Recent security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+. The flaws could allow unauthorized access with root privileges on the devices, opening them up to follow-on attacks.
Attackers could use this access to decrypt encrypted firmware files, passwords in configuration files, and even acquire correctly signed X.509 VPN certificates from foreign devices to compromise their VPN sessions.
In a new analysis, security researcher Moritz Abrell from SySS GmbH highlighted the significant risks posed by such attacks on users of Cosy+ and the surrounding industrial infrastructure.
The findings were presented at the DEF CON 32 conference over the weekend.
In the Ewon Cosy+ architecture, the gateway establishes an OpenVPN connection to a vendor-managed platform called Talk2m; technicians then reach the industrial gateway remotely through this VPN relay, also over OpenVPN.
The German pentest company discovered an operating system command injection vulnerability and a filter bypass that allowed a reverse shell to be obtained by uploading a specially crafted OpenVPN configuration.
By exploiting a persistent cross-site scripting (XSS) vulnerability and the storage of Base64-encoded credentials in an unprotected cookie, attackers could gain administrative access and ultimately root access.
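As an added illustration (not code from the article, from SySS or from the vendor), the following Python contrasts the weak cookie pattern just described, credentials stored Base64-encoded in a cookie without protective flags, with a server-side session design that keeps credentials off the client. The cookie names, usernames and session store are constructed for the example.

```python
import base64
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

# --- Weak pattern (constructed illustration): credentials live in the cookie itself ---

def weak_cookie_value(username: str, password: str) -> str:
    # Base64 is an encoding, not encryption: it hides nothing from anyone who can
    # read the cookie, e.g. page script injected through a stored XSS flaw.
    return base64.b64encode(f"{username}:{password}".encode()).decode()

def credentials_from_weak_cookie(value: str) -> tuple:
    # One decode recovers the plaintext pair; no key or secret is involved.
    user, password = base64.b64decode(value).decode().split(":", 1)
    return user, password

# --- Hardened pattern: browser holds only an opaque session id, with protective flags ---

class SessionStore:
    """Server-side session state keyed by a random id; credentials never leave the server."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = username
        return sid

    def user_for(self, sid: Optional[str]) -> Optional[str]:
        return self._sessions.get(sid) if sid else None

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)

def hardened_set_cookie(sid: str) -> str:
    """Build the Set-Cookie value for the session id with the flags that limit its exposure."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    morsel = cookie["session"]
    morsel["httponly"] = True       # not readable via document.cookie, so XSS cannot lift it
    morsel["secure"] = True         # only sent over HTTPS
    morsel["samesite"] = "Strict"   # not attached to cross-site requests
    morsel["path"] = "/"
    return morsel.OutputString()

def user_from_cookie_header(cookie_header: str, store: SessionStore) -> Optional[str]:
    """Resolve an incoming Cookie header to a user via the server-side store."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    return store.user_for(morsel.value) if morsel else None

if __name__ == "__main__":
    weak = weak_cookie_value("admin", "example-password")
    print("weak cookie:", weak, "->", credentials_from_weak_cookie(weak))
    store = SessionStore()
    sid = store.create("admin")
    print("hardened Set-Cookie:", hardened_set_cookie(sid))
    print("resolved user:", user_from_cookie_header(f"session={sid}", store))
```

The point of the hardened half is that a stored XSS payload gains nothing from the cookie: `HttpOnly` keeps it out of script reach, and even a leaked session id carries no password and can be invalidated server-side with `destroy()`.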
According to Abrell, an unauthenticated attacker could potentially gain root access to Cosy+ by exploiting these vulnerabilities, posing a serious security threat.
The attack chain could be extended to establish persistence, access encryption keys, decrypt firmware updates, and decrypt stored password information using a hardcoded password-encryption key found within the binary.
Abrell explained that the communication between Cosy+ and the Talk2m API occurs through HTTPS, secured via mutual TLS (mTLS) authentication. However, SySS discovered that reliance solely on the device serial number for OpenVPN authentication could be exploited by threat actors to enroll their own certificate and initiate a VPN session on a target device, potentially taking over the original VPN session.
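As an added example (not code from the article, from SySS or from the vendor), here is a Python sketch of the difference between authorizing a certificate-enrollment request by a client-supplied serial number alone and binding it to the identity in the mTLS client certificate. The enrollment endpoint, the CA name and the serials are assumptions; the peer-certificate dict mirrors the shape returned by the standard library's `ssl.SSLSocket.getpeercert()`.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed name of the CA that issues per-device client certificates (not from the article).
DEVICE_CA_CN = "Example Device Manufacturing CA"

def cert_field(peercert: dict, wanted: str, part: str = "subject") -> Optional[str]:
    """Read one attribute (e.g. commonName) from the nested RDN tuples that
    ssl.SSLSocket.getpeercert() returns under 'subject' and 'issuer'."""
    for rdn in peercert.get(part, ()):
        for key, value in rdn:
            if key == wanted:
                return value
    return None

def constructed_peercert(device_cn: str, issuer_cn: str = DEVICE_CA_CN) -> dict:
    """Constructed stand-in for getpeercert() output after a successful mTLS handshake."""
    return {
        "subject": ((("commonName", device_cn),),),
        "issuer": ((("commonName", issuer_cn),),),
    }

@dataclass
class VpnCertEnrollment:
    """Hypothetical enrollment endpoint handing out VPN certificates keyed by device serial."""
    issued: Dict[str, str] = field(default_factory=dict)   # serial -> certificate id
    audit: List[tuple] = field(default_factory=list)

    def enroll_weak(self, request: dict) -> str:
        # Weak: the serial in the request body is the only link to a device, so any
        # caller that passed the channel authentication can obtain a certificate for
        # whatever serial it names.
        serial = request["serial"]
        self.issued[serial] = f"cert-{serial}-{secrets.token_hex(4)}"
        return self.issued[serial]

    def enroll_hardened(self, peercert: dict, request: dict) -> str:
        # Hardened: identity is taken from the mTLS-authenticated client certificate,
        # and the request may only name the serial that certificate was issued to.
        if cert_field(peercert, "commonName", part="issuer") != DEVICE_CA_CN:
            self.audit.append(("wrong issuer", request.get("serial")))
            raise PermissionError("client certificate was not issued by the device CA")
        authenticated = cert_field(peercert, "commonName")
        if authenticated is None or authenticated != request.get("serial"):
            self.audit.append(("serial mismatch", authenticated, request.get("serial")))
            raise PermissionError("requested serial does not match the authenticated device")
        if authenticated in self.issued:
            # A second live certificate for one serial is what would let another party
            # start a VPN session as that device; refuse until the old one is revoked.
            self.audit.append(("re-enrollment refused", authenticated))
            raise PermissionError("serial already enrolled; revoke the existing certificate first")
        cert_id = f"cert-{authenticated}-{secrets.token_hex(4)}"
        self.issued[authenticated] = cert_id
        return cert_id

def rejects(fn, *args) -> bool:
    """True if the enrollment call is refused with PermissionError (used by the demo below)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    endpoint = VpnCertEnrollment()
    print("own serial:", endpoint.enroll_hardened(constructed_peercert("DEV-0001"), {"serial": "DEV-0001"}))
    print("foreign serial refused:", rejects(endpoint.enroll_hardened,
                                             constructed_peercert("DEV-0002"), {"serial": "DEV-0001"}))
    print("duplicate refused:", rejects(endpoint.enroll_hardened,
                                        constructed_peercert("DEV-0001"), {"serial": "DEV-0001"}))
    print("audit trail:", endpoint.audit)
```

The audit list is what a defender would forward to monitoring: a serial mismatch or a refused re-enrollment for a device that already holds a certificate is exactly the event worth alerting on in a fleet where one serial should map to one live VPN identity.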

Abrell warned that such an attack could redirect Talk2m users to an attacker-controlled endpoint, enabling further exploitation of network services and interception of user input, posing a severe risk to the integrity of the network and systems.
The discovery of these vulnerabilities in Ewon Cosy+ coincides with Microsoft’s identification of multiple flaws in OpenVPN that could lead to remote code execution (RCE) and local privilege escalation (LPE).