
List:       full-disclosure
Subject:    [FD] Senec Inverters Home V1, V2, V3 Home & Hybrid Publicly Accessible
From:       Phos4Me via Fulldisclosure <fulldisclosure () seclists ! org>
Date:       2023-11-10 7:11:03
Message-ID: 9FuFEIC9hb1TKREjijCM9DfAruRrR3HjH1_w00ZVqs50cT01AzmYnsFaN2AZCz9fL9Tanp75WpJLlbSu5H3dPL0lMZlwQG_bQGszwFF3XDM= () proton ! me



> > Advisory ID: Ph0s-2023-005
> > Product: EnBW - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBW
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-923: Improper Restriction of Communication
> > Channel to Intended Endpoints
> > 

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (7.4 High)
> > 

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:H/RL:T/RC:C
> > Overall CVSS Score: 7.2
> > 

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39171
> > Author of Advisory: Ph0s[4], R0ckE7
> > 

> > ********************************************************************************
> > 

> > Overview:
> > Foreword:
> > This vulnerability was reported to the EnBW-CERT. We would like to
> > thank EnBW-CERT for taking care of the vulns and patching the systems.
> > We decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when third parties exploit the mentioned vulns.
> > 

> > About Senec:
> > We are SENEC
> > 

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don't do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.
> > 

> > About SENEC Home:
> > 

> > SENEC.Home: The smart electricity storage device for your home
> > 

> > SENEC.Home is the heart of your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household's energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.
> > 

> > ********************************************************************************
> > 

> > Vulnerability Details:
> > 

> > The management interface of the SENEC.Inverter is publicly accessible via the
> > Internet. This circumstance is recommended by the manufacturer and customers are
> > advised to open the necessary ports to enable remote maintenance.
> > As a result, anyone who manages to detect and successfully exploit security
> > vulnerabilities in SENEC.Inverter, for instance the authors of this report, can
> > access and compromise all devices available on the internet without
> > restrictions. To achieve this, it is possible to use an IoT search engine such as
> > Shodan to automatically obtain an up-to-date list of IP addresses of all devices
> > in just a few seconds.
> > 

> > Besides Shodan, there are other IoT search engines such as Censys or ZoomEye to
> > complement the list even further.
> > Consequently, it is very easy for an attacker to develop an exploit script for
> > the automated compromise of all SENEC.Inverter devices, e.g. to simultaneously
> > shut down all appliances or to damage them through a targeted
> > overload. For this purpose, only the hard-coded credentials previously
> > identified in findings CVE-2023-39168 and CVE-2023-39169 need to be used in
> > conjunction with SENEC.Inverter's built-in API.
> > 

> > ********************************************************************************
> > 

> > Proof of Concept (PoC):
> > 

> > The attack consists of the following steps:
> > 

> > 1. Use the Shodan dork to obtain management interfaces.
> > (no longer valid, patched by manufacturer)
> > 

> > https://www.shodan.io/search?query=http.html%3A<title>SENEC<%2Ftitle%3E
> > 

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)
> > 

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 

> > Disclosure Timeline:
> > 

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability
> > 

> > ************************************************************************
> > 

> > Researcher:
> > Ph0s[4], R0ckE7
> > 

> > ************************************************************************
> > 

> > Disclaimer:
> > 

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.
> > 

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > 

> > Copyright:
> > 

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/