Ewon Security Vulnerability
Ewon reference: System - Ewon configuration parameters encryption mechanism improvement
Affected devices: All
Affected firmware versions: All
Severity: Medium (CVSS 3 score of 6.8)
Encryption of device configuration parameters is weak due to an implementation issue in the encryption mechanism function.
Successful exploitation of this vulnerability may allow a remote attacker to gain access to the local system and perform potentially harmful actions, both on the device itself and on devices connected to the Ewon device.
As a rule, we recommend:
- avoid making Ewon devices directly reachable by non-trusted users, by using a firewall and an access control policy;
- use a secure remote access solution such as Talk2M (https://www.ewon.biz/cloud-services/talk2m);
- change the adm password at first login and use a strong one.
Install the latest firmware version:
- This has been fixed as from firmware version 13.3s0 for Flexy and Cosy 131 families.
- This has been fixed as from firmware version 11.3s0 for CD and Cosy 141 families.
Check the firmware section to learn how to update your Ewon devices.
Discovered by: Tijl Deneut - Howest (UGent) & Stu Kennedy - PentestPartners