Advisory ID: SYSS-2024-033
Product: Ewon Cosy+
Manufacturer: HMS Industrial Networks AB
Affected Version(s): Firmware Versions: all versions
Tested Version(s): Firmware Version: 21.2s7
Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2024-04-10
Solution Date: Not yet fixed
Public Disclosure: 2024-08-11
CVE Reference: CVE-2024-33894
Author of Advisory: Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between
the machine (PLC, HMI, or other devices) and the remote engineer.
The connection happens through Talk2m, a highly secured industrial
cloud service. The Ewon Cosy+ makes industrial remote access easy
and secure like never before!"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Ewon Cosy+ executes all tasks and services in the context
of the user "root" and therefore with the highest system privileges.

By compromising a single service, attackers automatically gain full
system access.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Examining running processes:
$> ps
PID USER VSZ STAT COMMAND
1 root 6248 S {systemd} /sbin/init
2 root 0 SW [kthreadd]
3 root 0 IW [kworker/0:0]
5 root 0 IW [kworker/u2:0]
6 root 0 IW< [mm_percpu_wq]
7 root 0 SW [ksoftirqd/0]
8 root 0 RW [rcu_sched]
9 root 0 IW [rcu_bh]
205 root 3044 S udevd --daemon
491 root 23344 S /usr/lib/systemd/systemd-journald
505 root 3524 S /usr/lib/systemd/systemd-udevd
530 root 0 IW [kworker/u2:2]
536 root 11908 S /usr/sbin/rngd -f -r /dev/hwrng
537 root 50364 S /usr/sbin/ModemManager --log-journal
538 root 2232 S /usr/sbin/klogd -n
539 root 2232 S /usr/sbin/syslogd -n
542 root 3556 S /sbin/agetty -o -p -- \u --noclear tty1 linux
547 root 22972 S /usr/root/ewon/bin/modem-manager-handler
549 root 29860 R /usr/root/ewon/bin/sysDSupervisor
555 root 21868 S /usr/root/ewon/bin/sysUpdateManager
565 root 4760 S /usr/lib/systemd/systemd-logind
623 root 52596 S /usr/root/ewon/bin/ewon
742 root 14064 S eveusbd -p
746 root 11696 S /usr/sbin/chronyd -4 -n
790 root 2232 S udhcpc --script=/usr/root/ewon/bin/bootpdhcp/dhcpc.s
853 root 0 IW< [kworker/u3:3]
926 root 0 RW [kworker/0:2]
1209 root 0 IW< [kworker/0:0H]
1274 root 0 IW< [kworker/0:2H]
1308 root 5004 S openvpn --auth-nocache --config /var/run/openvpn.con
1315 root 2496 S sh

[...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer, no fix is planned for the current device
generation and it is on the roadmap for future generations.[7]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-04: Vulnerability discovered
2024-04-10: Vulnerability reported to manufacturer
2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for
a publication date for all findings
2024-04-12: Proposed dates for a discussion about publication
2024-04-19: Manufacturer sent a technical overview of the analysis;
a fix is planned for the next device generation
2024-04-30: CVE ID CVE-2024-33894[4] assigned by the manufacturer
2024-05-31: Manufacturer asked if the blog post[5] can be reviewed by HMS
2024-06-04: Proposed dates to review the blog post draft
2024-07-17: Blog post provided to HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post
2024-07-24: Manufacturer also asked for an appointment to discuss the blog
post
2024-07-29: Discussion with HMS about the blog post and final publication
actions
2024-08-11: Vulnerability disclosed at DEF CON[6]
2024-08-11: Blog post published[5]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website
https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-033
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-033.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2024-33894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33894
[5] Blog post
https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[6] DEF CON talk
https://defcon.org/html/defcon-32/dc-32-speakers.html#54521
[7] Manufacturer note
https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:[email protected]
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL:http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay45EACgkQrgyb+PE0
i1P5LRAAg9gPOXRL6URvnvUSI9Tsrqr/sNXbEm6ZxnBjmOtrSACUqvL/3G1mg31M
2zBXF/P4HnLgZPywO+XTI0F9QmwIhvGvksh/lvlMPt7sI9yk1Xt/UauSWYEEAqbT
5wyq5i9K4ni9ehV0gnoBjwo+10wLpKOWn1sXBQkN93bGDexEJbxnxE/0/+3qjd1X
WkzoZ6MvggSFTNJcF0XkHxjuvjCc8HHmto9TV8YjrzbmMvqPFVcVc/C8E5FkszFg
SRUEfDaQMZgEcvXOeLOp/FkJwLIhp8yeGAseAy7ii5ZElmwELE7maE8/sxeCym9e
f+ahwg0feHDFU1FYvY0s3sx6PJroy1K2wGS+JRXkHCC/Rn+gBkdOK+09u+GCBq3K
+o8WYE92kLOjEYzdrkMh2/XAXVqFaBA7EzX49KLZjlFhwPL/AP2Se3Jne8G1HhNw
jxmLHu1O1yBX28x6Je2COd0iNxIVgtg6skqIePZajMq1Gw9BOrzqO12IT+fr0ecO
KlTs5zGsu1GhkmoGd2MZXuV0znty4UkTw1ozsNudwqftz6y3cwDmNKPSkSgmSr6a
Ygwb0w10XncZruqZhabKLR7byfeLDiyRykQuOe3cYHmHW7X3N9wSqfzp6Bpn7bcx
Qrr1dpzCn4LJRW14C3ZQD/KEjPVIHgZ+ZIkNjHGreG+mHKygTWA=
=U9YV
-----END PGP SIGNATURE-----