Recently, severe security flaws were identified in the Ewon Cosy+ industrial remote access devices, which could allow attackers to gain complete control over the systems. This vulnerability presents a serious risk, as it could lead to unauthorised access, allowing attackers to decrypt sensitive data, steal credentials, and hijack VPN sessions to launch further attacks on industrial networks.
Root Access Exploits and VPN Session Hijacking
Security researcher Moritz Abrell from SySS GmbH brought these critical vulnerabilities to light during a presentation at DEF CON 32. The identified flaws could enable attackers to achieve root-level access on Ewon Cosy+ devices, providing them with the ability to decrypt protected firmware and data, such as passwords stored in configuration files. More alarmingly, attackers could obtain valid VPN certificates, enabling them to take over VPN sessions, thereby compromising the security of both the devices and the connected industrial networks.
Ewon, in response to these findings, issued a security update on July 29, 2024, which addresses these vulnerabilities in the latest firmware versions. The update tackles several issues, including data leaks through cookies, cross-site scripting (XSS) vulnerabilities, and improper encryption practices. Notably, the update fixes critical issues such as the ability to execute processes with elevated privileges and vulnerabilities that could allow attackers to inject malicious code.
How the Vulnerabilities Were Exploited
The Ewon Cosy+ system relies on a VPN connection that is managed through a platform called Talk2m, which uses OpenVPN for secure communication. Researchers found that it was possible to exploit a command injection vulnerability within the system, allowing unauthorised access to the device. Additionally, a persistent XSS vulnerability was discovered, which could be used to gain administrative control.
One particularly troubling vulnerability involved the storage of session credentials in an unprotected cookie, encoded in Base64. This flaw allows an attacker to gain root access by simply waiting for an administrator to log in to the device. With root access, attackers can install persistent threats, extract encryption keys, and decrypt sensitive firmware files. The presence of a hard-coded encryption key within the system further heightens the risk, as it can be used to extract even more sensitive data.
Risk of VPN Session Takeover
Among the concerning risks associated with these vulnerabilities is the possibility of VPN session hijacking. The Ewon Cosy+ devices communicate with the Talk2m platform via HTTPS, using mutual TLS (mTLS) for authentication. However, the system's reliance on the device's serial number for generating Certificate Signing Requests (CSR) poses a security flaw. An attacker could exploit this weakness by creating a CSR with a serial number matching the target device, thereby hijacking the VPN session and rendering the original device inaccessible.
Once the VPN session is taken over, the attacker can reroute the connection to their infrastructure, potentially intercepting critical data, such as programmable logic controller (PLC) programs, which are essential to the operation of industrial systems.
This is a reminder of the challenges faced in securing industrial remote access solutions. The potential for attackers to gain root access and hijack VPN sessions could have devastating consequences, not only for the individual devices but also for the wider industrial networks they are connected to.
Organisations using Ewon Cosy+ devices are strongly urged to apply the recommended firmware updates immediately and review their security protocols to minimise the risk of exploitation. Regular updates and stringent security practices are essential to protecting industrial systems from the developing threat of cyberattacks.
As attackers continue to exploit weaknesses in remote access tools, it is critical for companies to remain proactive in securing their systems. By addressing these vulnerabilities promptly and ensuring their systems are up to date, organisations can protect their infrastructure from the risks posed by these security flaws.
