CVE-Information

CVE-2017-9851

[Suggested description]
An issue was discovered in SMA Solar Technology products. By sending
nonsense data or setting up a telnet session to the database port of
the Sunny Explorer, the application can be crashed.

[Additional Information]
One of the CVEs that could potentially be used in the Horus scenario.
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

[VulnerabilityType Other]
Denial of Service

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
Locally running Sunny Explorer program – all versions of this program

[Affected Component]
Database port of the Sunny Explorer program.

[Attack Type]
Local

[Impact Denial of Service]
true

[Attack Vectors]
To exploit the vulnerability an attacker must have local access to the
device running the Sunny Explorer program. An attacker simply sets up
a local telnet session to the database port to crash the program.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9852

[Suggested description]
An issue was discovered in SMA Solar Technology products.
Default passwords exist which are rarely changed. User passwords will
almost always be 0000. Installer passwords are expected to be default
or similar across installations installed by the same company. Hidden
user accounts have (at least in some cases, though more research is
required to test this for all hidden user accounts) a fixed password
for all SMA devices. This allows passwords to be easily guessed or
predicted, compromising the affected device and its functions.

Default passwords for user and installer are reused across inverters.
Installer passwords are sometimes changed, but are expected (based on
field tests) to be the same across installations installed by the same
installer company. This enables an attacker to simply guess passwords
that are used a lot, and it ensures that if one system is compromised,
multiple systems are compromised. Every Grid Guard code, however, can
be used on every SMA inverter. There are also hidden user accounts
whose password can never be changed by the user. An attacker with
access to such a password can use it on any SMA inverter with success.
Other vulnerabilities exist that allow an attacker to get the passwords
of these hidden user accounts. This ensures that if one system can be
compromised, all systems can be compromised.

[Additional Information]
One of the CVEs that could potentially be used in the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – all

[Affected Component]
All SMA solar inverters

[Attack Type]
Remote

[Impact Denial of Service]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Attack Vectors]
To exploit the vulnerability an attacker must have network access to
the SMA inverter. If the inverter is attached directly or via NAT to
the internet an attack over the internet can also occur. An attacker
simply needs to send a crafted packet on the correct port.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9853

[Suggested description]
An issue was discovered in SMA Solar Technology products.
All SMA inverters have a very weak password policy regarding the user
and installer password. Many characters cannot be used; no complexity
requirements or length requirements are set. Specifically, complex
passwords are even impossible due to a maximum of 12 characters and a
limited set of characters. Other “hidden” user accounts have a
password which is impossible to change for regular users.
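Added example, not part of the advisory and not SMA or ITsec code: a Python credential-hygiene audit for a fleet of inverters that flags the conditions CVE-2017-9852 and CVE-2017-9853 describe (the default user password 0000, and installer passwords reused across one installer company's sites) and bounds the entropy a 12-character limit allows. The site names, installer companies, passwords and audit key are constructed; the alphabet sizes passed to max_keyspace_bits are assumptions, since the advisory only says the character set is limited.

```python
"""Credential-hygiene audit for a fleet of inverters (added example).

Constructed for this advisory; not SMA or ITsec code. It compares keyed
fingerprints of passwords rather than plaintexts, so the audit record
never has to hold the passwords themselves.
"""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass
from math import log2

# Default user password named in the advisory text.
DEFAULT_USER_PASSWORD = "0000"


@dataclass(frozen=True)
class Inverter:
    site: str            # site identifier (constructed)
    installer: str       # company that installed the unit (constructed)
    user_fp: str         # keyed fingerprint of the user password
    installer_fp: str    # keyed fingerprint of the installer password


def fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed fingerprint: equal passwords give equal fingerprints, but the
    fingerprint cannot be turned back into the password without the key."""
    return hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def build_record(site, installer, user_pw, installer_pw, audit_key):
    """Fingerprint both passwords at intake so the plaintext is discarded immediately."""
    return Inverter(site, installer,
                    fingerprint(user_pw, audit_key),
                    fingerprint(installer_pw, audit_key))


def max_keyspace_bits(max_len: int, alphabet_size: int) -> float:
    """Upper bound on password entropy when the device caps the length at
    max_len characters drawn from alphabet_size distinct symbols."""
    return max_len * log2(alphabet_size)


def audit(fleet, audit_key):
    """Return sorted (site, finding) pairs for default and reused passwords."""
    default_fp = fingerprint(DEFAULT_USER_PASSWORD, audit_key)
    findings = []
    for inv in fleet:
        if inv.user_fp == default_fp:
            findings.append((inv.site, "default user password in use"))
        if inv.installer_fp == default_fp:
            findings.append((inv.site, "installer password equals default user password"))
    # Installer passwords that recur across sites of the same installer company.
    shared = defaultdict(list)
    for inv in fleet:
        shared[(inv.installer, inv.installer_fp)].append(inv.site)
    for (company, _fp), sites in shared.items():
        if len(sites) > 1:
            for site in sites:
                findings.append((site, f"installer password reused across {len(sites)} {company} sites"))
    return sorted(findings)


# Constructed sample fleet; the passwords and company names are made up.
SAMPLE_KEY = b"audit-key-constructed-for-this-example"
SAMPLE_FLEET = [
    build_record("site-A", "SolarCo", "0000", "inst-shared", SAMPLE_KEY),
    build_record("site-B", "SolarCo", "7731", "inst-shared", SAMPLE_KEY),
    build_record("site-C", "SolarCo", "0000", "inst-unique", SAMPLE_KEY),
    build_record("site-D", "SunFit", "4410", "inst-shared", SAMPLE_KEY),
]

if __name__ == "__main__":
    for site, finding in audit(SAMPLE_FLEET, SAMPLE_KEY):
        print(f"{site}: {finding}")
    # Assumed alphabet sizes: the advisory only says the set is limited.
    for size in (10, 36, 62):
        print(f"12 chars over {size} symbols: at most {max_keyspace_bits(12, size):.1f} bits")
```

The audit stores keyed fingerprints rather than passwords, so the inventory does not become a second copy of every installer password; reuse is still detectable because equal passwords give equal fingerprints under the same key, and discarding the per-audit key retires the whole data set at once. The keyspace bound makes the policy point concrete: with a 12-character cap, even a 62-symbol alphabet tops out around 71 bits, and a 10-digit alphabet at under 40.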

[Additional Information]
One of the CVEs that could potentially be used in the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters (at least up to 2017) – all

[Affected Component]
All SMA solar inverters

[Attack Type]
Context-dependent

[Attack Type Other]
Policy failure

[CVE Impact Other]
Very weak passwords can be set. An attacker can easily attack or crack these passwords, compromising the inverter.

[Attack Vectors]
To exploit the vulnerability an attacker must have network access to
the SMA inverter. If the inverter is attached directly or via NAT to
the internet an attack over the internet can also occur. An attacker
simply needs to send a crafted packet on the correct port.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9854

[Suggested description]
An issue was discovered in SMA Solar Technology products.
By sniffing for specific packets on the localhost, plaintext passwords
can be obtained as they are typed into the Sunny Explorer by the user.
These passwords can then be used to compromise the overall device.

[Additional Information]
One of the CVEs that could potentially be used in the Horus scenario.
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All devices running the Sunny Explorer application – all versions

[Affected Component]
Sunny Explorer authentication process

[Attack Type]
Local

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Attack Vectors]
By sniffing for specific packets on the local loopback interface an attacker may find sensitive information.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9855

[Suggested description]
An issue was discovered in SMA Solar Technology products.
A secondary authentication is available for installers called the Grid
Guard system. This system uses predictable codes, and a single Grid
Guard code can be used on any SMA inverter. Any such code, when
combined with the installer account, allows changing very sensitive
parameters.

[Additional Information]
One of the CVEs that could potentially be used in the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – All

[Affected Component]
All SMA inverters

[Attack Type]
Remote

[Impact Denial of Service]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Attack Vectors]
To exploit the vulnerability an attacker must have network access to
the SMA inverter. If the inverter is attached directly or via NAT to
the internet an attack over the internet can also occur. An attacker
simply needs to send a crafted packet on the correct port.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9856

[Suggested description]
An issue was discovered in SMA Solar Technology products.
Sniffed passwords from SMAdata2+ communication can be decrypted very
easily. The passwords are encrypted using a very simple encryption
algorithm. This enables an attacker to find the plaintext passwords and
authenticate to the device.

[Additional Information]
One of the CVEs that could potentially be used in the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

[VulnerabilityType Other]
Weak encryption used on passwords

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – all

[Affected Component]
Encrypted passwords transferred over SMAdata2+ on all SMA inverters.

[Attack Type]
Remote

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[Attack Vectors]
The passwords sniffed from SMAdata2+ communication are
encrypted/obfuscated. These passwords can however be decrypted very
easily, as a very simple and reversible encryption algorithm is used.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9857

[Suggested description]
An issue was discovered in SMA Solar Technology products.
The SMAdata2+ communication protocol is vulnerable to man in the
middle, packet injection, and replay attacks. Any setting change,
authentication packet, scouting packet etc. can be replayed, injected,
or used for a man in the middle session. All functionalities available
in Sunny Explorer can effectively be done from anywhere within the
network as long as an attacker gets the packet setup correctly. This
includes the authentication process for all (including hidden) access
levels and the changing of settings in accordance with the gained
access rights.

The SMAdata2+ communication channel is unencrypted. An attacker
capable of understanding the protocol can eavesdrop on these
communications. Sensitive data should not be transmitted using this
protocol. Any sensitive data transmitted over this channel can be
retrieved by a malicious hacker by packet sniffing. For example,
passwords can be extracted from the network communications this way.
These passwords can then be used to compromise the overall device.

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

[VulnerabilityType Other]
Several network communication flaws

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – all

[Affected Component]
SMAdata2+ network communications.

[Attack Type]
Remote

[Impact Denial of Service]
true

[Impact Escalation of Privileges]
true

[Impact Information Disclosure]
true

[CVE Impact Other]
Code execution with regard to normal device functionality: you cannot, for example, open a shell, but you can make normal system calls.

[Attack Vectors]
Any attacker with access to the local network can send packets, or
intercept and alter packets going to the device. It is for example
possible to perform replay attacks, packet injection attacks, or man
in the middle attacks.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9858

[Suggested description]
An issue was discovered in SMA Solar Technology products.
By sending crafted packets to the SMA inverter and observing
the response, active and inactive user accounts can be determined.
Based on the responses, several hidden accounts exist. This aids in
further attacks (such as a brute force attack) as one now knows
exactly which users exist and which do not.
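Added example, not from the advisory and not SMA or ITsec code: the mitigation for this class of issue in Python, with a login responder that leaks account existence beside one that returns the same response, and does the same hashing work, for unknown users and wrong passwords, followed by a small detector that flags sources trying many distinct usernames. The account names, addresses and login records are constructed; the PBKDF2 parameters are chosen for the example.

```python
"""Authentication responder that does not reveal whether an account exists,
plus a simple enumeration detector (added example, not SMA or ITsec code)."""
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 50_000  # PBKDF2 work factor; chosen for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class AccountStore:
    """Holds salted password hashes and a decoy record for unknown users."""

    def __init__(self):
        self._accounts = {}
        # Decoy credential: lets the unknown-user path do the same work as a real lookup.
        self._decoy_salt = secrets.token_bytes(16)
        self._decoy_hash = _hash(secrets.token_hex(16), self._decoy_salt)

    def add(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[user] = (salt, _hash(password, salt))

    def lookup(self, user: str):
        return self._accounts.get(user)

    def decoy(self):
        return self._decoy_salt, self._decoy_hash


def login_leaky(store: AccountStore, user: str, password: str) -> str:
    """Answers differently for unknown users and wrong passwords, so each
    response tells the caller whether the account exists."""
    rec = store.lookup(user)
    if rec is None:
        return "no such user"
    salt, stored = rec
    if hmac.compare_digest(stored, _hash(password, salt)):
        return "ok"
    return "wrong password"


def login_uniform(store: AccountStore, user: str, password: str) -> str:
    """Same failure message, and same hashing work, whether or not the user exists."""
    rec = store.lookup(user)
    known = rec is not None
    salt, stored = rec if known else store.decoy()
    matches = hmac.compare_digest(stored, _hash(password, salt))
    if known and matches:
        return "ok"
    return "authentication failed"


def flag_enumeration(attempts, distinct_user_threshold: int = 5):
    """Detection side: sources whose failed logins span many different usernames.
    `attempts` is an iterable of (source, user, outcome) tuples."""
    users_by_source = defaultdict(set)
    for source, user, outcome in attempts:
        if outcome != "ok":
            users_by_source[source].add(user)
    return sorted(src for src, users in users_by_source.items()
                  if len(users) >= distinct_user_threshold)


# Constructed sample login attempts: one source walks through many account names,
# another is a legitimate user who mistyped once.
SAMPLE_ATTEMPTS = [("10.0.0.5", f"user{i}", "authentication failed") for i in range(8)] + [
    ("10.0.0.9", "installer", "authentication failed"),
    ("10.0.0.9", "installer", "ok"),
]

if __name__ == "__main__":
    store = AccountStore()
    store.add("installer", "correct horse")
    print(login_leaky(store, "ghost", "x"), "/", login_leaky(store, "installer", "x"))
    print(login_uniform(store, "ghost", "x"), "/", login_uniform(store, "installer", "x"))
    print("enumeration suspects:", flag_enumeration(SAMPLE_ATTEMPTS))
```

The decoy record matters as much as the uniform message: without it the unknown-user path returns before any hashing, and the response time itself tells the caller which accounts exist. The detector is deliberately simple; it keys on the number of distinct usernames per source rather than raw failure counts, which is what separates enumeration from an ordinary forgotten password.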

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

[VulnerabilityType Other]
User enumeration possible

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters (at least up to 2017) – all

[Affected Component]
All SMA inverters

[Attack Type]
Remote

[Impact Information Disclosure]
true

[CVE Impact Other]
This way it is possible to discover hidden accounts that you would otherwise be unable to use.

[Attack Vectors]
An attacker will need to be able to send a packet to the SMA inverter.
If the SMA inverter is connected to the internet by NAT or directly,
this can also be done from the internet. By sending crafted packets and
observing the response it is possible to discover user accounts.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9859

[Suggested description]
An issue was discovered in SMA Solar Technology products.
The inverters make use of a weak hashing algorithm to encrypt the
password for REGISTER requests. This hashing algorithm can be cracked
relatively easily. An attacker will likely be able to crack the
password using offline crackers. This cracked password can then be
used to register at the SMA servers.

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

[VulnerabilityType Other]
Weak hashing algorithm used for SIP register password

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – All

[Affected Component]
SMA webconnect REGISTER functionality.

[Attack Type]
Remote

[Impact Information Disclosure]
true

[CVE Impact Other]
The plaintext REGISTER password can be recovered and used to register with the SMA server. Other tests were considered out of scope during testing.

[Attack Vectors]
Sniff the REGISTER request (or several of them) and observe that it is
hashed using a weak hashing algorithm. Use a tool of choice to crack
the weakly hashed password offline.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9860

[Suggested description]
An issue was discovered in SMA Solar Technology products.
An attacker can use Sunny Explorer or the SMAdata2+ network protocol
to update the device firmware without ever having to authenticate. If
an attacker is able to create a custom firmware version which is
accepted by the inverter, the inverter is compromised completely. This
allows the attacker to do nearly anything: for example, giving access
to the local OS, creating a botnet, using the SMA inverters as a
stepping stone into companies etc. The device can be completely
compromised this way.

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – all

[Affected Component]
All Sunny Explorer inverters

[Attack Type]
Remote

[CVE Impact Other]
Flashing firmware without authentication

[Attack Vectors]
An attacker may use the Sunny Explorer GUI or the SMAdata2+ network
protocol to update the device firmware without ever having to
authenticate. If an attacker is able to create a custom firmware
version which is accepted by the inverter, the inverter is compromised
completely.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9861

[Suggested description]
An issue was discovered in SMA Solar Technology products.
The used SIP implementation is vulnerable to replay attacks, packet
injection attacks and man in the middle attacks. An attacker is able
to successfully use SIP to communicate with the device from anywhere
within the LAN. An attacker may use this to crash the device, stop it
from communicating with the SMA servers, exploit known SIP
vulnerabilities, or find sensitive information from the SIP
communications.

The SIP communication channel is unencrypted. An attacker capable of
understanding the protocol can eavesdrop on these communications.
Sensitive data should not be transmitted using this protocol. All
communications should be considered readable for attackers. Sensitive
data transmitted over this channel can be retrieved by a malicious
hacker. For example, passwords can be extracted from the network
communications this way.
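Added example for the replay, injection and man-in-the-middle issues in CVE-2017-9857 (SMAdata2+) and this CVE (SIP); it is not SMA or ITsec code and does not describe either protocol's wire format. It shows a generic authenticated, replay-resistant framing in Python: each frame carries a sequence counter and an HMAC-SHA256 tag over counter and payload, the receiver verifies the tag before looking at the counter, and a counter that does not advance is rejected. The shared key and the payloads are constructed.

```python
"""Authenticated, replay-resistant framing for a control channel
(added example, not SMA or ITsec code; a generic construction, not the
SMAdata2+ or SIP wire format)."""
import hashlib
import hmac
import struct

SEQ_LEN = 8   # 64-bit big-endian sequence counter
TAG_LEN = 32  # HMAC-SHA256 tag


class Sender:
    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0

    def frame(self, payload: bytes) -> bytes:
        """seq || payload || HMAC(key, seq || payload). The counter is
        authenticated together with the payload, so it cannot be re-stamped."""
        self._seq += 1
        header = struct.pack(">Q", self._seq)
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = 0

    def accept(self, frame: bytes):
        """Return (payload, "ok") or (None, reason). The tag is checked before
        the counter, so a forged or altered frame never advances state."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"        # injected, altered, or wrong-key frame
        (seq,) = struct.unpack(">Q", header)
        if seq <= self._last_seq:
            return None, "replay"         # seen before, or older than the last accepted
        self._last_seq = seq
        return payload, "ok"


def demo():
    """Run the cases the advisories describe: genuine, replayed, altered, injected."""
    key = b"constructed-shared-key-for-this-example"
    sender, receiver = Sender(key), Receiver(key)
    results = {}
    good = sender.frame(b"SET plant_time=2017-07-01T12:00:00Z")   # constructed payload
    results["genuine"] = receiver.accept(good)[1]
    results["replay"] = receiver.accept(good)[1]
    altered = bytearray(good)
    altered[SEQ_LEN] ^= 0x01                      # flip one bit of the payload
    results["altered"] = receiver.accept(bytes(altered))[1]
    # A third party without the key cannot produce a valid tag.
    results["injected"] = receiver.accept(Sender(b"attacker-guess").frame(b"SET x=1"))[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s}: {outcome}")
```

A MAC alone gives integrity and replay protection, not confidentiality: passwords carried in the payload would still be readable on the wire, so a real deployment needs an encrypted transport such as TLS or DTLS with this kind of sequencing on top. The strictly increasing counter also drops legitimately reordered datagrams; over UDP a sliding replay window would replace the single last_seq.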

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:H

[VulnerabilityType Other]
Several flaws in network communications

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – all

[Affected Component]
SIP communications of all SMA inverters. (webconnect functionality)

[Attack Type]
Remote

[Impact Denial of Service]
true

[Impact Information Disclosure]
true

[CVE Impact Other]
Known SIP vulnerabilities can be attempted.

[Attack Vectors]
The SIP communications of these devices are vulnerable to replay
attacks, packet injection attacks and man in the middle attacks. An
attacker simply needs to send correct packets to the device. If the
device is directly attached to the internet or uses NAT this is
possible over the internet.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9862

[Suggested description]
An issue was discovered in SMA Solar Technology products.
When signed in to the Sunny Explorer with a wrong password, it is
possible to create a debug report, disclosing information regarding
the application and allowing the attacker to create and save a .txt
file with contents to his liking. An attacker may use this for
information disclosure, or to write a file to normally unavailable
locations on the local system where the Sunny Explorer is allowed.

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
Sunny Explorer application – all

[Affected Component]
Sunny Explorer application

[Attack Type]
Local

[Impact Information Disclosure]
true

[CVE Impact Other]
Writing a .txt file somewhere on the local system with rights of the application.

[Attack Vectors]
Local access is required to exploit this vulnerability as you will use the GUI of Sunny Explorer, and the debug report is created on the local system.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9863

[Suggested description]
An issue was discovered in SMA Solar Technology products.
If a user simultaneously has Sunny Explorer running and visits a
malicious host, cross-site request forgery can be used to change
settings in the inverters. For example, issuing a post request to
change the user password, etc. All Sunny Explorer settings available to
the authenticated user are also available to the attacker. (In some
cases, this also includes changing settings that the user has no
access to.) This may result in complete compromise of the device.
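Added example, not the Sunny Explorer interface and not SMA or ITsec code: a Python sketch of the state-changing handler the advisory describes (a POST that changes the user password) in its forgeable form beside a hardened form that checks the request origin, a per-session synchroniser token and the current password. The request dictionaries, the 127.0.0.1:8080 origin and the field names are assumptions; a real store would hold a salted hash rather than the password itself.

```python
"""Vulnerable and hardened handlers for a password-change request
(added example, not SMA or ITsec code; the request shape and the local
origin are assumptions, not the Sunny Explorer interface)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin the application's own pages are served from.
ALLOWED_ORIGIN = "http://127.0.0.1:8080"


class Session:
    """Server-side session: who is logged in, their password (plaintext only to
    keep the example short), and a CSRF token that the application embeds in
    its own forms and that a page on another host cannot read."""

    def __init__(self, user: str, password: str):
        self.user = user
        self.password = password
        self.csrf_token = secrets.token_urlsafe(32)


def change_password_vulnerable(session: Session, request: dict):
    """Accepts any POST that arrives with the session cookie, including one
    submitted by a page on a malicious host while the application is open."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    session.password = request["form"]["new_password"]
    return 200, "password changed"


def _origin_of(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def change_password_hardened(session: Session, request: dict):
    """Three independent checks: same-origin source, per-session CSRF token,
    and proof of the current password."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    headers = request.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer")
    if not source or _origin_of(source) != ALLOWED_ORIGIN:
        return 403, "cross-origin request rejected"   # fails closed when both headers are absent
    form = request.get("form", {})
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return 403, "missing or invalid CSRF token"
    current = form.get("current_password", "")
    if not hmac.compare_digest(current.encode("utf-8"), session.password.encode("utf-8")):
        return 403, "current password incorrect"
    session.password = form["new_password"]
    session.csrf_token = secrets.token_urlsafe(32)     # rotate after a sensitive change
    return 200, "password changed"


# Constructed requests: one forged by a page on another host, one from the
# application's own form. The browser attaches the session cookie to both.
def forged_request():
    return {"method": "POST",
            "headers": {"Origin": "http://malicious.example"},
            "form": {"new_password": "attacker-chosen"}}


def legitimate_request(session: Session):
    return {"method": "POST",
            "headers": {"Origin": ALLOWED_ORIGIN},
            "form": {"csrf_token": session.csrf_token,
                     "current_password": session.password,
                     "new_password": "user-chosen"}}


if __name__ == "__main__":
    s = Session("user", "initial")
    print("vulnerable, forged:", change_password_vulnerable(s, forged_request()), "->", s.password)
    s = Session("user", "initial")
    print("hardened, forged:  ", change_password_hardened(s, forged_request()), "->", s.password)
    print("hardened, genuine: ", change_password_hardened(s, legitimate_request(s)), "->", s.password)
```

The token works because a page on the malicious host can make the browser send the session cookie but cannot read the token out of the application's own form, so it cannot include it. The origin check and the current-password requirement are independent of the token: each one alone would already stop the forged request above, and together they cover the case where one of them is misconfigured.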

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

[Vulnerability Type]
Cross Site Request Forgery (CSRF)

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
Sunny Explorer – all
SMA inverter that is in contact with the Sunny Explorer application – all

[Affected Component]
The Sunny Explorer interface contains the vulnerability; the inverters this application is in contact with are affected when it is exploited.

[Attack Type]
Remote

[Impact Denial of Service]
true

[Impact Escalation of Privileges]
true

[CVE Impact Other]
Code execution in the sense that you can call normal system functions but not, for example, start shells.

[Attack Vectors]
If a user simultaneously has Sunny Explorer running and visits a
malicious host cross-site request forgery can be used to change
settings in the inverters. For example, issuing a post request to
change the user password etc.

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services

CVE-2017-9864

[Suggested description]
An issue was discovered in SMA Solar Technology products.
An attacker can change the plant time even when he is not
authenticated in any way. This changes the system time, possibly
affecting lockout policies and random generators based on time stamps,
and makes timestamps for data analysis unreliable.

[Additional Information]
This CVE can be used as part of the Horus scenario.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

[Vulnerability Type]
Incorrect Access Control

[Vendor of Product]
SMA Solar Technology

[Affected Product Code Base]
All SMA inverters – All

[Affected Component]
Sunny Explorer application

[Attack Type]
Remote

[CVE Impact Other]
Change System time without authentication (makes data coming in from the device to registration programs unreliable)

[Attack Vectors]
To exploit the vulnerability simply start the Sunny Explorer and
attempt to authenticate with a false password. The application will
still start but state that you have no access rights to the devices.
You can however select the change plant time functionality. This
changes the system time of the inverters, possibly affecting lockout
policies and random generators based on time stamps, and makes
timestamps for data analysis unreliable. (For example, the graphs
generated from PV power submitted per hour can be manipulated this
way.)

[Reference]
www.horusscenario.com
www.sma.de
https://itsec.nl

[Has vendor confirmed or acknowledged the vulnerability?]
true

[Discoverer]
Willem Westerhof (linkedin.com/in/willem-westerhof-82252480) during his Internship @ ITsec Security Services