Ewon Security Vulnerability

Ewon reference: System - Ewon configuration parameters encryption mechanism improvement

Affected devices: All

Affected firmware versions: All

Status:

  • Fixed on Flexy and Cosy 131 device families
  • Fix under development for the CD and Cosy 141 device families

Severity: Medium (CVSS 3 score of 6.8)

Description:

Encryption of the device configuration parameters is weak because of an implementation issue in the encryption function.

Impact:

Successful exploitation of this vulnerability may allow a remote attacker to gain access to the local system and perform potentially harmful actions, both on the Ewon device itself and on devices connected to it.

Mitigation Factors:

As a rule, we recommend:

  • avoiding making Ewon devices directly reachable by non-trusted users, by using a firewall and an access control policy.
  • using a secure remote access solution such as Talk2M (https://www.ewon.biz/cloud-services/talk2m).
  • changing the adm password at first login and using a strong one.

Solution:

Install the latest firmware version. This issue has been fixed as of firmware version 13.3s0 for the Flexy and Cosy 131 families.

Check the firmware section to learn how to update your Ewon devices.

Discovered by: Tijl Deneut - Howest (UGent) & Stu Kennedy - PentestPartners