Security researchers have recently uncovered severe vulnerabilities in the Ewon Cosy+, an industrial remote access gateway tool developed by HMS Networks. These critical flaws were disclosed during DEF CON 32, highlighting significant risks to industrial systems that rely on this tool for secure remote access. The vulnerabilities in question include OS command injection, insecure permissions, and certificate request issues, which collectively enable attackers to gain root access to the device, potentially leading to widespread security breaches in industrial environments.
The primary vulnerability identified is OS command injection (CVE-2024-33896), which allows attackers to bypass security filters in the device’s OpenVPN configuration, thereby executing arbitrary commands with root privileges. Researchers from SySS GmbH demonstrated this exploit by crafting a malicious OpenVPN configuration file that included specific parameters to run shell commands on the device. This exploit chain revealed how a simple configuration file upload feature, combined with inadequate input validation, can be manipulated to gain complete control over the device.
Additional vulnerabilities uncovered include insecure permissions (CVE-2024-33894) affecting certain firmware versions, which allow unauthorized access to device functionalities, and a certificate request vulnerability (CVE-2024-33897) that could facilitate VPN session hijacking by issuing certificates for unauthorized devices. These weaknesses enabled researchers to decrypt encrypted firmware files, access sensitive data, and obtain valid X.509 VPN certificates for malicious use. Such compromises could lead to significant security risks, including unauthorized access to critical industrial systems and data.
In response to these vulnerabilities, HMS Networks has released firmware updates to address the identified issues. Users are advised to upgrade to the latest firmware versions—21.2s10 or later for firmware version 21.x, and 22.1s3 or later for version 22.x. Additionally, it is recommended that organizations employing Ewon Cosy+ or similar remote access tools implement strong network segmentation, enforce access controls, regularly audit remote access activities, and consider adding extra security layers such as multi-factor authentication. This incident underscores the importance of rigorous security evaluations for industrial remote access tools to protect critical infrastructure and sensitive data from potential exploitation.
Reference:
