Security flaws have been identified in the Ewon Cosy+ industrial remote access solution, potentially allowing attackers to gain root privileges on the devices and conduct further malicious activities.
These vulnerabilities could be exploited to decrypt encrypted firmware and data, such as passwords, and even obtain correctly signed X.509 VPN certificates to hijack VPN sessions, posing serious security risks to both users and adjacent industrial infrastructures.
The vulnerabilities were disclosed by SySS GmbH security researcher Moritz Abrell during the DEF CON 32 conference. The flaws include an operating system command injection vulnerability and a filter bypass, which could be used to execute a reverse shell by uploading a manipulated OpenVPN configuration.
Additionally, a persistent cross-site scripting (XSS) vulnerability and unprotected cookies containing Base64-encoded credentials allow an unauthenticated attacker to gain administrative access and ultimately root the device.
The attack chain can be extended further to establish persistence, access firmware-specific encryption keys, and decrypt firmware update files. Moreover, the exploitation of a hard-coded key within the binary for password encryption could enable attackers to extract sensitive secrets.
Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks. Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges… https://t.co/x5Qxqstsgd #InceptusSecure #UnderOurProtection
— Inceptus (@Inceptus3) August 12, 2024
A critical aspect of these vulnerabilities is the communication between Cosy+ devices and the Talk2m API, which relies on HTTPS with mutual TLS (mTLS) authentication. However, because a device’s serial number is the sole identifier in its certificate signing request (CSR), that identity can be spoofed: an attacker can obtain a correctly signed certificate for a target device, initiate their own VPN session, effectively hijack the original connection, and reach network services behind the target, such as RDP or SMB.
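To make the identity-binding problem concrete, here is an added example (not Talk2m or Ewon code) that models a certificate-enrolment endpoint in Python. It assumes a per-device enrolment secret provisioned at manufacture and a toy dictionary-based CSR; the weak policy trusts the serial number in the CSR alone, while the hardened policy requires a device-bound proof and refuses a second live certificate for the same serial.

```python
import hashlib
import hmac
import secrets

# Added example, not the vendor's code: models why a CSR identified only by a
# device serial number can be hijacked, and one way to bind it to the device.

# Constructed registry: per-device enrolment secrets (assumption; the real
# service's binding mechanism is not described on the page).
DEVICE_SECRETS = {
    "SERIAL-0001": secrets.token_bytes(32),   # legitimate device
    "SERIAL-0002": secrets.token_bytes(32),   # a different device
}

def make_csr(serial, pubkey_fingerprint, enrol_secret=None):
    """Build a toy CSR: subject = serial, plus an optional proof of possession."""
    csr = {"subject_serial": serial, "pubkey": pubkey_fingerprint}
    if enrol_secret is not None:
        msg = f"{serial}|{pubkey_fingerprint}".encode()
        csr["proof"] = hmac.new(enrol_secret, msg, hashlib.sha256).hexdigest()
    return csr

def issue_weak(csr):
    """Weak policy: the serial in the CSR is the only identifier considered."""
    return {"subject": csr["subject_serial"], "pubkey": csr["pubkey"]}

def issue_hardened(csr, issued):
    """Hardened policy: the CSR must carry a proof keyed to that serial's
    enrolment secret, and each serial may hold only one live certificate."""
    serial = csr["subject_serial"]
    secret = DEVICE_SECRETS.get(serial)
    if secret is None or "proof" not in csr:
        return None
    msg = f"{serial}|{csr['pubkey']}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, csr["proof"]):
        return None
    if serial in issued:            # duplicate enrolment: treat as a hijack attempt
        return None
    cert = {"subject": serial, "pubkey": csr["pubkey"]}
    issued[serial] = cert
    return cert

def demo():
    """Returns (weak_accepts_rogue_csr, hardened_rejects_rogue_csr)."""
    issued = {}
    genuine = make_csr("SERIAL-0001", "fp-genuine", DEVICE_SECRETS["SERIAL-0001"])
    assert issue_hardened(genuine, issued) is not None
    # A CSR naming the same serial but a foreign key, with no device-bound proof.
    rogue = make_csr("SERIAL-0001", "fp-foreign")
    return issue_weak(rogue)["subject"] == "SERIAL-0001", issue_hardened(rogue, issued) is None
```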
These vulnerabilities underscore the need for enhanced security measures in industrial remote access solutions to prevent potential exploitation by malicious actors.
Abdul Rehman