Message-ID: <CAH8yC8ky42LYWUUaHGps1AB0Vq1=_mTJw3LaSSrj2cmYaFuO5w@mail.gmail.com>
Date: Sun, 18 Aug 2024 03:10:41 -0400
From: Jeffrey Walton <noloader@...il.com>
To: Moritz Abrell <moritz.abrell@...s.de>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Improper Authentication (CWE-287) CVE-2024-33897

On Sun, Aug 18, 2024 at 2:39 AM Moritz Abrell via Fulldisclosure
<fulldisclosure@...lists.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Advisory ID: SYSS-2024-043
> Product: Ewon Cosy+ / Talk2M Remote Access Solution
> Manufacturer: HMS Industrial Networks AB
> Affected Version(s): N.A.
> Tested Version(s): N.A.
> Vulnerability Type: Improper Authentication (CWE-287)
> Risk Level: High
> Solution Status: Fixed
> Manufacturer Notification: 2024-04-17
> Solution Date: 2024-04-18
> Public Disclosure: 2024-08-11
> CVE Reference: CVE-2024-33897
> Author of Advisory: Moritz Abrell, SySS GmbH
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Overview:
>
> The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
> in industrial environments.
>
> The manufacturer describes the product as follows (see [1]):
>
> "The Ewon Cosy+ gateway establishes a secure VPN connection between
> the machine (PLC, HMI, or other devices) and the remote engineer.
> The connection happens through Talk2m, a highly secured industrial
> cloud service. The Ewon Cosy+ makes industrial remote access easy
> and secure like never before!"
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Vulnerability Details:
>
> During account assignment in the Talk2M platform, a Cosy+ device
> generates and sends a certificate signing request (CSR) to the back end.
> This CSR is then signed by the manufacturer and used for OpenVPN
> authentication by the device afterward.
>
> Since the common name (CN) of the certificate is specified by the device
> and used in order to assign the OpenVPN session to the corresponding
> Talk2M account, an attacker with root access to a Cosy+ device is able
> to manipulate the CSR and get correctly signed certificates for foreign
> devices.
>
> Using these certificates for OpenVPN authentication results in hijacking
> the VPN session and allows for further attacks, e.g.:
>
> - - Impacting the accessibility of the original device
> - - Attacking the Talk2M-connected user device via the VPN connection
> - - Eavesdropping and manipulating the network communication of connected
> users

I believe the problem lies elsewhere. The root cause is an architectural
or design problem. Ewon Cosy+ should probably be using a protocol like
Simple Certificate Enrollment Protocol (SCEP) or Enrollment over Secure
Transport (EST), and not rolling their own scheme.

Also see discussions like
<https://mailarchive.ietf.org/arch/msg/pkix/X94XpFJA5sKKkLTVkOYXL_dv8t4/>
and <>.

Jeff

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
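The issuance flow the advisory describes (device builds a CSR, the back end copies its CN into the signed certificate, the VPN side keys the account assignment on that CN) and the fix Jeff points at (let the enrollment protocol, not the CSR, establish the identity) can both be shown in a few lines. The Go program below is an added example written for this archive page; it is not code from SySS, HMS Industrial Networks or the Ewon/Talk2M product. It builds a throwaway issuing CA, a signer that trusts the CSR's CN (the pattern the advisory faults), a signer that binds the CN to the identity established during the authenticated enrollment session (the property EST/SCEP-style enrollment gives the server), and a VPN-side check that verifies a client certificate against the CA and returns the CN the session would be assigned to. The CA, the device names `device-A`/`device-B` and the enrolled-identity parameter are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a constructed issuing CA standing in for the vendor back end that signs device CSRs.
type CA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func must(err error) { // abort on fixture setup errors (keys, CA); the signers return errors instead
	if err != nil {
		panic(err)
	}
}

// NewCA creates a self-signed issuing CA for the demonstration.
func NewCA() *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-device-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &CA{Cert: cert, Key: key}
}

// MakeCSR is the device side: the CN is whatever the (possibly rooted) device puts in.
func MakeCSR(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	must(err)
	return csr
}

// issue signs a client certificate for the CSR's public key under the given CN.
func issue(ca *CA, csr *x509.CertificateRequest, cn string) ([]byte, error) {
	if err := csr.CheckSignature(); err != nil { // proves key possession, says nothing about identity
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial
		Subject: pkix.Name{CommonName: cn}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.Key)
}

// SignTrustingCSR mirrors the flawed flow: the CN is copied from the device-supplied CSR.
func SignTrustingCSR(ca *CA, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	return issue(ca, csr, csr.Subject.CommonName)
}

// SignWithEnrolledIdentity binds the CN to the identity the back end established during the authenticated enrollment (as EST/SCEP-style flows do) and rejects any other name.
func SignWithEnrolledIdentity(ca *CA, csrDER []byte, enrolledID string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if csr.Subject.CommonName != enrolledID {
		return nil, fmt.Errorf("CSR CN %q does not match enrolled identity %q", csr.Subject.CommonName, enrolledID)
	}
	return issue(ca, csr, enrolledID) // subject comes from server-side data, never from the CSR
}

// SessionOwner mirrors the VPN side: verify the client cert chains to the CA and return the CN that account assignment keys on.
func SessionOwner(ca *CA, leafDER []byte) (string, error) {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	ca := NewCA()
	csr := MakeCSR("device-B") // constructed: a device enrolled as "device-A" claims "device-B"
	leaf, _ := SignTrustingCSR(ca, csr)
	owner, _ := SessionOwner(ca, leaf)
	_, err := SignWithEnrolledIdentity(ca, csr, "device-A")
	fmt.Println("trusting signer bound the session to:", owner, "| hardened signer:", err)
}
```

The point of the contrast is where the identity comes from. `CheckSignature` only proves the requester holds the private key; a CA that then copies `Subject.CommonName` into the certificate has let the requester choose which account the VPN session lands in. Binding the CN to the identity the server already authenticated during enrollment (and rebuilding the subject from server-side data rather than copying it) makes a manipulated CSR fail at issuance instead of at a later forensic review; the same check can be logged as a detection signal, since a legitimate device never asks for a name other than its own.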