Security
Headlines
HeadlinesLatestCVEs

Headline

Ewon Cosy+ Excessive Access

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The Ewon Cosy+ executes all tasks and services in the context of the user “root” and therefore with the highest system privileges. By compromising a single service, attackers automatically gain full system access.

Packet Storm
#vulnerability#web#mac#windows#linux#pdf#auth

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-033
Product: Ewon Cosy+
Manufacturer: HMS Industrial Networks AB
Affected Version(s): Firmware Versions: all versions
Tested Version(s): Firmware Version: 21.2s7
Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2024-04-10
Solution Date: Not yet fixed
Public Disclosure: 2024-08-11
CVE Reference: CVE-2024-33894
Author of Advisory: Moritz Abrell, SySS GmbH


Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Vulnerability Details:

The Ewon Cosy+ executes all tasks and services in the context
of the user “root” and therefore with the highest system privileges.

By compromising a single service, attackers automatically gain full
system access.


Proof of Concept (PoC):

Examining running processes:  
$> ps  
   PID USER       VSZ STAT COMMAND  
     1 root      6248 S    {systemd} /sbin/init  
     2 root         0 SW   [kthreadd]  
     3 root         0 IW   [kworker/0:0]  
     5 root         0 IW   [kworker/u2:0]  
     6 root         0 IW<  [mm_percpu_wq]  
     7 root         0 SW   [ksoftirqd/0]  
     8 root         0 RW   [rcu_sched]  
     9 root         0 IW   [rcu_bh]  
   205 root      3044 S    udevd --daemon  
   491 root     23344 S    /usr/lib/systemd/systemd-journald  
   505 root      3524 S    /usr/lib/systemd/systemd-udevd  
   530 root         0 IW   [kworker/u2:2]  
   536 root     11908 S    /usr/sbin/rngd -f -r /dev/hwrng  
   537 root     50364 S    /usr/sbin/ModemManager --log-journal  
   538 root      2232 S    /usr/sbin/klogd -n  
   539 root      2232 S    /usr/sbin/syslogd -n  
   542 root      3556 S    /sbin/agetty -o -p -- \u --noclear tty1 linux  
   547 root     22972 S    /usr/root/ewon/bin/modem-manager-handler  
   549 root     29860 R    /usr/root/ewon/bin/sysDSupervisor  
   555 root     21868 S    /usr/root/ewon/bin/sysUpdateManager  
   565 root      4760 S    /usr/lib/systemd/systemd-logind  
   623 root     52596 S    /usr/root/ewon/bin/ewon  
   742 root     14064 S    eveusbd -p  
   746 root     11696 S    /usr/sbin/chronyd -4 -n  
   790 root      2232 S    udhcpc --script=/usr/root/ewon/bin/bootpdhcp/dhcpc.s  
   853 root         0 IW<  [kworker/u3:3]  
   926 root         0 RW   [kworker/0:2]  
  1209 root         0 IW<  [kworker/0:0H]  
  1274 root         0 IW<  [kworker/0:2H]  
  1308 root      5004 S    openvpn --auth-nocache --config /var/run/openvpn.con  
  1315 root      2496 S    sh

     [...]

Solution:

According to the manufacturer, no fix is planned for the current device
generation and it is on the roadmap for future generations.[7]


Disclosure Timeline:

2024-04-04: Vulnerability discovered  
2024-04-10: Vulnerability reported to manufacturer  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-19: Manufacturer sent a technical overview of the analysis;  
             a fix is planned for the next device generation  
2024-04-30: CVE ID CVE-2024-33894[4] assigned by the manufacturer  
2024-05-31: Manufacturer asked if the blog post[5] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-07-17: Blog post provided to HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post  
2024-07-24: Manufacturer also asked for an appointment to discuss the blog  
             post  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[6]  
2024-08-11: Blog post published[5]

References:

[1] Ewon Cosy+ product website
https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-033
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-033.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2024-33894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33894
[5] Blog post
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[6] DEF CON talk
https://defcon.org/html/defcon-32/dc-32-speakers.html#54521
[7] Manufacturer note
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001–ewon-several-cosy–vulnerabilities.pdf


Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:[email protected]  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

Disclaimer:

The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.


Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay45EACgkQrgyb+PE0  
i1P5LRAAg9gPOXRL6URvnvUSI9Tsrqr/sNXbEm6ZxnBjmOtrSACUqvL/3G1mg31M  
2zBXF/P4HnLgZPywO+XTI0F9QmwIhvGvksh/lvlMPt7sI9yk1Xt/UauSWYEEAqbT  
5wyq5i9K4ni9ehV0gnoBjwo+10wLpKOWn1sXBQkN93bGDexEJbxnxE/0/+3qjd1X  
WkzoZ6MvggSFTNJcF0XkHxjuvjCc8HHmto9TV8YjrzbmMvqPFVcVc/C8E5FkszFg  
SRUEfDaQMZgEcvXOeLOp/FkJwLIhp8yeGAseAy7ii5ZElmwELE7maE8/sxeCym9e  
f+ahwg0feHDFU1FYvY0s3sx6PJroy1K2wGS+JRXkHCC/Rn+gBkdOK+09u+GCBq3K  
+o8WYE92kLOjEYzdrkMh2/XAXVqFaBA7EzX49KLZjlFhwPL/AP2Se3Jne8G1HhNw  
jxmLHu1O1yBX28x6Je2COd0iNxIVgtg6skqIePZajMq1Gw9BOrzqO12IT+fr0ecO  
KlTs5zGsu1GhkmoGd2MZXuV0znty4UkTw1ozsNudwqftz6y3cwDmNKPSkSgmSr6a  
Ygwb0w10XncZruqZhabKLR7byfeLDiyRykQuOe3cYHmHW7X3N9wSqfzp6Bpn7bcx  
Qrr1dpzCn4LJRW14C3ZQD/KEjPVIHgZ+ZIkNjHGreG+mHKygTWA=  
=U9YV  
-----END PGP SIGNATURE-----

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution