EnBW – SENEC legacy storage box: V1-V3 firmware has been identified as being affected by a vulnerability that exposes sensitive information without requiring authentication. This flaw was discovered by researchers Ph0s[4] and R0ckE7, who reported it to the manufacturer, EnBW. The manufacturer subsequently rolled out a patch for the vulnerability, but the public disclosure was made on November 1, 2023.
The vulnerability allowed unauthenticated attackers to access log information via the URL http://SENEC-IP/log/YYYY/MM/DD.log, where SENEK-IP would be replaced by the specific IP address of the affected system and YYYY/MM/DD would be the year, month, and day of the desired log file. This log file contained sensitive information about the operating status of the photovoltaic system, software releases, and usernames used for login.
By exploiting this vulnerability, attackers could draw conclusions about the effectiveness of various types of attacks, evaluate changes in the logged operating status, target known vulnerabilities related to the software release of the application itself and any used third-party libraries, and use it as a stepping stone for deeper attacks, such as brute force attacks involving the usernames provided in the log.
Upon discovering the vulnerability on June 1, 2022, Ph0s[4] and R0ckE7 reported it to the manufacturer on June 5, 2023. EnBW took swift action, and by September 11, 2023, a patch was rolled out to affected devices. The public disclosure of the vulnerability was made on November 1, 2023.
The overall Common Vulnerability Scoring System (CVSS) score for this vulnerability was 7.2, indicating a high-risk level. However, the manufacturer has since fixed the vulnerability, mitigating the risk of exploitation.
The affected product, EnBW – SENEC legacy storage box: V1-V3, is manufactured by SENEC, which is a part of EnBW. SENEC has been a key player in promoting energy independence and sustainability through the self-generation of solar electricity since its founding in 2009. The company’s flagship product, SENEC.Home, a smart electricity storage device, aims to provide a sustainable and affordable supply of solar electricity for households.
In response to the public disclosure, EnBW issued a statement thanking the researchers for bringing the vulnerability to their attention. The company assured its customers that the patch for the vulnerability has been rolled out and that the systems are now secure.
In conclusion, the EnBW – SENEC legacy storage box: V1-V3 firmware was found to have a serious vulnerability that allowed unauthorized access to sensitive log information. However, the manufacturer, EnBW, acted promptly and responsibly by fixing the vulnerability and rolling out the patch to affected devices, ensuring the security and integrity of their product.