CVE-2019-19228

Q: What is the severity of CVE-2019-19228?

CVE-2019-19228 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to bypass authentication on Fronius Solar Inverter devices by reading the password for the 'today' account from the /tmp/web_users.conf file. This affects Fronius Solar Inverter devices with firmware versions before 3.14.1 (HM 1.12.1). Attackers can gain unauthorized access to device management interfaces.

9.8 CRITICAL

Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass authentication on Fronius Solar Inverter devices by reading the password for the 'today' account from the /tmp/web_users.conf file. This affects Fronius Solar Inverter devices with firmware versions before 3.14.1 (HM 1.12.1). Attackers can gain unauthorized access to device management interfaces.

💻 Affected Systems

Products:

Fronius Solar Inverter Series

Versions: Firmware versions before 3.14.1 (HM 1.12.1)

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running affected firmware versions are vulnerable by default. The vulnerability exists in the web interface authentication mechanism.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of solar inverter systems allowing attackers to manipulate power generation, cause equipment damage, or use devices as network pivots.

🟠

Likely Case

Unauthorized access to device management interfaces leading to configuration changes, data theft, or disruption of monitoring.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to management interfaces.

🌐 Internet-Facing: HIGH - Many solar inverters are directly internet-accessible for remote monitoring, making them vulnerable to widespread exploitation.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability if they can reach the management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only reading a file accessible to the web service. Public exploit details are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 3.14.1 (HM 1.12.1) or later

Vendor Advisory: https://www.fronius.com/en/solar-energy/installers-partners/technical-data/service-news/all-news/important-security-information-for-fronius-datamanager-and-datalogger-web

Restart Required: Yes

Instructions:

1. Download latest firmware from Fronius website. 2. Upload firmware to device via web interface. 3. Apply update. 4. Reboot device. 5. Verify firmware version is 3.14.1 or later.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate solar inverter management interfaces from untrusted networks

Access Control Lists

all

Restrict access to inverter management ports (typically 80/443) to authorized IP addresses only

🧯 If You Can't Patch

Implement strict network segmentation to isolate inverter management interfaces from untrusted networks
Deploy network-based intrusion detection to monitor for authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface. If version is below 3.14.1 (HM 1.12.1), device is vulnerable.

Check Version:

Check web interface status page or use: curl -s http://[inverter-ip]/status | grep firmware

Verify Fix Applied:

Verify firmware version is 3.14.1 or later. Test authentication to confirm password is no longer stored in /tmp/web_users.conf.

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful login from same IP
Access to /tmp/web_users.conf file

Network Indicators:

Unauthorized access to management ports (80/443) from unexpected sources
Multiple authentication attempts with 'today' account

SIEM Query:

source="inverter_logs" AND (event="auth_failure" OR event="file_access" AND file="/tmp/web_users.conf")

📊 Metadata

CVE ID: CVE-2019-19228

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-312

Published: December 4, 2019

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/155562/Fronius-Solar-Inverter-Series-Insecure-Communication-Path-Traversal.html Exploit,Third Party Advisory,VDB Entry
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-fronius-solar-inverter-series-cve-2019-19229-cve-2019-19228/ Exploit,Third Party Advisory
https://seclists.org/bugtraq/2019/Dec/5 Exploit,Mailing List,Third Party Advisory
http://packetstormsecurity.com/files/155562/Fronius-Solar-Inverter-Series-Insecure-Communication-Path-Traversal.html Exploit,Third Party Advisory,VDB Entry
https://sec-consult.com/en/blog/advisories/multiple-vulnerabilites-in-fronius-solar-inverter-series-cve-2019-19229-cve-2019-19228/ Exploit,Third Party Advisory
https://seclists.org/bugtraq/2019/Dec/5 Exploit,Mailing List,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Datamanager Box 2.0 Firmware by Fronius

Eco 25.0 3 S Firmware by Fronius

Eco 27.0 3 S Firmware by Fronius

Galvo 1.5 1 208 240 Firmware by Fronius

Galvo 1.5 1 Firmware by Fronius

Galvo 2.0 1 208 240 Firmware by Fronius

Galvo 2.0 1 Firmware by Fronius

Galvo 2.5 1 208 240 Firmware by Fronius

Galvo 2.5 1 Firmware by Fronius

Galvo 3.0 1 Firmware by Fronius

Galvo 3.1 1 208 240 Firmware by Fronius

Galvo 3.1 1 Firmware by Fronius

Primo 10.0 1 208 240 Firmware by Fronius

Primo 11.4 1 208 240 Firmware by Fronius

Primo 12.5 1 208 240 Firmware by Fronius

Primo 15.0 1 208 240 Firmware by Fronius

Primo 3.0 1 Firmware by Fronius

Primo 3.5 1 Firmware by Fronius

Primo 3.6 1 Firmware by Fronius

Primo 3.8 1 208 240 Firmware by Fronius

Primo 4.0 1 Firmware by Fronius

Primo 4.6 1 Firmware by Fronius

Primo 5.0 1 208 240 Firmware by Fronius

Primo 5.0 1 Aus Firmware by Fronius

Primo 5.0 1 Firmware by Fronius

Primo 5.0 1 Sc Firmware by Fronius

Primo 6.0 1 208 240 Firmware by Fronius

Primo 6.0 1 Firmware by Fronius

Primo 7.6 1 208 240 Firmware by Fronius

Primo 8.2 1 208 240 Firmware by Fronius

Primo 8.2 1 Firmware by Fronius

Symo 10.0 3 208 240 Firmware by Fronius

Symo 10.0 3 480 Firmware by Fronius

Symo 10.0 3 M Firmware by Fronius

Symo 10.0 3 M Os Firmware by Fronius

Symo 12.0 3 208 240 Firmware by Fronius

Symo 12.5 3 480 Firmware by Fronius

Symo 12.5 3 M Firmware by Fronius

Symo 15.0 3 107 Firmware by Fronius

Symo 15.0 3 480 Firmware by Fronius

Symo 15.0 3 M Firmware by Fronius

Symo 17.5 3 480 Firmware by Fronius

Symo 17.5 3 M Firmware by Fronius

Symo 20.0 3 480 Firmware by Fronius

Symo 20.0 3 M Firmware by Fronius

Symo 22.7 3 480 Firmware by Fronius

Symo 24.0 3 480 Firmware by Fronius

Symo 3.0 3 M Firmware by Fronius

Symo 3.0 3 S Firmware by Fronius

Symo 3.7 3 M Firmware by Fronius

Symo 3.7 3 S Firmware by Fronius

Symo 4.5 3 M Firmware by Fronius

Symo 4.5 3 S Firmware by Fronius

Symo 5.0 3 M Firmware by Fronius

Symo 6.0 3 M Firmware by Fronius

Symo 7.0 3 M Firmware by Fronius

Symo 8.2 3 M Firmware by Fronius

Symo Advanced 10.0 3 208 240 Firmware by Fronius

Symo Advanced 12.0 3 208 240 Firmware by Fronius

Symo Advanced 15.0 3 480 Firmware by Fronius

Symo Advanced 20.0 3 480 Firmware by Fronius

Symo Advanced 22.7 3 480 Firmware by Fronius

Symo Advanced 24.0 3 480 Firmware by Fronius

Symo Hybrid 3.0 3 M Firmware by Fronius

Symo Hybrid 4.0 3 M Firmware by Fronius

Symo Hybrid 5.0 3 M Firmware by Fronius