Security vulnerabilities have been identified in the industrial remote access solution Ewon Cosy+, which could be exploited to gain root privileges on the devices and launch further attacks.
With elevated access, attackers could decrypt encrypted firmware files and data, such as passwords stored in configuration files, and even obtain valid X.509 VPN certificates for other devices, enabling them to hijack VPN sessions.
“This allows attackers to hijack VPN sessions, posing significant security risks to Cosy+ users and the surrounding industrial infrastructure,” said Moritz Abrell, a security researcher at SySS GmbH, in a recent analysis.
The vulnerabilities were disclosed during the DEF CON 32 conference held over the weekend.
The Ewon Cosy+ reaches a vendor-managed platform called Talk2m over an OpenVPN tunnel, and technicians in turn reach the industrial gateway remotely through that OpenVPN relay.
The Germany-based penetration testing company revealed that it discovered an operating system command injection vulnerability and a filter bypass, which allowed them to obtain a reverse shell by uploading a specially crafted OpenVPN configuration file.
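The article does not say which filter SySS bypassed, but the class of weakness it names, a denylist applied to uploaded OpenVPN profiles, is worth seeing next to an allowlist. The Python below is an added example written for this page, not code from SySS, Ewon or the article: it contrasts a naive prefix-match denylist with a validator that normalizes each line the way OpenVPN's own parser does (leading whitespace dropped, the command-line "--directive" spelling also accepted) and admits only a fixed set of client directives. The allowlist and both sample profiles are assumptions constructed for illustration, and the directive sets should be checked against the OpenVPN version actually deployed.

```python
import re

# OpenVPN directives that run external commands, load code, or enable doing so.
# Taken from the OpenVPN manual; review against the deployed version (assumption).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "client-connect", "client-disconnect", "auth-user-pass-verify",
    "learn-address", "plugin", "script-security",
}
# Directives that write to a path of the uploader's choosing.
FILE_WRITE_DIRECTIVES = {"log", "log-append", "status", "writepid", "ifconfig-pool-persist"}
# Illustrative minimum for a plain client profile (assumption; tune per deployment).
CLIENT_ALLOWLIST = {
    "client", "dev", "proto", "remote", "port", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "data-ciphers",
    "auth", "verb", "ca", "cert", "key", "tls-auth", "tls-crypt", "key-direction",
    "compress", "mute", "auth-nocache", "tls-version-min",
}
INLINE_BLOCKS = {"ca", "cert", "key", "tls-auth", "tls-crypt", "dh"}

# Constructed sample profiles (not from the article). The certificate body is a placeholder.
LEGIT_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTIFICATEDATA
-----END CERTIFICATE-----
</ca>
verb 3
"""
HOSTILE_PROFILE = LEGIT_PROFILE + """\
  up /tmp/uploader-controlled-script.sh
--script-security 2
log /var/tmp/any-path-the-uploader-likes
"""


def naive_filter(config_text: str) -> bool:
    """Weak denylist: matches 'directive ' only at column 0. True means the upload is accepted."""
    for line in config_text.splitlines():
        for directive in SCRIPT_DIRECTIVES:
            if line.startswith(directive + " "):
                return False
    return True


def normalize_directive(line: str):
    """Directive name as OpenVPN would read it: whitespace trimmed, '--' prefix dropped.

    Returns None for blank and comment lines.
    """
    parts = line.strip().split()
    if not parts or parts[0][0] in "#;":
        return None
    name = parts[0]
    if name.startswith("--"):
        name = name[2:]
    return name


def validate_client_config(config_text: str) -> list:
    """Allowlist validator. Returns (line_no, reason) findings; an empty list means accept."""
    findings = []
    in_block = None
    for line_no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if in_block:
            # Inside <ca>...</ca> etc.: PEM data, not directives.
            if stripped == f"</{in_block}>":
                in_block = None
            continue
        block = re.fullmatch(r"<([a-z-]+)>", stripped)
        if block:
            if block.group(1) in INLINE_BLOCKS:
                in_block = block.group(1)
            else:
                findings.append((line_no, f"unknown inline block <{block.group(1)}>"))
            continue
        directive = normalize_directive(line)
        if directive is None:
            continue
        if directive in SCRIPT_DIRECTIVES:
            findings.append((line_no, f"'{directive}' executes commands, loads code or enables scripts"))
        elif directive in FILE_WRITE_DIRECTIVES:
            findings.append((line_no, f"'{directive}' writes to a path of the uploader's choosing"))
        elif directive not in CLIENT_ALLOWLIST:
            findings.append((line_no, f"'{directive}' not in client allowlist"))
    if in_block:
        findings.append((0, f"unterminated <{in_block}> block"))
    return findings
```

The naive filter accepts the hostile profile outright: the indented "up" line and the "--script-security" spelling never match at column 0, and "log" is not in its denylist at all. The allowlist validator flags all three and, because it only knows client directives, also rejects anything new that a future OpenVPN release might add.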
An attacker could then combine a persistent cross-site scripting (XSS) vulnerability with the fact that the device stores the current web session's credentials, merely Base64-encoded, in an unprotected cookie named "credentials": script injected through the XSS can read that cookie, and decoding it yields the credentials needed for administrative access and, ultimately, root access.
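As an added example (not code from the article, SySS or the vendor), the Python below shows why such a cookie is dangerous and what the fix looks like: the first function recovers credentials from a Set-Cookie header of the kind described, the second audits the cookie's flags, and the third issues an opaque server-side session identifier instead. The cookie value and its user:password layout are constructed for illustration; the article says only that the cookie holds the session's credentials Base64-encoded.

```python
import base64
import binascii
import secrets
from http.cookies import SimpleCookie

# Constructed Set-Cookie header of the kind the article describes: a cookie named
# "credentials" carrying Base64-encoded login data and no HttpOnly/Secure flags.
# The "user:password" layout inside the value is an assumption for illustration.
WEAK_SET_COOKIE = "credentials=YWRtaW46cGFzc3dvcmQxMjM=; Path=/"


def decode_credentials_cookie(set_cookie_header: str, name: str = "credentials"):
    """Recover (username, password) from a Base64 credential cookie, or None.

    Base64 is an encoding, not encryption, so this is all an attacker who can
    read the cookie (e.g. from script injected via XSS) needs to do.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return None
    try:
        raw = base64.b64decode(morsel.value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def cookie_findings(set_cookie_header: str, name: str) -> list:
    """Audit one cookie for cleartext credentials and missing protective flags."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return [f"cookie {name!r} not present"]
    findings = []
    if decode_credentials_cookie(set_cookie_header, name) is not None:
        findings.append("value decodes to cleartext credentials")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: readable by script injected via XSS")
    if not morsel["secure"]:
        findings.append("missing Secure: sent over plain HTTP")
    if not morsel["samesite"]:
        findings.append("missing SameSite")
    return findings


def hardened_session_cookie(session_store: dict, username: str) -> str:
    """Issue an opaque random session id; the credentials never leave the server."""
    sid = secrets.token_urlsafe(32)
    session_store[sid] = username  # server-side lookup replaces credentials-in-cookie
    jar = SimpleCookie()
    jar["session"] = sid
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Strict"
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()
```

Running cookie_findings against a live device's login response is a quick way to confirm whether a web session is exposed to exactly this kind of XSS-to-admin chain; the hardened cookie passes the same audit with no findings.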
“An unauthenticated attacker could achieve root access to the Cosy+ by combining these vulnerabilities, for instance, by waiting for an admin user to log in to the device,” Abrell explained.
The attack chain could be further extended to establish persistence, access firmware-specific encryption keys, and decrypt the firmware update file. Additionally, a hard-coded key within the binary for password encryption could be used to extract sensitive information.
“The communication between the Cosy+ and the Talk2m API is secured via HTTPS and mutual TLS (mTLS) authentication,” Abrell noted. “When a Cosy+ device is linked to a Talk2m account, it generates a certificate signing request (CSR) containing its serial number as the common name (CN) and sends it to the Talk2m API.”
That certificate, which is then retrievable through the Talk2m API, is what the device uses to authenticate its OpenVPN session. SySS found, however, that the API identifies a device solely by the serial number in the CSR, so a threat actor can submit their own CSR carrying a target device's serial number, receive a valid certificate for it, and bring up a VPN session in the target's place.
“The original VPN session will be overwritten, rendering the original device inaccessible,” Abrell added. “If Talk2m users connect to the device using the VPN client software Ecatcher, they will be redirected to the attacker.”
“This enables attackers to launch further attacks against the connected client, such as accessing network services like RDP or SMB. The lack of restrictions on the tunnel connection facilitates this attack.”
“Since the network communication is redirected to the attacker, the original network and systems could be mimicked to intercept the victim’s input, such as uploaded PLC programs or similar data.”
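The enrollment weakness described above comes down to identity being a self-asserted common name. The Python below is an added illustration, not Talk2m's or SySS's code, and models a CSR as a (common name, public key) pair rather than real X.509: a CA that keys issuance on the CN alone lets a second enrollment with the target's serial number displace the original device, which is the overwrite the passage describes, while a CA that binds the serial to a one-time enrollment token and thereafter to the first-enrolled key rejects the impostor. The serial, key bytes and token scheme are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Csr:
    """Stand-in for a certificate signing request (constructed; not real X.509).

    The Cosy+ puts its serial number in the CN, so the CN is the claimed identity.
    """
    common_name: str
    public_key: bytes  # key material the requester generated and controls

    def key_fingerprint(self) -> str:
        return hashlib.sha256(self.public_key).hexdigest()


@dataclass
class WeakCa:
    """Issues a certificate to any CSR; the CN is trusted exactly as presented.

    A second CSR with the same serial number gets a valid certificate and the
    record for the real device is silently overwritten.
    """
    current_key: dict = field(default_factory=dict)  # serial -> fingerprint of last cert issued

    def enroll(self, csr: Csr) -> str:
        fp = csr.key_fingerprint()
        self.current_key[csr.common_name] = fp  # replaces whatever was there
        return fp


@dataclass
class BoundCa:
    """Ties each serial to a one-time enrollment token and then to exactly one key."""
    pending_tokens: dict = field(default_factory=dict)  # serial -> token from device claim
    bound_key: dict = field(default_factory=dict)       # serial -> fingerprint

    def register_device(self, serial: str) -> str:
        """Called when an account claims a device; the token is delivered only to that device."""
        token = secrets.token_hex(16)
        self.pending_tokens[serial] = token
        return token

    def enroll(self, csr: Csr, token: str) -> str:
        serial = csr.common_name
        fp = csr.key_fingerprint()
        if serial in self.bound_key:
            # Already enrolled: only the originally bound key may renew its certificate.
            if not secrets.compare_digest(self.bound_key[serial], fp):
                raise PermissionError(f"serial {serial} is bound to a different key")
            return fp
        expected = self.pending_tokens.get(serial)
        if expected is None or not secrets.compare_digest(expected, token):
            raise PermissionError(f"no valid enrollment token for serial {serial}")
        del self.pending_tokens[serial]  # single use
        self.bound_key[serial] = fp
        return fp


def demo() -> dict:
    """Run both CAs against a legitimate device and an impostor using the same serial."""
    serial = "0000-0000-00"  # constructed placeholder serial
    device = Csr(serial, b"device-key-material")      # constructed key bytes
    impostor = Csr(serial, b"attacker-key-material")  # constructed key bytes

    weak = WeakCa()
    weak.enroll(device)
    weak.enroll(impostor)  # accepted: the device's record now points at the impostor's key

    bound = BoundCa()
    token = bound.register_device(serial)
    bound.enroll(device, token)
    try:
        bound.enroll(impostor, token)  # token already consumed and key differs
        impostor_rejected = False
    except PermissionError:
        impostor_rejected = True
    return {
        "weak_record_is_impostor": weak.current_key[serial] == impostor.key_fingerprint(),
        "bound_record_is_device": bound.bound_key[serial] == device.key_fingerprint(),
        "impostor_rejected": impostor_rejected,
    }
```

The design point is that the serial number is fine as a name but useless as proof of identity; the proof has to be something the genuine device alone holds, here a claim-time token and afterwards its own key, and the relay should refuse a certificate whose CN is already bound to a different key rather than letting the newer session win.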
This development coincides with Microsoft’s discovery of multiple vulnerabilities in OpenVPN that could be chained together to achieve remote code execution (RCE) and local privilege escalation (LPE).