The Ewon Cozy+ industrial remote access tool is vulnerable to root access attacks

By Admin, August 12, 2024 (3 min read)

August 12, 2024 | Ravi Lakshmanan | Operational Technology / Network Security

Security vulnerabilities have been discovered in the Ewon Cozy+ industrial remote access solution that can be exploited to gain root privileges on devices and orchestrate subsequent attacks.

Elevated access can then be used to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even obtain properly signed X.509 VPN certificates for foreign devices to hijack their VPN sessions.

“This allows attackers to hijack VPN sessions, which creates significant security risks for Cozy+ users and the surrounding industrial infrastructure,” said SySS GmbH security researcher Moritz Abrell in a new analysis.

The findings were presented at the DEF CON 32 conference over the weekend.

Ewon Cozy+ is built around a VPN connection to a vendor-managed platform called Talk2m, established over OpenVPN. Technicians connect remotely to the industrial gateway through a VPN relay that also runs over OpenVPN.


The Germany-based pentesting firm said it had discovered an operating system command injection vulnerability and a filter bypass that together allowed a reverse shell to be obtained by downloading a specially crafted OpenVPN configuration.

An attacker could subsequently exploit a persistent cross-site scripting (XSS) vulnerability, together with the fact that the device stores the credentials of the current web session Base64-encoded in an insecure cookie named credential, to gain administrative access and eventually root privileges.


“An unauthenticated attacker can gain root access to Cozy+ by combining the vulnerabilities found and, for example, waiting for an admin user to log into the device,” Abrell said.

The attack chain can then be extended to reach the security configuration, obtain the firmware encryption keys, and decrypt the firmware update file. Moreover, the hard-coded key stored in the password encryption binary can be used to extract secrets.

“Communication between Cozy+ and the Talk2m API is done over HTTPS and secured by mutual TLS (mTLS) authentication,” Abrell explained. “When a Cozy+ device is assigned to a Talk2m account, the device generates a Certificate Signing Request (CSR) containing its serial number as the Common Name (CN) and sends it to the Talk2m API.”

This certificate, which the device retrieves through the Talk2m API, is then used for OpenVPN authentication. However, SySS found that because issuance relies solely on the device's serial number, a threat actor could register their own CSR under the target device's serial number and successfully initiate a VPN session.
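The enrollment weakness described above, as an added example that is not part of the original article or of any Ewon or Talk2m code: a simulated signing service that binds certificate issuance to the CSR's Common Name (the serial number) alone, beside a hardened variant that additionally requires proof of possession of a per-device secret (a hypothetical provisioning step, assumed here) and refuses to silently re-issue for a serial that is already enrolled to someone else.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a per-device secret provisioned at manufacture
# time. This is a hypothetical hardening step, not part of the real Talk2m
# enrollment flow described in the article.
DEVICE_SECRETS = {"SN-000123": b"factory-provisioned-secret"}


def pop_tag(serial: str, nonce: str, secret: bytes) -> str:
    """Proof-of-possession tag: HMAC over the serial and a server nonce."""
    msg = f"{serial}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WeakSigningService:
    """Trusts the CSR's Common Name alone: whoever submits a CSR carrying a
    known serial gets a certificate, and the previous holder is displaced."""

    def __init__(self):
        self.active = {}  # serial -> requester currently holding the VPN cert

    def sign(self, csr_cn: str, requester: str) -> bool:
        self.active[csr_cn] = requester  # last writer wins, no checks at all
        return True


class HardenedSigningService:
    """Requires a fresh challenge answered with the device secret, and
    refuses to re-issue for an enrolled serial without explicit revocation."""

    def __init__(self):
        self.active = {}
        self.pending = {}  # serial -> outstanding single-use nonce

    def challenge(self, serial: str) -> str:
        nonce = secrets.token_hex(16)
        self.pending[serial] = nonce
        return nonce

    def sign(self, csr_cn: str, requester: str, tag: str) -> bool:
        secret = DEVICE_SECRETS.get(csr_cn)
        nonce = self.pending.pop(csr_cn, None)  # consumed even on failure
        if secret is None or nonce is None:
            return False  # unknown serial or no outstanding challenge
        if not hmac.compare_digest(tag, pop_tag(csr_cn, nonce, secret)):
            return False  # caller does not hold the device secret
        if self.active.get(csr_cn, requester) != requester:
            return False  # serial already enrolled elsewhere: revoke first
        self.active[csr_cn] = requester
        return True
```

With the weak service a second CSR for the same serial silently replaces the legitimate device's certificate; with the hardened one it is refused, which is the condition a monitoring rule on the signing API should alert on.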


“The original VPN session will be overwritten and therefore the original device is no longer accessible,” Abrell said. “When Talk2m users connect to the device using Ecatcher’s VPN client software, they will be redirected to the attacker.”

“This allows attackers to conduct further attacks against the exploited client, such as accessing network services such as RDP or SMB of the victim client. The fact that the tunnel connection itself is not limited facilitates this attack.”

“As the network communication is redirected to the attacker, the original network and systems can be impersonated to intercept the victim’s user input, such as downloaded PLC programs or similar.”

The development comes as Microsoft uncovered several flaws in OpenVPN that can be combined to achieve remote code execution (RCE) and local privilege elevation (LPE).
