Affected devices: All
Affected firmware versions: All
An unauthenticated user could gain read-only access to some eWON device information.
On March 1st, 2016, a potential vulnerability (CVE-2016-0800) nicknamed DROWN was disclosed in OpenSSL regarding the support for SSLv2. This vulnerability mostly affects secure web sites (HTTPS).
Are the eWON products and the Talk2M platform affected by DROWN?
eWON SECURITY ENHANCEMENT Ref: #7529-01
eWON Reference: eWON Login Session Improvement
Affected devices: All eWON devices
Affected firmware versions: All firmware versions earlier than 10.1s0
The log off button displays a message recommending that the user close the browser to completely invalidate the session. The session does remain active until the browser is closed.
On Wed Oct 15, a potential vulnerability (CVE-2014-3566) nicknamed POODLE was disclosed in the SSLv3 protocol, a part of the SSL security protocol responsible for securing many types of Internet connections, including secure web sites (HTTPS).
Are the eWON products and the Talk2M platform affected by POODLE?
On Thu Sep 25, a major vulnerability (CVE-2014-7169) nicknamed ShellShock was disclosed in Bash, a standard module of Linux systems, affecting most Linux servers on the planet, such as web servers.
The Talk2M servers are not affected by this vulnerability, but since security is our primary concern, we patched all our servers only a few hours after the vulnerability was disclosed, that is, on Day 0, thereby ensuring that the Talk2M infrastructure remains safe.