Security researchers have uncovered severe vulnerabilities in the Ewon Cosy+, a widely used industrial remote access gateway, allowing them to gain root access and compromise the device’s security. The findings, presented at DEF CON 32, highlight significant risks to industrial infrastructure and remote access systems.
The Ewon Cosy+, developed by HMS Networks, is designed to provide secure remote access to industrial systems through VPN connections. However, researchers from SySS GmbH discovered multiple critical flaws that undermine its security promises.
Key vulnerabilities identified include:
- OS Command Injection (CVE-2024-33896): Researchers found a way to bypass filters in user-provided OpenVPN configurations, allowing arbitrary command execution.
- Insecure Permissions (CVE-2024-33894): affects devices running firmware 21.x earlier than 21.2s10 or 22.x earlier than 22.1s3, the same ranges addressed by the vendor’s updates listed below.
- Certificate Request Vulnerability (CVE-2024-33897): A compromised Cosy+ device could be used to request certificates for unauthorized devices, potentially leading to VPN session hijacking.
The exploit chain for gaining root access to the Ewon Cosy+ centred on the OS command injection vulnerability (CVE-2024-33896). The device lets users upload their own OpenVPN configuration and filters out dangerous directives, but the researchers found that the filter could be bypassed by prefixing a directive with two dashes (--): OpenVPN’s configuration parser accepts both “up” and “--up”, while the filter only recognised the undashed spelling.
They then crafted a malicious OpenVPN configuration file containing “script-security 2”, which permits OpenVPN to run user-defined scripts, together with an “--up” directive pointing at a command of their choosing, and uploaded it to the Cosy+ device.
When the VPN connection was established, OpenVPN ran the “up” hook as root and executed the specified command (in this case “id”), confirming command execution as root and giving the researchers full control of the device.
With this elevated privilege, the researchers were able to examine the device further, which surfaced the additional issues described below.
This chain of exploitation demonstrated how a seemingly simple configuration file upload feature, combined with insufficient input validation, could lead to complete compromise of the industrial remote access gateway.
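The filter bypass above is easiest to understand with a small reconstruction. The code below is an added example written for this article, not the Cosy+ firmware’s code; the denylist of directives and the sample configurations are constructed for illustration, since the page does not publish the real filter. It contrasts a naive denylist that compares the raw first token of each line (bypassed by “--up”, and by a quoted “"up"”) with a hardened version that canonicalises the directive name the way OpenVPN’s own parser reads it and fails closed on anything it cannot parse.

```python
"""Why prefixing a directive with two dashes bypasses a naive OpenVPN config
filter. Hypothetical filter written for this example; it is not the Cosy+
firmware's code, and the real product's directive list is not published."""

import re
import shlex
from typing import Optional

# Directives that make OpenVPN run an external program, or relax the guard
# around doing so. Constructed for this example.
SCRIPT_DIRECTIVES = frozenset({
    "up", "down", "route-up", "route-pre-down", "ipchange", "client-connect",
    "client-disconnect", "learn-address", "auth-user-pass-verify", "tls-verify",
    "script-security",   # must be >= 2 for the hooks above to run at all
    "plugin",            # loads a shared object into the daemon
    "config",            # pulls in another file of directives
})


def vulnerable_filter(config_text: str) -> bool:
    """Accept the upload unless a line's first token is exactly a blocked
    directive. OpenVPN also accepts the spelling "--up", which is a different
    string, so the dashed form slips through (the bug class in the article)."""
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in SCRIPT_DIRECTIVES:
            return False
    return True


def canonical_directive(line: str) -> Optional[str]:
    """Return the directive name the way OpenVPN's option parser will read it:
    comment lines dropped, shell-style quoting honoured, leading dashes removed.
    Raises ValueError on unbalanced quotes."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":   # OpenVPN comment markers
        return None
    tokens = shlex.split(stripped, comments=True)
    if not tokens:
        return None
    return re.sub(r"^-+", "", tokens[0])


def hardened_filter(config_text: str) -> bool:
    """Same denylist, but compared against the canonical directive name, and
    failing closed on any line that cannot be parsed."""
    for line in config_text.splitlines():
        try:
            name = canonical_directive(line)
        except ValueError:
            return False
        if name in SCRIPT_DIRECTIVES:
            return False
    return True


# Constructed sample uploads. The malicious ones mirror the shape described in
# the article: script-security 2 plus an "up" hook that runs "id".
BENIGN_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.com 1194
"""

UNDASHED_MALICIOUS_CONFIG = BENIGN_CONFIG + """\
script-security 2
up /usr/bin/id
"""

DASHED_MALICIOUS_CONFIG = BENIGN_CONFIG + """\
--script-security 2
--up /usr/bin/id
"""


if __name__ == "__main__":
    for label, cfg in [("benign", BENIGN_CONFIG),
                       ("undashed", UNDASHED_MALICIOUS_CONFIG),
                       ("dashed", DASHED_MALICIOUS_CONFIG)]:
        print(label, "vulnerable_filter:", vulnerable_filter(cfg),
              "hardened_filter:", hardened_filter(cfg))
```

Running the block shows the dashed configuration accepted by the naive filter and rejected by the hardened one. Even the hardened version is still a denylist, so it must enumerate every spelling OpenVPN will honour; a stronger design for a device like this is an allowlist of the handful of directives a customer VPN profile legitimately needs and rejection of everything else.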
With root access, researchers uncovered additional security issues:
- Ability to decrypt encrypted firmware files
- Decryption of encrypted data, including passwords stored in configuration files
- Acquisition of correctly signed X.509 VPN certificates for foreign devices
These findings have severe implications for the security of industrial networks relying on Cosy+ devices. Attackers could hijack VPN sessions, gaining unauthorized access to sensitive industrial systems and data.
HMS Networks has responded to these discoveries by releasing firmware updates to address the identified vulnerabilities. Users are strongly advised to update their Cosy+ devices to the latest firmware versions:
- 21.2s10 or later for 21.x firmware
- 22.1s3 or later for 22.x firmware
In light of these findings, industrial organizations using Ewon Cosy+ or similar remote access solutions should take immediate action to mitigate risks:
- Update device firmware to the latest secure versions
- Implement strong network segmentation and access controls
- Regularly audit and monitor remote access activities
- Consider additional security layers, such as multi-factor authentication
This research underscores the critical importance of thorough security assessments for industrial remote access tools, as vulnerabilities in these systems can have far-reaching consequences for critical infrastructure and industrial operations.