-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-016 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE-79) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-03-27 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33893 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to improper neutralization of input, an unauthenticated attacker is able to inject HTML and JavaScript code into the administrative web interface of the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: If login against the FTP service of the Cosy+ fails, the submitted username is saved in a log. This log is included in the Cosy+ web interface without neutralizing the content. As a result, an unauthenticated attacker is able to inject HTML/JavaScript code via the username of an FTP login attempt. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Login attempt against Cosy+ FTP service: #> ftp "