Multiple vulnerabilites in Fronius Solar Inverter Series (CVE-2019-19229, CVE-2019-19228)

Project Description

The solar inverter series of Fronius are prone to different application based vulnerabilities. Beside the unencrypted HTTP communication other issues like path traversal and outdated software was identified in the firmware of the devices. A backdoor user was found to be present on the device that changes its password every day and can be predicted when the algorithm is known.


Vendor description

“A passion for new technologies, intensive research and revolutionary solutions have been shaping the Fronius brand since 1945. As the technology leader, we find, develop and implement innovative methods to monitor and control energy for welding technology, photovoltaics and battery charging. We forge new paths, try something difficult and succeed where others have failed in achieving what seems to be impossible. […]

Source: http://www.fronius.com/en/about-fronius/company-values

Business recommendation

The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately.

Vulnerability overview/description

1) Unencrypted Communication

The whole communication is handled over HTTP. There is no possibility to activate an HTTPS web service. This vulnerability cannot be fixed by the vendor in the current solar inverter generation, see the workaround section below.

2) Authenticated Path Traversal (CVE-2019-19229)

A path traversal attack for authenticated users is possible. This allows getting access to the operating system of the device and access information like network configurations and connections to other hosts or potentially other sensitive information.

This vulnerability has been fixed in March 2019 in version 3.12.5. (HM 1.10.5).

The web server runs with “nobody” privileges, but nearly all files on the file system are world-readable and can be extracted. This can be seen as another vulnerability but according to the vendor this cannot be fixed in the current solar inverter generation.

3) Backdoor Account (CVE-2019-19228)

The web interface has a backdoor user account with the username “today”. This user account has all permissions of all other users (“service”, “admin” and “user”) together.

As its name suggests, the password for the user “today” changes every day and seems to be different to other devices with the same firmware. This means that some device-specific strings (e.g. the public device-ID) is mixed up every day to generate a new password. This account is being used by Fronius support in order to access the device upon request from the user.

The fix for this issue has been split in two parts. The “password reset” part has been fixed in version 3.14.1 (HM 1.12.1) and the second part providing the support account needs an architectural rework which will be fixed in a future version (planned for 3.15.1 (HM 1.15.1)).

The passwords for all users of the web interface are stored in plain-text. This can be seen as another vulnerability and it has been fixed in version 3.14.1 (HM 1.12.1).

4) Outdated and Vulnerable Software Components

Outdated and vulnerable software components were found on the device during a quick examination. Not all of the outdated components can be fixed by the vendor in the current solar inverter generation, see the workaround section below.

Proof of concept

1) Unencrypted Communication

By using an interceptor proxy this vulnerability can be verified in a simple way.

2) Authenticated Path Traversal (CVE-2019-19229)

By sending the following request to the following endpoint, a path traversal vulnerability can be triggered: http://<IP-Address>/admincgi-bin/service.fcgi

Request to read the /etc/shadow password file:
GET /admincgi-bin/service.fcgi?action=download&filename=../../../../../etc/shadow

As response, the file is returned without line breaks. In this example the line breaks are added for better readability:

HTTP/1.1 200 OK 
Content-Type: application/force-download 
Content-Disposition: attachment; filename=../../../../../etc/shadow 
Connection: close 
Date: Sun, 28 Oct 2018 08:20:27 GMT 
Server: webserver

root:$1$6MNb1Vq3$oU4TaPqQ782Y2ybdWLICh1:0:1:99999:7:::
nobody:*:10897:0:99999:7:::
messagebus:$1$6JrvtnWp$T.JvjxjbGTCD.jF7.hhb3.:15638:0:99999:7:::

By retrieving the file “/etc/issue” an easter-egg was found:

3) Backdoor Account (CVE-2019-19228)

The passwords of the web interface of the affected versions are stored in the file
/tmp/web_users.conf in clear text:

admin:<user-password>
service:<user-password>
today:<40-bit hash-value>

The password for “today”, which is generated by some algorithm, is suspected to be a sha1-hash which includes the system-time. A detailed firmware analysis can reveal the algorithm but has not been performed for this advisory.

4) Outdated and Vulnerable Software Components

By using the path traversal vulnerability (2) a lot of components are found to be outdated:

  • Busybox 1.22.1 (December 23, 2014) multiple CVEs
  • Lighttpd 1.4.33 (September 27, 2013) multiple CVEs
  • Linux kernel 4.1.39 (March 13, 2017) multiple CVEs

The used SDK is based on the OSELAS toolchain from 2011 and U-Boot from 2012:

  • gcc version 4.6.2 (OSELAS.Toolchain-2011.11.1)
  • U-Boot 2012.07-3

Vulnerable / tested versions

The Fronius Symo 10.0-3-M (1) SWVersion 3.10.3-1 (HM 1.9.2) was tested but more solar inverters from Fronius share this firmware. The following list has been provided by the vendor:

  • Symo Hybrid 3.0-3-M
  • Symo Hybrid 4.0-3-M
  • Symo Hybrid 5.0-3-M
  • Datamanager Box 2.0
  • Symo 3.0-3-M *)
  • Symo 3.0-3-S *)
  • Symo 3.7-3-M *)
  • Symo 3.7-3-S *)
  • Symo 4.5-3-M *)
  • Symo 4.5-3-S *)
  • Symo 5.0-3-M *)
  • Symo 6.0-3-M *)
  • Symo 7.0-3-M *)
  • Symo 8.2-3-M *)
  • Symo 10.0-3-M *) (tested)
  • Symo 10.0-3-M-OS *)
  • Symo 12.5-3-M *)
  • Symo 15.0-3-M *)
  • Symo 17.5-3-M *)
  • Symo 20.0-3-M *)
  • Galvo 1.5-1 *)
  • Galvo 2.0-1 *)
  • Galvo 2.5-1 *)
  • Galvo 3.0-1 *)
  • Galvo 3.1-1 *)
  • Galvo 1.5-1 208-240 *)
  • Galvo 2.0-1 208-240 *)
  • Galvo 2.5-1 208-240 *)
  • Galvo 3.1-1 208-240 *)
  • Primo 3.0-1 *)
  • Primo 3.5-1 *)
  • Primo 3.6-1 *)
  • Primo 4.0-1 *)
  • Primo 4.6-1 *)
  • Primo 5.0-1 *)
  • Primo 5.0-1 AUS *)
  • Primo 5.0-1 SC *)
  • Primo 6.0-1 *)
  • Primo 8.2-1 *)
  • Primo 3.8-1 208-240 *)
  • Primo 5.0-1 208-240 *)
  • Primo 6.0-1 208-240 *)
  • Primo 7.6-1 208-240 *)
  • Primo 8.2-1 208-240 *)
  • Primo 10.0-1 208-240 *)
  • Primo 11.4-1 208-240 *)
  • Primo 12.5-1 208-240 *)
  • Primo 15.0-1 208-240 *)
  • Symo 10.0-3 208-240 *)
  • Symo 10.0-3 480 *)
  • Symo 12.0-3 208-240 *)
  • Symo 12.5-3 480 *)
  • Symo 15.0-3 107 *)
  • Symo 15.0-3 480 *)
  • Symo 17.5-3 480 *)
  • Symo 20.0-3 480 *)
  • Symo 22.7-3 480 *)
  • Symo 24.0-3 480 *)
  • Eco 25.0-3-S *)
  • Eco 27.0-3-S *)
  • Symo Advanced 10.0-3 208-240 *)
  • Symo Advanced 12.0-3 208-240 *)
  • Symo Advanced 15.0-3 480 *)
  • Symo Advanced 20.0-3 480 *)
  • Symo Advanced 22.7-3 480 *)
  • Symo Advanced 24.0-3 480 *)

*) only with Datamanager card/box

Vendor contact timeline

2018-11-05Contacting vendor through contact@fronius.com, requesting security contact
2018-11-06Vendor replies and confirms security issues
2018-12-03Meeting with vendor to discuss security issues
2019-01 – 2019-11Multiple telcos discussing Fronius’ rollout plan and fixes
2019-03-18Release of version 3.12.5 (HM 1.10.5) which fixes the path traversal vulnerability
2019-07-30Release of version 3.14.1 (HM 1.12.1) which fixes many of the other reported issues
2019-08 – 2019-11Testing & Fleet update to version 3.14.1 (HM 1.12.1)
2019-12-03Coordinated release of security advisory

Solution

The vendor provides a patched firmware via their download portal. Visit the download page and search for “firmware update” and choose the “Fronius Solar.update Datamanager V3.14.1-10” firmware. The new version v3.14.1 (HM 1.12.1) which contains most of the security fixes can be downloaded directly as well: https://www.fronius.com/[…]/Firmware/SE_FW_Fronius_Solar.update_Datamanager_EN.zip

Some of the identified vulnerabilities (e.g. issue 1 and parts of 4) cannot be fixed in the current solar inverter product/software generation. Issue 2 (path traversal) has been fixed in version 3.12.5 (HM 1.10.5).

Workaround

Restrict network access to the device as much as possible and disable port forwarding from the Internet. Fronius Solar.Web access is still possible.

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

EOF Thomas Weber / @2019

Interested to work with the experts of SEC Consult? Send us your application
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.

Project Details

  • TitleMultiple vulnerabilites
  • ProductFronius Solar Inverter Series
  • Vulnerable versionSW Version <3.14.1 (HM 1.12.1)
  • Fixed version>=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution section below
  • CVE numberCVE-2019-19228, CVE-2019-19229
  • ImpactHigh
  • Homepagehttps://www.fronius.com
  • Found2018-10-31
  • ByT. Weber (Office Vienna) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Blog. Blog

Back