmed that a
            fix is provided
2024-07-29: Discussion with HMS about the blog post and final publication
            actions
2024-08-11: Vulnerability disclosed at DEF CON[7]
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website
    https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-017
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-017.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
    
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf
[5] CVE-2024-33892
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33892
[6] Blog post
    https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[7] DEF CON talk
    https://defcon.org/html/defcon-32/dc-32-speakers.html#54521
[8] CVE-2015-7928
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7928

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell () syss de
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL:http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4zQACgkQrgyb+PE0
i1Oq5hAApN8Ekc20CgEg5KyIFK18sKBPzSA/SeZcSdUOkv8N05riytWxbVFuLBpS
LhHH9spxUjn6Sr36JDp5dISCj9rtajrNE/adIiNC9LUhBRIr2h1ogFfh5zKK8N9D
m4CXknQ3b2QQctkuhywyKSKjvNnvxj+k6nDIFlTzXdl3e9cEpisaAFr8zt9/jb7d
ZBt8HHrEvJRCa5eBK40r0t42xFiWILh98enmLVCM2VOUnaAxz6JXLTunRSXqC6WH
SzEOR/G32z+NxNCphPuswlIqfnhoaOFQ7oP2miuGglDdm5yWQX6E+xtp5HUelmkS
DyZ6nUPOmr67lOgOUIhtIQp4zRYNiQAvDv70x9k/RCv+VDG4B5qEffFIbq6JgSCW
Q+5iQXfDEJwuj0ePIe/wO+svn7C7LOSfvRfjw39GF0gTeKhPi8cNj5S+Jpl3M6pP
XWEHcHzhVze9t5CLFgkh4GtmqH4OvWvFxn8d3x5h21eljloobUNZXAWlUYJdb6Ae
gNhWD3IKQJyPo/4cyDC5iZS6QtivjyiQUb6aU6vqKWcR7tlnr7jferG00Q3Sz8R2
ddC8Vw78j2GvzyCibNhSoKGfjQAOhYgfsH8ktRDQ/zDYguT4cHA++V16MbfXwIv0
y3mQqModAAlpqYGVf4783H24kuyP19KewZuj5dSsMTyShIcTkCU=
=LXSO
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

• Cleartext Storage of Sensitive Information in a Cookie (CWE-315) CVE-2024-33892 Moritz Abrell via Fulldisclosure (Aug 17)