Researchers Hacked Industrial Remote Access Gateway Tool to Gain Root Access

by Esmeralda McKenzie

Industrial remote access gateway device hacked

Security researchers have uncovered critical vulnerabilities in the Ewon Cosy+, a widely used industrial remote access gateway device, allowing them to gain root access and compromise the device's security. The findings, presented at DEF CON 32, highlight significant risks to industrial infrastructure and remote access systems.

The Ewon Cosy+, developed by HMS Networks, is designed to provide secure remote access to industrial systems via VPN connections. However, researchers from SySS GmbH discovered several critical flaws that undermine its security promises.

Systems architecture (source: SySS GmbH)

Key vulnerabilities identified include:

  1. OS Command Injection (CVE-2024-33896): Researchers found a way to bypass the filters applied to user-supplied OpenVPN configurations, allowing arbitrary command execution.
  2. Insecure Permissions (CVE-2024-33894): Affects devices running firmware versions 21.x below 21.2s10 or 22.x below 22.1s3.
  3. Certificate Request Vulnerability (CVE-2024-33897): A compromised Cosy+ device could be used to request certificates for unauthorized devices, potentially leading to VPN session hijacking.

The exploit chain for gaining root access to the Ewon Cosy+ device involved a series of steps leveraging an OS command injection vulnerability (CVE-2024-33896). Researchers first discovered a filter bypass in the device's OpenVPN configuration functionality by prefixing parameters with two dashes (--).

They then crafted a malicious OpenVPN configuration file that included the "--up" parameter to execute arbitrary shell commands, along with "script-security 2" to enable user-defined scripts. This configuration was uploaded to the Cosy+ device.

Exploit chain (source: SySS GmbH)

When the VPN connection was established, the device executed the specified command (in this case, "id") as root, confirming successful command execution and granting the researchers root access.

With this elevated privilege, they were able to exploit the device further, decrypting encrypted firmware files, gaining access to sensitive data including passwords in configuration files, and obtaining properly signed X.509 VPN certificates for unauthorized devices.

This chain of exploitation demonstrated how a seemingly simple configuration file upload feature, combined with inadequate input validation, could lead to complete compromise of the industrial remote access gateway.
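The filter bypass above works because a denylist that matches only the bare directive name (for example "up") misses the equivalent dashed spelling ("--up") that OpenVPN also accepts. The following validator is an added example written for this article, not code from SySS GmbH or HMS Networks; it normalizes each configuration line before checking it, so both spellings are caught, and it rejects any upload that contains a script-executing directive. The directive list and the sample configurations are assumptions constructed for the example.

```python
from typing import List, Optional, Tuple

# OpenVPN directives that make the daemon run an external program or enable
# doing so. Illustrative list for this example (not the device's own filter);
# OpenVPN's manual documents these as script hooks.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "script-security",
}


def normalize_directive(line: str) -> Optional[str]:
    """Return the canonical directive name of one config line, or None for
    blank and comment lines. Leading dashes are stripped so that '--up' and
    'up' compare equal; lower-casing makes the denylist conservative."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    first_token = stripped.split()[0]
    return first_token.lstrip("-").lower()


def find_script_directives(config_text: str) -> List[Tuple[int, str]]:
    """Scan a user-supplied OpenVPN config and return (line_no, directive)
    for every line that would let OpenVPN execute an external command."""
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        directive = normalize_directive(line)
        if directive in SCRIPT_DIRECTIVES:
            hits.append((line_no, directive))
    return hits


def is_config_acceptable(config_text: str) -> bool:
    """Accept the upload only if no script-executing directive is present."""
    return not find_script_directives(config_text)


# Constructed sample in the shape of the bypass described in the article:
# dashed forms of 'script-security' and 'up' that a bare-name filter misses.
SAMPLE_MALICIOUS = """\
client
dev tun
remote vpn.example.invalid 1194
--script-security 2
--up "/bin/sh -c id"
"""

# Constructed benign sample; the comment line must not trigger a hit.
SAMPLE_BENIGN = """\
client
dev tun
remote vpn.example.invalid 1194
# up hooks are not permitted on this device
cipher AES-256-GCM
"""
```

Run against the two samples, `find_script_directives` reports lines 4 and 5 of the malicious config and nothing for the benign one.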

With root access, researchers uncovered further security issues:

  • Ability to decrypt encrypted firmware files
  • Access to encrypted data, including passwords in configuration files
  • Acquisition of properly signed X.509 VPN certificates for foreign devices

These findings have serious implications for the security of industrial networks relying on Cosy+ devices. Attackers could hijack VPN sessions, gaining unauthorized access to sensitive industrial systems and data.

HMS Networks has responded to these discoveries by releasing firmware updates to address the identified vulnerabilities. Users are strongly urged to update their Cosy+ devices to the latest firmware versions:

  • 21.2s10 or later for 21.x firmware
  • 22.1s3 or later for 22.x firmware

In light of these findings, industrial organizations using Ewon Cosy+ or similar remote access solutions should take immediate action to mitigate risks:

  1. Update device firmware to the latest secure versions
  2. Implement strong network segmentation and access controls
  3. Regularly audit and monitor remote access activities
  4. Consider additional security layers, such as multi-factor authentication

This research underscores the critical importance of thorough security assessments for industrial remote access tools, as vulnerabilities in these systems can have far-reaching consequences for critical infrastructure and industrial operations.


Source credit: cybersecuritynews.com
