

Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks
13.8.24 
ICS  The Hacker News

Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks.

The elevated access could then be weaponized to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even get correctly signed X.509 VPN certificates for foreign devices to take over their VPN sessions.

"This allows attackers hijacking VPN sessions which results in significant security risks against users of the Cosy+ and the adjacent industrial infrastructure," SySS GmbH security researcher Moritz Abrell said in a new analysis.

The findings were presented at the DEF CON 32 conference over the weekend. Following responsible disclosure, the issues have been addressed in firmware versions 21.2s10 and 22.1s3 as part of an advisory [PDF] issued by Ewon on July 29, 2024 -

CVE-2024-33892 (CVSS score: 7.4) - Information leakage through cookies
CVE-2024-33893 (CVSS score: 2.1) - XSS when displaying the logs due to improper input sanitization
CVE-2024-33894 (CVSS score: 1.0) - Execution of several processes with elevated privileges
CVE-2024-33895 (CVSS score: 4.4) - Usage of a unique key to encrypt the configuration parameters
CVE-2024-33896 (CVSS score: 3.3) - Code injection due to improper parameter blacklisting
CVE-2024-33897 (CVSS score: N/A) - A compromised device could be used to request a Certificate Signing Request (CSR) from Talk2m for another device, resulting in an availability issue

Ewon Cosy+'s architecture involves the use of a VPN connection that's routed to a vendor-managed platform called Talk2m via OpenVPN. Technicians can remotely connect to the industrial gateway by means of a VPN relay that occurs through OpenVPN.

The Germany-based pentest company said it was able to uncover an operating system command injection vulnerability and a filter bypass that made it possible to obtain a reverse shell by uploading a specially crafted OpenVPN configuration.

An attacker could have subsequently taken advantage of a persistent cross-site scripting (XSS) vulnerability and the fact that the device stores the Base64-encoded credentials of the current web session in an unprotected cookie named credentials to gain administrative access and ultimately root it.


"An unauthenticated attacker can gain root access to the Cosy+ by combining the found vulnerabilities and e.g., waiting for an admin user to log in to the device," Abrell said.

The attack chain could then be extended further to set up persistence, access firmware-specific encryption keys, and decrypt the firmware update file. What's more, a hard-coded key stored within the binary for password encryption could be leveraged to extract the secrets.


"The communication between the Cosy+ and the Talk2m API is done via HTTPS and secured via mutual TLS (mTLS) authentication," Abrell explained. "If a Cosy+ device is assigned to a Talk2m account, the device generates a certificate signing request (CSR) containing its serial number as common name (CN) and sends it to the Talk2m API."

This certificate, which can be accessed via the Talk2m API by the device, is used for OpenVPN authentication. However, SySS found that the sole reliance on the device serial number could be exploited by a threat actor to enroll their own CSR with the serial number of a target device and successfully initiate a VPN session.

"The original VPN session will be overwritten, and thus the original device is not accessible anymore," Abrell said. "If Talk2m users connect to the device using the VPN client software Ecatcher, they will be forwarded to the attacker."

"This allows attackers to conduct further attacks against the used client, for example accessing network services such as RDP or SMB of the victim client. The fact that the tunnel connection itself is not restricted favors this attack."

"Since the network communication is forwarded to the attacker, the original network and systems could be imitated in order to intercept the victim's user input such as the uploaded PLC programs or similar."

The development comes as Microsoft uncovered multiple flaws in OpenVPN that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE).

(The story was updated after publication to include additional details about the CVE identifiers and the availability of the patches.)


Critical Flaw in Rockwell Automation Devices Allows Unauthorized Access
5.8.24 
ICS  The Hacker News

A high-severity security bypass vulnerability has been disclosed in Rockwell Automation ControlLogix 1756 devices that could be exploited to execute common industrial protocol (CIP) programming and configuration commands.

The flaw, which is assigned the CVE identifier CVE-2024-6242, carries a CVSS v3.1 score of 8.4.

"A vulnerability exists in the affected products that allows a threat actor to bypass the Trusted Slot feature in a ControlLogix controller," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.

"If exploited on any affected module in a 1756 chassis, a threat actor could potentially execute CIP commands that modify user projects and/or device configuration on a Logix controller in the chassis."

Operational technology security company Claroty, which discovered and reported the vulnerability, said it developed a technique that made it possible to bypass the trusted slot feature and send malicious commands to the programmable logic controller (PLC) CPU.

The trusted slot feature "enforces security policies and allows the controller to deny communication via untrusted paths on the local chassis," security researcher Sharon Brizinov said.

"The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards."

While a successful exploit requires network access to the device, an attacker could take advantage of the flaw to send elevated commands, including downloading arbitrary logic to the PLC CPU, even if the attacker is located behind an untrusted network card.

Following responsible disclosure, the shortcoming has been addressed in the following versions -

ControlLogix 5580 (1756-L8z) - Update to versions V32.016, V33.015, V34.014, V35.011, and later.
GuardLogix 5580 (1756-L8zS) - Update to versions V32.016, V33.015, V34.014, V35.011 and later.
1756-EN4TR - Update to versions V5.001 and later.
1756-EN2T Series D, 1756-EN2F Series C, 1756-EN2TR Series C, 1756-EN3TR Series B, and 1756-EN2TP Series A - Update to version V12.001 and later.

"This vulnerability had the potential to expose critical control systems to unauthorized access over the CIP protocol that originated from untrusted chassis slots," Brizinov said.


CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software
26.7.24 
ICS  The Hacker News
The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could be exploited to trigger a denial-of-service (DoS) condition.

"A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory.

The four vulnerabilities are listed below -

CVE-2024-4076 (CVSS score: 7.5) - Due to a logic error, lookups that triggered serving stale data and required lookups in local authoritative zone data could have resulted in an assertion failure.
CVE-2024-1975 (CVSS score: 7.5) - Validating DNS messages signed using the SIG(0) protocol could cause excessive CPU load, leading to a denial-of-service condition.
CVE-2024-1737 (CVSS score: 7.5) - It is possible to craft excessively large numbers of resource record types for a given owner name, which has the effect of slowing down database processing.
CVE-2024-0760 (CVSS score: 7.5) - A malicious DNS client that sent many queries over TCP but never read the responses could cause a server to respond slowly or not at all for other clients.

Successful exploitation of the aforementioned bugs could cause a named instance to terminate unexpectedly, deplete available CPU resources, slow down query processing by a factor of 100, and render the server unresponsive.

The flaws have been addressed in BIND 9 versions 9.18.28, 9.20.0, and 9.18.28-S1 released earlier this month. There is no evidence that any of the shortcomings have been exploited in the wild.

The disclosure comes months after the ISC addressed another flaw in BIND 9 called KeyTrap (CVE-2023-50387, CVSS score: 7.5) that could be abused to exhaust CPU resources and stall DNS resolvers, resulting in a denial-of-service (DoS).


New ICS Malware 'FrostyGoop' Targeting Critical Infrastructure
24.7.24 
ICS  The Hacker News
Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January.

Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP communications to sabotage operational technology (OT) networks. It was discovered by the company in April 2024.

"FrostyGoop is an ICS-specific malware written in Golang that can interact directly with Industrial Control Systems (ICS) using Modbus TCP over port 502," researchers Kyle O'Meara, Magpie (Mark) Graham, and Carolyn Ahlers said in a technical report shared with The Hacker News.

It's believed that the malware, mainly designed to target Windows systems, has been used to target ENCO controllers with TCP port 502 exposed to the internet. It has not been tied to any previously identified threat actor or activity cluster.

FrostyGoop comes with capabilities to read and write to an ICS device holding registers containing inputs, outputs, and configuration data. It also accepts optional command line execution arguments, uses JSON-formatted configuration files to specify target IP addresses and Modbus commands, and logs output to a console and/or a JSON file.
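The capability described above (reading and writing holding registers over Modbus TCP on port 502) is what a defender has to spot on the wire. The following is an added example written for this page; it is not Dragos's tooling or FrostyGoop code. It parses Modbus/TCP request frames (the 7-byte MBAP header followed by the PDU, as specified by the Modbus Application Protocol) and raises an alert whenever a write function code (0x06 or 0x10) reaches port 502 from a host that is not on an allow list of expected writers, or when a frame is malformed. The IP addresses, the allow list, and the sample traffic are constructed for illustration; the logic generalizes to any Modbus/TCP capture fed in as (src, dst, port, payload) tuples.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Set, Tuple

MODBUS_TCP_PORT = 502

# Function codes for holding registers (Modbus Application Protocol specification)
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTION_CODES = {FC_WRITE_SINGLE_REGISTER, FC_WRITE_MULTIPLE_REGISTERS}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: int
    quantity: int
    values: List[int] = field(default_factory=list)

    @property
    def is_write(self) -> bool:
        return self.function_code in WRITE_FUNCTION_CODES


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: MBAP header (tid, pid, length, unit id) + PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The MBAP length field counts the unit id plus the whole PDU.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size")
    function_code = frame[7]
    pdu = frame[8:]
    if function_code == FC_READ_HOLDING_REGISTERS:
        address, quantity = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(transaction_id, unit_id, function_code, address, quantity)
    if function_code == FC_WRITE_SINGLE_REGISTER:
        address, value = struct.unpack(">HH", pdu[:4])
        return ModbusRequest(transaction_id, unit_id, function_code, address, 1, [value])
    if function_code == FC_WRITE_MULTIPLE_REGISTERS:
        address, quantity, byte_count = struct.unpack(">HHB", pdu[:5])
        if byte_count != 2 * quantity or len(pdu) < 5 + byte_count:
            raise ValueError("byte count does not match register quantity")
        values = list(struct.unpack(f">{quantity}H", pdu[5:5 + byte_count]))
        return ModbusRequest(transaction_id, unit_id, function_code, address, quantity, values)
    raise ValueError(f"unsupported function code 0x{function_code:02x}")


def build_request(transaction_id, unit_id, function_code, address, quantity=1, values=None):
    """Build a Modbus/TCP request frame; used here only to construct sample traffic."""
    if function_code == FC_WRITE_SINGLE_REGISTER:
        pdu = struct.pack(">BHH", function_code, address, values[0])
    elif function_code == FC_WRITE_MULTIPLE_REGISTERS:
        pdu = struct.pack(">BHHB", function_code, address, quantity, 2 * quantity)
        pdu += struct.pack(f">{quantity}H", *values)
    else:
        pdu = struct.pack(">BHH", function_code, address, quantity)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


Flow = Tuple[str, str, int, bytes]  # (src_ip, dst_ip, dst_port, payload)


def audit_flows(flows: List[Flow], allowed_writers: Set[str]) -> List[str]:
    """One alert per register write to port 502 from a host outside the allow list,
    plus one per malformed Modbus frame. Non-Modbus ports are ignored."""
    alerts = []
    for src, dst, port, payload in flows:
        if port != MODBUS_TCP_PORT:
            continue
        try:
            req = parse_request(payload)
        except (ValueError, struct.error) as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        if req.is_write and src not in allowed_writers:
            alerts.append(
                f"UNEXPECTED_WRITE {src}->{dst} unit={req.unit_id} "
                f"fc=0x{req.function_code:02x} addr={req.start_address} "
                f"count={req.quantity} values={req.values}")
    return alerts


# Constructed sample traffic (hypothetical addresses): an engineering workstation that is
# expected to write to the controller, and an unknown host that issues writes to it.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.0.5", "10.0.0.20", 502, build_request(1, 1, FC_READ_HOLDING_REGISTERS, 0, 10)),
    ("10.0.0.5", "10.0.0.20", 502, build_request(2, 1, FC_WRITE_SINGLE_REGISTER, 0x10, values=[100])),
    ("198.51.100.7", "10.0.0.20", 502, build_request(3, 1, FC_WRITE_MULTIPLE_REGISTERS, 0x20, 2, [1, 2])),
    ("198.51.100.7", "10.0.0.20", 502, b"\x00\x04\x00\x00\x00\x06\x01"),  # truncated frame
    ("198.51.100.7", "10.0.0.20", 80, b"GET / HTTP/1.0\r\n\r\n"),           # not Modbus
]

if __name__ == "__main__":
    for alert in audit_flows(SAMPLE_FLOWS, ALLOWED_WRITERS):
        print(alert)
```

Run against the constructed flows, the audit reports the write-multiple request from 198.51.100.7 and the truncated frame, and stays silent for the workstation's read and write. In a real deployment the allow list comes from the asset inventory, and a write to a register range the engineering team never touches is worth an alert even from an allowed host.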

The incident targeting the municipal district energy company is said to have resulted in a loss of heating services to more than 600 apartment buildings for almost 48 hours.

"The adversaries sent Modbus commands to ENCO controllers, causing inaccurate measurements and system malfunctions," the researchers said in a conference call, noting initial access was likely gained by exploiting a vulnerability in Mikrotik routers in April 2023.

"Remediation took almost two days."

While FrostyGoop extensively employs the Modbus protocol for client/server communications, it's far from the only one. In 2022, Dragos and Mandiant detailed another ICS malware named PIPEDREAM (aka INCONTROLLER) that leveraged various industrial network protocols such as OPC UA, Modbus, and CODESYS for interaction.

It's also the ninth ICS-focused malware after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY.

The malware's ability to read or modify data on ICS devices using Modbus has severe consequences for industrial operations and public safety, Dragos said, adding more than 46,000 internet-exposed ICS appliances communicate over the widely-used protocol.

"The specific targeting of ICS using Modbus TCP over port 502 and the potential to interact directly with various ICS devices pose a serious threat to critical infrastructure across multiple sectors," the researchers said.

"Organizations must prioritize the implementation of comprehensive cybersecurity frameworks to safeguard critical infrastructure from similar threats in the future."


Microsoft Uncovers Critical Flaws in Rockwell Automation PanelView Plus
5.7.24 
ICS  The Hacker News
Microsoft has revealed two security flaws in Rockwell Automation PanelView Plus that could be weaponized by remote, unauthenticated attackers to execute arbitrary code and trigger a denial-of-service (DoS) condition.

"The [remote code execution] vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device," security researcher Yuval Gordon said.

"The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS."

The list of shortcomings is as follows -

CVE-2023-2071 (CVSS score: 9.8) - An improper input validation vulnerability that allows unauthenticated attackers to achieve remote code execution via crafted malicious packets.
CVE-2023-29464 (CVSS score: 8.2) - An improper input validation vulnerability that allows an unauthenticated threat actor to read data from memory via crafted malicious packets and cause a DoS by sending a packet larger than the buffer size.

Successful exploitation of the twin flaws permits an adversary to execute code remotely or lead to information disclosure or a DoS condition.


While CVE-2023-2071 impacts FactoryTalk View Machine Edition (versions 13.0, 12.0, and prior), CVE-2023-29464 affects FactoryTalk Linx (versions 6.30, 6.20, and prior).

It's worth noting that advisories for the flaws were released by Rockwell Automation on September 12, 2023, and October 12, 2023, respectively. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its own alerts on September 21 and October 17.

The disclosure comes as unknown threat actors are believed to be exploiting a recently disclosed critical security flaw in HTTP File Server (CVE-2024-23692, CVSS score: 9.8) to deliver cryptocurrency miners and trojans such as Xeno RAT, Gh0st RAT, PlugX, and GoThief, the last of which uses Amazon Web Services (AWS) to steal information from the infected host.

The vulnerability, described as a case of template injection, allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request.