Senec Inverters Home V1, V2, V3 Home & Hybrid Cleartext Transmission of Authentication Credentials - CVE-2023-39172

[Phos4Me via Fulldisclosure <fulldisclosure () seclists org>]

> > Advisory ID: Ph0s-2023-004
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-319: Cleartext Transmission of Sensitive Information

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (8.1 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L/E:F/RL:U/RC:C
> > Overall CVSS Score: 7.4

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39172
> > Author of Advisory: Ph0s[4], R0ckE7

> > ********************************************************************************

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > ********************************************************************************

> > Vulnerability Details:

> > The management interface of the SENEC.Inverter transmits security-critical data
> > (authentication credentials) in cleartext in a communication channel that can be
> > sniffed by unauthorized actors. For example, in networking, packets can traverse
> > many intermediary nodes from the source to the destination, whether across the
> > internet or an internal network. Some actors might have privileged access to a
> > network interface or any link along the channel, such as a router. As a result,
> > network traffic could be sniffed by adversaries, spilling security-critical data.
> > Incidentally, this refers not only to remote maintenance of the photovoltaic
> > system, but also to on-site configuration by a technician at the customer’s
> > premises. Due to the lack of transport encryption, a technically skilled
> > customer is therefore also able to gather authentication credentials by
> > intercepting network traffic, e.g. at the central network gateway.

> > ********************************************************************************

> > Proof of Concept (PoC):

> > n/a, simply sniff the network

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > ************************************************************************

> > Researcher:
> > Ph0s[4], R0ckE7

> > ************************************************************************

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc
Description:

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/