CVE-2020-16230 in Flexy
Summary
by MITRE
All version of Ewon Flexy and Cosy prior to 14.1 use wildcards such as (*) under which domains can request resources. An attacker with local access and high privileges could inject scripts into the Cross-origin Resource Sharing (CORS) configuration that could abuse this vulnerability, allowing the attacker to retrieve limited confidential information through sniffing.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/19/2020
The vulnerability identified as CVE-2020-16230 affects Ewon Flexy and Cosy devices running versions prior to 14.1, representing a critical security flaw in cross-origin resource sharing configuration. This issue stems from the improper implementation of wildcard characters within domain validation mechanisms, creating an exploitable path for malicious actors to bypass security restrictions. The vulnerability specifically targets the CORS policy implementation where wildcards are used to define allowed origins, which fundamentally undermines the security boundaries designed to protect sensitive resources.
The technical flaw manifests through the use of wildcard characters such as asterisks (*) in the CORS configuration, allowing any domain to request resources from the affected device. This configuration creates an inherent trust model that is overly permissive, enabling attackers to inject malicious scripts into the CORS policy. The vulnerability requires local access and high privileges to exploit, making it particularly dangerous in environments where administrative access is compromised or where privilege escalation attacks are successful. The attack vector leverages the CORS mechanism itself as a delivery method for malicious code execution.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with the capability to retrieve limited confidential information through network sniffing techniques. This represents a significant risk to organizations relying on these industrial devices for critical infrastructure operations, as the compromised devices could serve as entry points for broader network infiltration. The ability to inject scripts into the CORS configuration creates a persistent threat vector that could be exploited to maintain access or escalate privileges within the affected network segments.
Security professionals should implement immediate mitigations including upgrading to Ewon Flexy and Cosy versions 14.1 or later, which address the wildcard configuration issue. Organizations must also review and tighten CORS policies to eliminate wildcard usage and implement strict origin validation mechanisms. The vulnerability aligns with CWE-346, which addresses "Origin Validation Error", and maps to ATT&CK technique T1071.004 for Application Layer Protocol: DNS, as attackers may use DNS-based reconnaissance to identify vulnerable targets. Additional protective measures include network segmentation, implementing strict access controls, and monitoring for anomalous CORS configuration changes. Regular security assessments should verify that CORS policies are properly configured without overly permissive wildcard entries to prevent similar vulnerabilities from being exploited in other systems.