This article describes the encryption change introduced in firmwares 22.1s3 and 14.9s3 and its consequences.
It also provides recommendations if you use backup/config files to configure your devices.
APPLICABLE PRODUCTS
Cosy+, Flexy, Cosy131
ISSUE
As described in CVE-2024-33895, the firmware key used to encrypt configuration parameters on devices running a firmware older than 22.1s3 or 14.9s3 could be read.
This symmetric key is used to encrypt/decrypt the passwords stored in backup/config files (adm, Wi-Fi PSK, FTP server, ...).
It is common to every Ewon device (Cosy+/Flexy/Cosy131).
This issue is fixed in firmwares 22.1s3 and 14.9s3.
COUNTERMEASURES
Since firmwares 22.1s3 and 14.9s3, passwords are encrypted with a unique key per device (the encryption marker changes from #_5 to #_6).
On devices running an older firmware, passwords are re-encrypted on the fly during the upgrade.
Passwords are also re-encrypted when you restore a backup/config file coming from a device with an older firmware (old #_5 encryption).
CONSEQUENCES
- Passwords from a backup/config file generated by an Ewon running firmware 14.9s3/22.1s3 or later cannot be restored on another Ewon, because they are encrypted with that device's unique key.
- Passwords from a backup/config file generated by an Ewon with a new firmware (22.1s3 or 14.9s3 and later) cannot be restored on an Ewon running an old firmware: the old firmware treats the #_6 encrypted value as the clear-text password.
RECOMMENDATIONS
- Do not store your backup/config files or eCatcher Easy Setup files in an unsafe place.
- If you need to restore the same backup/config file on multiple Ewons, either:
  - remove the passwords from the backup/config file and set each password from the device's web interface, or
  - use a backup/config file generated with the old encryption (#_5) or with plain-text passwords.
  (To edit a .tar backup file, open it with 7-Zip and edit config.txt/comcfg.txt from there. After you save the txt files in your text editor, 7-Zip prompts you to update the tar archive.)
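The following script is an added example for the CONSEQUENCES and RECOMMENDATIONS above; it is not Ewon's own tooling. It assumes config.txt/comcfg.txt consist of "Key:Value" lines and that an encrypted password value begins with the "#_5" (shared key) or "#_6" (per-device key) marker; the key names in the sample are constructed. It reports which credentials in an extracted config file are bound to the source device and produces a copy with those lines removed, so the remaining file can be restored on other Ewons and the passwords set from the web interface.

```python
import re

# Assumptions (not stated in the article): "Key:Value" lines, and an
# encrypted password value starts with "#_5" (shared firmware key,
# pre-22.1s3/14.9s3) or "#_6" (unique per-device key, 22.1s3/14.9s3+).
LINE_RE = re.compile(r"^([^:#][^:]*):(.*)$")
MARKER_RE = re.compile(r"^#_(\d+)")


def classify_value(value: str) -> str:
    """Return 'device-bound' (#_6), 'shared-key' (#_5), 'plain' or 'unknown'."""
    m = MARKER_RE.match(value)
    if not m:
        return "plain"
    return {"5": "shared-key", "6": "device-bound"}.get(m.group(1), "unknown")


def audit_config(text: str) -> dict:
    """Map every key carrying an encryption marker to its classification."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        cls = classify_value(value)
        if cls != "plain":
            result[key] = cls
    return result


def make_portable(text: str) -> tuple:
    """Return (new_text, removed_keys). #_6 lines are dropped: they only
    decrypt on the device that produced them, and an older firmware would
    treat the ciphertext as the clear-text password."""
    kept, removed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and classify_value(m.group(2)) == "device-bound":
            removed.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample config.txt content; key names are hypothetical.
SAMPLE = "Identification:flexy-01\nAdmPass:#_6abc123\nFtpPass:#_5def456\nWifiPsk:plainpsk\n"

if __name__ == "__main__":
    print(audit_config(SAMPLE))
    portable, dropped = make_portable(SAMPLE)
    print("removed:", dropped)
    print(portable)
```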