Message-ID: <a0ae4315-8a91-4665-93c9-5361df6c6a86@syss.de>
Date: Sun, 11 Aug 2024 19:48:32 +0200
From: Moritz Abrell via Fulldisclosure <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] Execution with Unnecessary Privileges (CWE-250) CVE-2024-33894

Advisory ID:               SYSS-2024-033
Product:                   Ewon Cosy+
Manufacturer:              HMS Industrial Networks AB
Affected Version(s):       Firmware Versions: all versions
Tested Version(s):         Firmware Version: 21.2s7
Vulnerability Type:        Execution with Unnecessary Privileges (CWE-250)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2024-04-10
Solution Date:             Not yet fixed
Public Disclosure:         2024-08-11
CVE Reference:             CVE-2024-33894
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between
the machine (PLC, HMI, or other devices) and the remote engineer.
The connection happens through Talk2m, a highly secured industrial
cloud service. The Ewon Cosy+ makes industrial remote access easy
and secure like never before!"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Ewon Cosy+ executes all tasks and services in the context
of the user "root" and therefore with the highest system privileges.

By compromising a single service, attackers automatically gain full
system access.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Examining running processes:
$> ps
   PID USER       VSZ STAT COMMAND
     1 root      6248 S    {systemd} /sbin/init
     2 root         0 SW   [kthreadd]
     3 root         0 IW   [kworker/0:0]
     5 root         0 IW   [kworker/u2:0]
     6 root         0 IW<  [mm_percpu_wq]
     7 root         0 SW   [ksoftirqd/0]
     8 root         0 RW   [rcu_sched]
     9 root         0 IW   [rcu_bh]
   205 root      3044 S    udevd --daemon
   491 root     23344 S    /usr/lib/systemd/systemd-journald
   505 root      3524 S    /usr/lib/systemd/systemd-udevd
   530 root         0 IW   [kworker/u2:2]
   536 root     11908 S    /usr/sbin/rngd -f -r /dev/hwrng
   537 root     50364 S    /usr/sbin/ModemManager --log-journal
   538 root      2232 S    /usr/sbin/klogd -n
   539 root      2232 S    /usr/sbin/syslogd -n
   542 root      3556 S    /sbin/agetty -o -p -- \u --noclear tty1 linux
   547 root     22972 S    /usr/root/ewon/bin/modem-manager-handler
   549 root     29860 R    /usr/root/ewon/bin/sysDSupervisor
   555 root     21868 S    /usr/root/ewon/bin/sysUpdateManager
   565 root      4760 S    /usr/lib/systemd/systemd-logind
   623 root     52596 S    /usr/root/ewon/bin/ewon
   742 root     14064 S    eveusbd -p
   746 root     11696 S    /usr/sbin/chronyd -4 -n
   790 root      2232 S    udhcpc --script=/usr/root/ewon/bin/bootpdhcp/dhcpc.s
   853 root         0 IW<  [kworker/u3:3]
   926 root         0 RW   [kworker/0:2]
  1209 root         0 IW<  [kworker/0:0H]
  1274 root         0 IW<  [kworker/0:2H]
  1308 root      5004 S    openvpn --auth-nocache --config /var/run/openvpn.con
  1315 root      2496 S    sh

     [...]
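
As an added example, not part of the SySS advisory or vendor material: a short Python audit that parses a BusyBox-style `ps` listing like the one above, separates kernel threads from user-space processes, and flags which root-owned processes are daemons that take input from the network or from peripherals. The sample listing is trimmed from the advisory's output and the `EXPOSED_SERVICES` set is a constructed assumption for this example.

```python
"""Audit a BusyBox-style `ps` listing for user-space processes running as root."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the kind of listing the advisory shows.
SAMPLE_PS = """\
   PID USER       VSZ STAT COMMAND
     1 root      6248 S    {systemd} /sbin/init
     2 root         0 SW   [kthreadd]
   205 root      3044 S    udevd --daemon
   536 root     11908 S    /usr/sbin/rngd -f -r /dev/hwrng
   537 root     50364 S    /usr/sbin/ModemManager --log-journal
   623 root     52596 S    /usr/root/ewon/bin/ewon
   746 root     11696 S    /usr/sbin/chronyd -4 -n
   790 root      2232 S    udhcpc --script=/usr/root/ewon/bin/bootpdhcp/dhcpc.s
  1308 root      5004 S    openvpn --auth-nocache --config /var/run/openvpn.con
  1315 root      2496 S    sh
"""

# Assumed list for this example: daemons visible in the listing that parse
# untrusted input (VPN, NTP, DHCP, modem). Any of these is the "single service"
# whose compromise yields full system access when it runs as root.
EXPOSED_SERVICES = {"openvpn", "chronyd", "udhcpc", "ModemManager"}

# PID USER VSZ STAT COMMAND; the header line does not match and is dropped.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")


def parse_ps(text):
    """Return a list of (pid, user, command) tuples from BusyBox `ps` output."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs.append((int(m.group(1)), m.group(2), m.group(5).strip()))
    return procs


def is_kernel_thread(command):
    """Kernel threads have no binary; BusyBox shows them as [name]."""
    return command.startswith("[") and command.endswith("]")


def service_name(command):
    """Basename of the first token, minus the {name} wrapper BusyBox prints."""
    return command.split()[0].strip("{}").rsplit("/", 1)[-1]


def audit(text):
    """Return (user counts, root-owned user-space services, exposed ones as root)."""
    userland = [p for p in parse_ps(text) if not is_kernel_thread(p[2])]
    users = Counter(user for _, user, _ in userland)
    root_services = [service_name(cmd) for _, user, cmd in userland if user == "root"]
    exposed = sorted(s for s in root_services if s in EXPOSED_SERVICES)
    return users, root_services, exposed


if __name__ == "__main__":
    print(audit(SAMPLE_PS))
```

On the sample every user-space process is root-owned, so all four exposed daemons are reported; a hardened image would show them under dedicated unprivileged users.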

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

According to the manufacturer, no fix is planned for the current device
generation; a fix is on the roadmap for future device generations.[7]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-04: Vulnerability discovered
2024-04-10: Vulnerability reported to manufacturer
2024-04-11: Manufacturer acknowledged the vulnerabilities and asked for
             a publication date for all findings
2024-04-12: Proposed dates for a discussion about publication
2024-04-19: Manufacturer sent a technical overview of the analysis;
             a fix is planned for the next device generation
2024-04-30: CVE ID CVE-2024-33894[4] assigned by the manufacturer
2024-05-31: Manufacturer asked if the blog post[5] can be reviewed by HMS
2024-06-04: Proposed dates to review the blog post draft
2024-07-17: Blog post provided to HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post
2024-07-24: Manufacturer also asked for an appointment to discuss the blog
             post
2024-07-29: Discussion with HMS about the blog post and final publication
             actions
2024-08-11: Vulnerability disclosed at DEF CON[6]
2024-08-11: Blog post published[5]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-033
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-033.txt
[3] SySS Responsible Disclosure Policy
     https://www.syss.de/en/responsible-disclosure-policy
[4] CVE-2024-33894
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33894
[5] Blog post
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[6] DEF CON talk
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521
[7] Manufacturer note
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail: moritz.abrell@...s.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
