Researchers Exploited Industrial Remote Access Gateway Tool to Obtain Root Access

Cybersecurity researchers have discovered critical vulnerabilities in the Ewon Cosy+, a popular industrial remote access gateway tool, enabling them to gain root access and breach the device’s security. These alarming findings, revealed at DEF CON 32, expose significant threats to industrial infrastructure and remote access systems.

The Ewon Cosy+, developed by HMS Networks, is intended to offer secure remote access to industrial systems via VPN connections. However, researchers from SySS GmbH identified multiple severe flaws that compromise the tool’s security integrity, raising concerns for industries relying on this technology.

Key security vulnerabilities identified in the Ewon Cosy+ include:

  • OS Command Injection (CVE-2024-33896): Researchers discovered a method to bypass filters in user-provided OpenVPN configurations, enabling arbitrary command execution on the device.
  • Insecure Permissions (CVE-2024-33894): This issue affects devices running firmware versions 21.x below 21.2s10 or 22.x below 22.1s3, leading to potential security breaches.
  • Certificate Request Vulnerability (CVE-2024-33897): A compromised Cosy+ device could be exploited to request certificates for unauthorized devices, which may result in VPN session hijacking.

The exploit chain that led to root access on the Ewon Cosy+ involved a series of steps centered around the OS command injection vulnerability (CVE-2024-33896). Initially, the researchers identified a filter bypass in the device’s OpenVPN configuration feature: the filter checked for bare directive names, but OpenVPN also accepts the same options when they are prefixed with double dashes (--), as on the command line.

Subsequently, they crafted a malicious OpenVPN configuration file, incorporating the “--up” directive to execute arbitrary shell commands, along with “script-security 2” to permit user-defined scripts. This configuration was then uploaded to the Cosy+ device through its normal configuration interface.

When the VPN connection was established, the device ran the command provided by the researchers, giving them root access. This elevated access allowed them to fully exploit the device, decrypting firmware files, accessing sensitive data like passwords in configuration files, and obtaining valid X.509 VPN certificates for unauthorized devices.

This vulnerability showed how a simple configuration file upload, combined with poor input validation, could lead to a complete takeover of the industrial remote access gateway.
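The root cause above is a filter that compared directive names literally and so missed the double-dash spelling. The following is an added defensive example, not code from the SySS researchers or from HMS Networks: a small validator for user-supplied OpenVPN profiles that normalises the leading dashes before matching, skips comment lines and inline certificate blocks, and offers both a deny-list view (directives that run external programs) and the stronger allow-list view. The directive names are real OpenVPN options; the sample configuration, the placeholder script path and the allow-list are constructed for the example.

```python
import re

# Real OpenVPN options that cause the daemon to run an external program or script.
# This set is a starting point for review, not an exhaustive list.
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "script-security", "plugin",
}

# The directive name may be bare ("up /path") or carry the command-line style
# double dash ("--up /path"), which OpenVPN also accepts inside a config file.
# A filter that compares only the bare spelling misses the dashed form.
_LEADING_DASHES = re.compile(r"^-{1,2}")
_BLOCK_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")
_BLOCK_CLOSE = re.compile(r"^</([A-Za-z0-9_-]+)>$")


def iter_directives(config_text):
    """Yield (line_no, directive_name, raw_line) for each option line.

    Comment lines (# or ;) are skipped, and the contents of inline file blocks
    such as <ca> ... </ca> are skipped because they hold certificate data, not options.
    """
    in_block = None
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if in_block is not None:
            close = _BLOCK_CLOSE.match(line)
            if close and close.group(1) == in_block:
                in_block = None
            continue
        opened = _BLOCK_OPEN.match(line)
        if opened:
            in_block = opened.group(1)
            continue
        if not line or line[0] in "#;":
            continue
        name = _LEADING_DASHES.sub("", line.split()[0]).lower()
        if name:
            yield line_no, name, raw.rstrip()


def find_script_directives(config_text):
    """Deny-list view: every line whose directive can execute code on the host."""
    return [hit for hit in iter_directives(config_text) if hit[1] in SCRIPT_DIRECTIVES]


def find_unlisted_directives(config_text, allowed):
    """Allow-list view: every line whose directive is not explicitly permitted.

    This is the stronger check for user-supplied configs, because new or
    obscure options are rejected by default instead of slipping past a deny-list.
    """
    allowed = {a.lower() for a in allowed}
    return [hit for hit in iter_directives(config_text) if hit[1] not in allowed]


# Constructed sample: a plausible client profile with the pattern described in the
# article appended at the end (placeholder script path, not a real payload).
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
; a trailing comment line
script-security 2
--up /tmp/placeholder.sh
"""

# Constructed allow-list of directives a gateway might permit in an uploaded profile.
SAMPLE_ALLOWLIST = {"client", "dev", "proto", "remote", "cipher", "auth", "verb"}


if __name__ == "__main__":
    for line_no, name, raw in find_script_directives(SAMPLE_CONFIG):
        print(f"line {line_no}: script directive {name!r}: {raw}")
    for line_no, name, raw in find_unlisted_directives(SAMPLE_CONFIG, SAMPLE_ALLOWLIST):
        print(f"line {line_no}: not on allow-list {name!r}: {raw}")
```

Run against the sample, both views flag lines 11 and 12 (`script-security` and the dashed `up`). A gateway that accepts profiles from users should prefer the allow-list form and reject the upload outright on any hit rather than attempting to strip the offending lines.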

With root access, the researchers uncovered additional critical security issues:

  • Decryption of encrypted firmware files
  • Access to sensitive data, including passwords
  • Acquisition of valid X.509 VPN certificates for unauthorized devices

These findings have serious implications for the security of industrial networks that rely on Cosy+ devices. Attackers could potentially hijack VPN sessions and gain unauthorized access to critical industrial systems and sensitive data.

HMS Networks has responded by releasing firmware updates to fix these vulnerabilities. Users are strongly urged to update their Cosy+ devices to the latest firmware versions:

  • Version 21.2s10 or later for 21.x firmware
  • Version 22.1s3 or later for 22.x firmware
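For operators with more than a handful of gateways, the update guidance above is easiest to apply as an inventory check. The following is an added example, not vendor code from HMS Networks: it parses the version strings in the form the guidance uses (assumed here to be "<major>.<minor>s<service>", as in "21.2s10") and triages a device list against the first fixed release of each branch. The device names and versions in the sample inventory are constructed.

```python
import re

# Assumption: firmware strings follow the "<major>.<minor>s<service>" pattern seen
# in the advisory ("21.2s10", "22.1s3"). This parser is an added illustration.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)s(\d+)$")

# First fixed release per firmware branch, as listed in the update guidance.
FIXED_VERSIONS = {
    21: (21, 2, 10),
    22: (22, 1, 3),
}


def parse_version(text):
    """Turn '21.2s10' into the comparable tuple (21, 2, 10)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def firmware_status(text):
    """'update' if below the fixed release for its branch, 'ok' if at or above it,
    'unknown' for branches the guidance does not cover (these need manual review)."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unknown"
    return "update" if version < fixed else "ok"


def triage_inventory(inventory):
    """Group an iterable of (device_name, version_string) pairs by status."""
    groups = {"update": [], "ok": [], "unknown": []}
    for name, version in inventory:
        groups[firmware_status(version)].append(name)
    return groups


# Constructed sample inventory (names and versions invented for the example).
SAMPLE_INVENTORY = [
    ("cosy-plant-a", "21.2s9"),
    ("cosy-plant-b", "21.2s10"),
    ("cosy-plant-c", "22.0s7"),
    ("cosy-plant-d", "22.1s3"),
    ("cosy-lab", "23.0s1"),
]


if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Tuple comparison does the branch-aware ordering: a 21.3 build sorts above 21.2s10 and is reported as fixed, while a version on a branch the guidance does not name lands in "unknown" rather than being silently accepted.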

To mitigate these risks, industrial organizations using Ewon Cosy+ or similar remote access solutions should take immediate action:

  • Update device firmware to the latest secure versions
  • Implement strong network segmentation and access controls
  • Regularly audit and monitor remote access activities
  • Consider additional security measures like multi-factor authentication

This research highlights the critical importance of thorough security assessments for industrial remote access tools. Vulnerabilities in these systems can have far-reaching consequences for critical infrastructure and industrial operations.
