From: Jeffrey Walton <noloader () gmail com>
Date: Sun, 18 Aug 2024 03:10:41 -0400
On Sun, Aug 18, 2024 at 2:39 AM Moritz Abrell via Fulldisclosure
<fulldisclosure () seclists org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> Advisory ID: SYSS-2024-043
> Product: Ewon Cosy+ / Talk2M Remote Access Solution
> Manufacturer: HMS Industrial Networks AB
> Affected Version(s): N.A.
> Tested Version(s): N.A.
> Vulnerability Type: Improper Authentication (CWE-287)
> Risk Level: High
> Solution Status: Fixed
> Manufacturer Notification: 2024-04-17
> Solution Date: 2024-04-18
> Public Disclosure: 2024-08-11
> CVE Reference: CVE-2024-33897
> Author of Advisory: Moritz Abrell, SySS GmbH
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Overview:
> The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
> in industrial environments.
> The manufacturer describes the product as follows (see [1]):
> "The Ewon Cosy+ gateway establishes a secure VPN connection between
> the machine (PLC, HMI, or other devices) and the remote engineer.
> The connection happens through Talk2m, a highly secured industrial
> cloud service. The Ewon Cosy+ makes industrial remote access easy
> and secure like never before!"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Vulnerability Details:
> During account assignment in the Talk2M platform, a Cosy+ device
> generates and sends a certificate signing request (CSR) to the back end.
> This CSR is then signed by the manufacturer and used for OpenVPN
> authentication by the device afterward.
> Since the common name (CN) of the certificate is specified by the device
> and used in order to assign the OpenVPN session to the corresponding
> Talk2M account, an attacker with root access to a Cosy+ device is able
> to manipulate the CSR and get correctly signed certificates for foreign
> devices.
> Using these certificates for OpenVPN authentication results in hijacking
> the VPN session and allows for further attacks, e.g.:
> - Impacting the accessibility of the original device
> - Attacking the Talk2M-connected user device via the VPN connection
> - Eavesdropping and manipulating the network communication of connected
> users
I believe the problem lies elsewhere. The root cause is an
architectural or design problem.
Ewon Cosy+ should probably be using a protocol like Simple Certificate
Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST),
and not rolling their own scheme. Also see discussions like
<https://mailarchive.ietf.org/arch/msg/pkix/X94XpFJA5sKKkLTVkOYXL_dv8t4/>
and <>.
Jeff
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/