
Ewon Security Vulnerability

Ewon reference: System - Ewon configuration parameters encryption mechanism improvement


Affected devices: All

Affected firmware versions: All

Status: Fixed

Severity: Medium (CVSS 3 score of 6.8)


Description:

Encryption of device configuration parameters is weak due to an implementation issue in the encryption mechanism function.


Impact:

Successful exploitation of this vulnerability may allow a remote attacker to gain access to the local system and perform potentially harmful actions on the device itself, as well as on devices connected to the Ewon device.


Mitigation Factors:

As a rule, we recommend:

  • avoid making Ewon devices directly reachable by non-trusted users, by using a firewall and an access control policy.
  • use a secure remote access solution such as Talk2M (https://www.ewon.biz/cloud-services/talk2m).
  • change the adm password at first login and use a strong one.


Solution:

Install the latest firmware version:

  • This has been fixed as of firmware version 13.3s0 for the Flexy and Cosy 131 families.
  • This has been fixed as of firmware version 11.3s0 for the CD and Cosy 141 families.

Check the firmware section to learn how to update your Ewons.


Discovered by: Tijl Deneut - Howest (UGent) & Stu Kennedy - PentestPartners