In the world of cybersecurity, industrial VPN gateways such as the Cosy+ are essential for providing secure remote access to critical operational technology (OT) systems. However, recent findings have revealed that these devices are increasingly becoming prime targets for malicious actors, both because of the privileged access they provide within industrial settings and because of weaknesses in their design.
A group of researchers from German cybersecurity firm SySS GmbH delved into the security of the Ewon Cosy+, uncovering multiple vulnerabilities that could potentially grant attackers extensive control over the device and the connected industrial infrastructure. Their discoveries were presented at the DEF CON 32 conference, shedding light on the pressing need for enhanced security measures in industrial VPN gateways.
The researchers initially struggled to get past the device's encrypted firmware and hardware security measures. Their perseverance, however, led them to a critical OS command injection vulnerability in the handling of user-provided OpenVPN configurations. By manipulating the OpenVPN configuration, the researchers bypassed the device's filter mechanisms and executed arbitrary commands, ultimately gaining root-level access and establishing a persistent SSH service for remote access.
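The class of flaw described above, a gateway that accepts a user-supplied OpenVPN configuration and filters out "dangerous" directives, is best mitigated with an allowlist rather than a denylist, since any directive that can execute a program (`up`, `down`, `script-security`, `plugin`, and others) is rejected by default instead of having to be enumerated. The validator below is an added example written for this article; it is not SySS's tooling or HMS's actual filter, and the set of permitted directives is an assumption chosen for illustration.

```python
import re

# Directives a gateway might reasonably accept in an uploaded client config.
# This allowlist is an assumption for the example, not the Cosy+ vendor's list.
ALLOWED_DIRECTIVES = {
    "client", "dev", "proto", "remote", "resolv-retry", "nobind",
    "persist-key", "persist-tun", "remote-cert-tls", "cipher", "auth",
    "verb", "key-direction", "tls-client", "ca", "cert", "key",
    "tls-auth", "tls-crypt",
}
# Inline file blocks OpenVPN accepts as <tag> ... </tag>; their bodies are data.
INLINE_BLOCKS = {"ca", "cert", "key", "tls-auth", "tls-crypt", "dh"}


def validate_openvpn_config(text: str) -> list[str]:
    """Return rejection reasons; an empty list means the config is acceptable."""
    problems = []
    inline = None  # name of the inline block we are currently inside, if any
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue  # certificate/key material, not directives
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            if m.group(1) in INLINE_BLOCKS:
                inline = m.group(1)
            else:
                problems.append(f"line {lineno}: unknown inline block <{m.group(1)}>")
            continue
        # First token is the directive; tolerate a leading "--" and key=value forms.
        directive = re.split(r"[\s=]", line, maxsplit=1)[0].lstrip("-").lower()
        if directive not in ALLOWED_DIRECTIVES:
            problems.append(f"line {lineno}: directive '{directive}' not allowed")
    if inline:
        problems.append(f"unterminated inline block <{inline}>")
    return problems


# Constructed sample inputs: a benign client config and one that adds
# script-executing directives a remote-access gateway must never accept.
GOOD_CONFIG = """client
dev tun
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
placeholder-certificate-body
-----END CERTIFICATE-----
</ca>
"""
BAD_CONFIG = GOOD_CONFIG + "script-security 2\nup /tmp/hook.sh\n"
```

Because the check is an allowlist, spelling variants or any directive the validator has never heard of are rejected rather than silently passed through.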
Although the Cosy+ is marketed as incorporating a secure hardware security module (HSM) that safeguards sensitive data and cryptographic functions, the researchers found flaws in the communication between its main processor and the HSM. They decoded the encryption process, accessed sensitive data stored within the HSM, and uncovered weaknesses in the encryption of firmware updates and configuration files. By combining the OS command injection with Cross-Site Scripting (XSS) vulnerabilities, the researchers devised an exploit chain that could allow unauthorized individuals to compromise the device and potentially hijack remote access sessions, posing significant security risks to users and industrial operations.
Upon responsibly disclosing their findings to HMS Industrial Networks, the vendor of Ewon Cosy+, the researchers collaborated with the company to address the identified issues in subsequent firmware updates. However, the widespread adoption of Cosy+ in critical industrial environments highlights the ongoing challenge of ensuring robust security assessments and prioritizing the security of similar industrial VPN gateways.
As threats to industrial cybersecurity continue to evolve, it is imperative for organizations to implement comprehensive security measures, conduct regular assessments, and collaborate with vendors to address vulnerabilities and enhance the resilience of critical infrastructure against potential cyber attacks. The revelations regarding the vulnerabilities in the Cosy+ underscore the critical importance of securing industrial VPN gateways to safeguard OT systems and maintain operational continuity in industrial environments.

