Re: Improper Authentication (CWE-287) CVE-2024-33897

[Jeffrey Walton <noloader () gmail com>]

On Sun, Aug 18, 2024 at 2:39 AM Moritz Abrell via Fulldisclosure
<fulldisclosure () seclists org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Advisory ID:               SYSS-2024-043
> Product:                   Ewon Cosy+ / Talk2M Remote Access Solution
> Manufacturer:              HMS Industrial Networks AB
> Affected Version(s):       N.A.
> Tested Version(s):         N.A.
> Vulnerability Type:        Improper Authentication (CWE-287)
> Risk Level:                High
> Solution Status:           Fixed
> Manufacturer Notification: 2024-04-17
> Solution Date:             2024-04-18
> Public Disclosure:         2024-08-11
> CVE Reference:             CVE-2024-33897
> Author of Advisory:        Moritz Abrell, SySS GmbH
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Overview:
>
> The Ewon Cosy+ is a VPN gateway used for remote access and maintenance
> in industrial environments.
>
> The manufacturer describes the product as follows (see [1]):
>
> "The Ewon Cosy+ gateway establishes a secure VPN connection between
> the machine (PLC, HMI, or other devices) and the remote engineer.
> The connection happens through Talk2m, a highly secured industrial
> cloud service. The Ewon Cosy+ makes industrial remote access easy
> and secure like never before!"
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Vulnerability Details:
>
> During account assignment in the Talk2M platform, a Cosy+ device
> generates and sends a certificate signing request (CSR) to the back end.
> This CSR is then signed by the manufacturer and used for OpenVPN
> authentication by the device afterward.
>
> Since the common name (CN) of the certificate is specified by the device
> and used in order to assign the OpenVPN session to the corresponding
> Talk2M account, an attacker with root access to a Cosy+ device is able
> to manipulate the CSR and get correctly signed certificates for foreign
> devices.
>
> Using these certificates for OpenVPN authentication results in hijacking
> the VPN session and allows for further attacks, e.g.:
>
> - - Impacting the accessibility of the original device
> - - Attacking the Talk2M-connected user device via the VPN connection
> - - Eavesdropping and manipulating the network communication of connected
>    users

I believe the problem lies elsewhere. The root cause is an
architectural or design problem.

Ewon Cosy+ should probably be using a protocol like Simple Certificate
Enrollment Protocol (SCEP) or Enrollment over Secure Transport (EST),
and not rolling their own scheme. Also see discussions like
<https://mailarchive.ietf.org/arch/msg/pkix/X94XpFJA5sKKkLTVkOYXL_dv8t4/>
and <>.

Jeff
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/