CVE-2017-9859
📋 TL;DR
SMA Solar Technology inverters use a weak hashing algorithm to encrypt passwords for REGISTER requests, allowing attackers to crack passwords offline and potentially register with SMA servers. This affects Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 inverters. The vendor considers exploitation probability extremely low.
💻 Affected Systems
- Sunny Boy TLST-21
- Sunny Boy TL-21
- Sunny Tripower TL-10
- Sunny Tripower TL-30
📦 What is this software?
Sunny Central Storage 1000 Firmware by Sma
Sunny Central Storage 2200 Firmware by Sma
Sunny Central Storage 2500 Ev Firmware by Sma
Sunny Central Storage 500 Firmware by Sma
Sunny Central Storage 630 Firmware by Sma
Sunny Central Storage 720 Firmware by Sma
Sunny Central Storage 760 Firmware by Sma
Sunny Central Storage 800 Firmware by Sma
Sunny Central Storage 850 Firmware by Sma
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to SMA servers, potentially manipulating inverter operations or accessing sensitive solar infrastructure data.
Likely Case
Limited impact, given the vendor's position that exploitation probability is low and that only specific models are affected; unauthorized registration is possible, but with limited operational impact.
If Mitigated
Minimal impact if proper network segmentation and monitoring are implemented, as exploitation requires specific conditions.
🎯 Exploit Status
Exploitation requires offline password cracking and network access to registration requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor documentation for specific firmware updates
Vendor Advisory: http://www.sma.de/en/statement-on-cyber-security.html
Restart Required: Yes
Instructions:
1. Consult SMA Solar Technology security documentation.
2. Apply recommended firmware updates.
3. Restart affected inverters.
4. Verify updated firmware version.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected inverters from untrusted networks to prevent registration request interception.
Monitoring Registration Traffic
Monitor network traffic for REGISTER requests and investigate anomalies.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate inverters
- Monitor for unusual registration attempts and network traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check inverter model and firmware version against vendor's affected products list.
Check Version:
Consult SMA inverter management interface or documentation for version check commands.
Verify Fix Applied:
Verify firmware version has been updated to vendor-recommended secure version.
📡 Detection & Monitoring
Log Indicators:
- Unusual REGISTER request patterns
- Failed registration attempts from unknown sources
Network Indicators:
- Unexpected outbound traffic to SMA servers
- Anomalous registration protocol traffic
SIEM Query:
source_ip IN (inverter_ips) AND dest_port = (registration_port) AND protocol = 'REGISTER'
🔗 References
- http://www.sma.de/en/statement-on-cyber-security.html
- http://www.sma.de/fileadmin/content/global/specials/documents/cyber-security/Whitepaper-Cyber-Security-AEN1732_07.pdf
- https://horusscenario.com/CVE-information/