SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >
===
title: Multiple vulnerabilities
product: Fronius Solar Inverter Series
vulnerable version: SW Version <3.14.1 (HM 1.12.1)
fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution
section below
CVE number: CVE-2019-19228, CVE-2019-19229
impact: High
homepage: https://www.fronius.com
found: 2018-10-31
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
===
Vendor description:
---
"A passion for new technologies, intensive research and revolutionary solutions
have been shaping the Fronius brand since 1945. As the technology leader, we
find, develop and implement innovative methods to monitor and control energy
for welding technology, photovoltaics and battery charging. We forge new paths,
try something difficult and succeed where others have failed in achieving what
seems to be impossible. [...]"
Source: http://www.fronius.com/en/about-fronius/company-values
Business recommendation:
---
The vendor automatically performed a fleet update of the solar inverters in the
field in order to patch them. Nevertheless, as not all devices could be reached
through such an update, all remaining users are advised to install the patches
provided by the vendor immediately.
Vulnerability overview/description:
---
1) Unencrypted Communication
The whole communication is handled over HTTP. There is no possibility to
activate an HTTPS web service. This vulnerability cannot be fixed by the vendor
in the current solar inverter generation, see the workaround section below.
2) Authenticated Path Traversal (CVE-2019-19229)
A path traversal attack is possible for authenticated users. It allows reading
arbitrary files from the operating system of the device, such as network
configurations, details of connections to other hosts and potentially other
sensitive information.
This vulnerability has been fixed in March 2019 in version 3.12.5 (HM 1.10.5).
The web server runs with "nobody" privileges, but nearly all files on the
file system are world-readable and can therefore be extracted. This can be seen
as another vulnerability, but according to the vendor it cannot be fixed in the
current solar inverter generation.
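The following is an added example and not code from the advisory or from Fronius. It models the bug class behind CVE-2019-19229: a naive download resolver that joins and normalises the user-supplied name beside a hardened one that refuses anything ending up outside the web root, both fed the request shape from the proof of concept. The web root /srv/www, the constructed fake filesystem and all function names are assumptions; the real service.fcgi handler and the inverter's directory layout are not known from the advisory.

```python
"""Added example, not code from the advisory or from Fronius: the path-traversal
bug class behind CVE-2019-19229, modelled as a naive download resolver beside a
hardened one. WEB_ROOT, the fake filesystem and all function names are
assumptions; the real service.fcgi handler is not known from the advisory."""
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Assumed document root the "download" action is meant to serve from.
WEB_ROOT = "/srv/www"


def build_fake_device_fs():
    """Constructed stand-in for the device filesystem, rooted in a temp dir.
    Only two files exist: one inside WEB_ROOT and one outside it."""
    root = tempfile.mkdtemp(prefix="inverter-")
    os.makedirs(os.path.join(root, "srv", "www"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "srv", "www", "report.csv"), "w") as f:
        f.write("timestamp,power_w\n2019-12-03T12:00:00Z,4210\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as f:
        f.write("root:$1$constructed$notarealhash:17800:0:99999:7:::\n")
    return root


def extract_download_target(request_target):
    """Pull the file name out of the request shape used in the proof of concept:
    /admincgi-bin/service.fcgi?action=download=<path>. Percent-encoding is
    decoded exactly once, as a CGI runtime would do."""
    query = request_target.partition("?")[2]
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "action" and value.startswith("download="):
            return unquote(value[len("download="):])
    return None


def resolve_vulnerable(user_path):
    """What a naive handler does: join and normalise. '..' walks out of
    WEB_ROOT, and any '..' left over at '/' are silently discarded, so the five
    '../' in the advisory work for any web root up to five levels deep."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def resolve_hardened(user_path):
    """Same normalisation, but refuse anything that does not end up under
    WEB_ROOT. This also stops an absolute user path, which posixpath.join
    would otherwise accept verbatim. On a real filesystem apply the same test
    to the realpath() so symlinks cannot point back outside the root."""
    if "\0" in user_path:  # a NUL byte would truncate the name in a C open()
        raise PermissionError("NUL byte in path")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        raise PermissionError(f"{candidate!r} is outside {WEB_ROOT}")
    return candidate


def handle_download(root, request_target, resolver):
    """Emulate the endpoint: map the resolved device path onto the fake root and
    return (HTTP status, body)."""
    target = extract_download_target(request_target)
    if target is None:
        return 400, b""
    try:
        device_path = resolver(target)
    except PermissionError:
        return 403, b""
    host_path = os.path.join(root, *device_path.strip("/").split("/"))
    try:
        with open(host_path, "rb") as f:
            return 200, f.read()
    except (FileNotFoundError, IsADirectoryError, PermissionError):
        return 404, b""


if __name__ == "__main__":
    root = build_fake_device_fs()
    poc = "/admincgi-bin/service.fcgi?action=download=../../../../../etc/shadow"
    for name, resolver in (("vulnerable", resolve_vulnerable),
                           ("hardened", resolve_hardened)):
        status, body = handle_download(root, poc, resolver)
        print(f"{name:10s} -> {status} {body[:32]!r}")
```

The check in resolve_hardened is done on the normalised path rather than by stripping "../" from the input, because normalisation is what the operating system will apply anyway; percent-encoded dots and slashes, and an absolute path handed to the join, both fall out of it with no special casing.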
3) Backdoor Account (CVE-2019-19228)
The web interface has a backdoor user account with the username "today".
This user account has all permissions of all other users ("service",
"admin" and "user") together.
As its name suggests, the password for the user "today" changes every day
and appears to differ between devices running the same firmware. This
suggests that one or more device-specific strings (e.g. the public device ID)
are mixed in every day to derive a new password.
This account is being used by Fronius support in order to access the
device upon request from the user.
The fix for this issue has been split into two parts. The "password reset"
part has been fixed in version 3.14.1 (HM 1.12.1); the second part, providing
the support account, needs an architectural rework which will be fixed in a
future version (planned for 3.15.1 (HM 1.15.1)).
The passwords for all users of the web interface are stored in plain-text.
This can be seen as another vulnerability and it has been fixed in
version 3.14.1 (HM 1.12.1).
4) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during
a quick examination. Not all of the outdated components can be fixed by the
vendor in the current solar inverter generation, see the workaround section
below.
Proof of concept:
---
1) Unencrypted Communication
By using an intercepting proxy this vulnerability can be verified easily: all
requests, including those of the web interface login, are visible in clear
text.
2) Authenticated Path Traversal (CVE-2019-19229)
By sending the following request to the endpoint below, the path traversal
vulnerability can be triggered:
http:///admincgi-bin/service.fcgi
Request to read the "/etc/shadow" password file:
┌──
|GET /admincgi-bin/service.fcgi?action=download=../../../../../etc/shadow
└──
As response, the file is returned without line breaks. In this example the
line breaks are added for better readability:
┌──
|HTTP/1.1 200 OK
|Content-Type: appli