SMA Solar Hard-Coded Account Hole
Thursday, September 3, 2015 @ 06:09 PM gHale
There is a hard-coded account vulnerability in SMA Solar Technology AG’s Sunny WebBox product, but the catch is that SMA plans to discontinue the sale of the product and does not plan to fix existing versions, according to a report on ICS-CERT.
Instead, the company is reaching out to WebBox users with compensating security recommendations.
This vulnerability, discovered by Aleksandr Timorin of PT Security, is remotely exploitable and affects all versions of the Sunny WebBox. A remote attacker who exploits it could gain full access to the system.
SMA Solar Technology AG is a German solar energy equipment supplier.
The affected product, Sunny WebBox, is used for remote monitoring and maintenance of medium-sized photovoltaic plants. According to SMA, Sunny WebBox devices are deployed in the Energy sector worldwide.
The Sunny WebBox can be accessed using hard-coded passwords that a user cannot change or disable.
CVE-2015-3964 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
No known public exploits specifically target this vulnerability. An attacker with a low skill level could exploit it.
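The 10.0 base score quoted above, reproduced with the CVSS v2 base-score equations, as an added example that is not part of the ICS-CERT advisory or SMA's material. The vector string is an assumption, chosen to match the characteristics the advisory describes (remotely exploitable, low skill, no credentials needed, full access); the page itself does not give it. The example also scores two variants that show how much of the 10.0 comes from the device being reachable without authentication over the network.

```python
# Added example: CVSS v2 base score from a vector string.
# The vector for CVE-2015-3964 is an assumption derived from the advisory's
# wording (remote, low complexity, no authentication, complete C/I/A impact).
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # confidentiality/integrity/availability


def _round1(x: float) -> float:
    """Round half up to one decimal place, as the v2 specification does."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_subscores(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' and return impact, exploitability, base."""
    m = dict(part.split(":") for part in vector.strip("()").split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # f(Impact) per the v2 spec
    base = _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)
    return {"impact": _round1(impact), "exploitability": _round1(exploitability), "base": base}


def cvss2_base(vector: str) -> float:
    """Convenience wrapper returning only the base score."""
    return cvss2_subscores(vector)["base"]


if __name__ == "__main__":
    # Assumed vector for a hard-coded, unchangeable account reachable remotely.
    assumed = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
    print("assumed vector       ", assumed, cvss2_base(assumed))
    # Same impact, but the device only reachable from an adjacent network,
    # which is the exposure a VPN-only access path approximates.
    print("adjacent network only", cvss2_base("AV:A/AC:L/Au:N/C:C/I:C/A:C"))
    # Same impact, but a single valid credential required before access.
    print("authentication needed", cvss2_base("AV:N/AC:L/Au:S/C:C/I:C/A:C"))
```

Running it prints 10.0 for the assumed vector, 8.3 when network reach is limited to an adjacent network and 9.0 when a credential is required, which is why removing direct Internet reachability is the compensating control that matters most when the password itself cannot be changed.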
SMA Solar Technology AG has sent out security recommendations via its Sunny Portal Online Platform to WebBox users. It recommends using port-forwarding or a VPN to access these devices remotely. Please refer to the Sunny Portal Online Platform or contact SMA customer service for more information.