TROYANOSYVIRUS
Retour aux CVEs

CVE-2017-9857

N/A

Description

An issue was discovered in SMA Solar Technology products. The SMAdata2+ communication protocol does not properly use authentication with encryption: it is vulnerable to man in the middle, packet injection, and replay attacks. Any setting change, authentication packet, scouting packet, etc. can be replayed, injected, or used for a man in the middle session. All functionalities available in Sunny Explorer can effectively be done from anywhere within the network as long as an attacker gets the packet setup correctly. This includes the authentication process for all (including hidden) access levels and the changing of settings in accordance with the gained access rights. Furthermore, because the SMAdata2+ communication channel is unencrypted, an attacker capable of understanding the protocol can eavesdrop on communications. NOTE: the vendor's position is that authentication with encryption is not required on an isolated subnetwork. Also, only Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 could potentially be affected

Details CVE

Score CVSS v3.1N/A
Publie8/5/2017
Derniere modification4/20/2025
Sourcenvd
Observations honeypot0

Produits affectes

sma:sunny_boy_1.5sma:sunny_boy_1.5_firmwaresma:sunny_boy_2.5sma:sunny_boy_2.5_firmwaresma:sunny_boy_3.0sma:sunny_boy_3.0_firmwaresma:sunny_boy_3.6sma:sunny_boy_3.6_firmwaresma:sunny_boy_3000tlsma:sunny_boy_3000tl_firmwaresma:sunny_boy_3600sma:sunny_boy_3600_firmwaresma:sunny_boy_3600tlsma:sunny_boy_3600tl_firmwaresma:sunny_boy_4.0sma:sunny_boy_4.0_firmwaresma:sunny_boy_4000tlsma:sunny_boy_4000tl_firmwaresma:sunny_boy_5.0sma:sunny_boy_5.0_firmwaresma:sunny_boy_5000sma:sunny_boy_5000_firmwaresma:sunny_boy_5000tlsma:sunny_boy_5000tl_firmwaresma:sunny_boy_storage_2.5sma:sunny_boy_storage_2.5_firmwaresma:sunny_central_1000cp_xtsma:sunny_central_1000cp_xt_firmwaresma:sunny_central_2200sma:sunny_central_2200_firmwaresma:sunny_central_500cp_xtsma:sunny_central_500cp_xt_firmwaresma:sunny_central_630cp_xtsma:sunny_central_630cp_xt_firmwaresma:sunny_central_720cp_xtsma:sunny_central_720cp_xt_firmwaresma:sunny_central_760cp_xtsma:sunny_central_760cp_xt_firmwaresma:sunny_central_800cp_xtsma:sunny_central_800cp_xt_firmwaresma:sunny_central_850cp_xtsma:sunny_central_850cp_xt_firmwaresma:sunny_central_900cp_xtsma:sunny_central_900cp_xt_firmwaresma:sunny_central_storage_1000sma:sunny_central_storage_1000_firmwaresma:sunny_central_storage_2200sma:sunny_central_storage_2200_firmwaresma:sunny_central_storage_2500-evsma:sunny_central_storage_2500-ev_firmwaresma:sunny_central_storage_500sma:sunny_central_storage_500_firmwaresma:sunny_central_storage_630sma:sunny_central_storage_630_firmwaresma:sunny_central_storage_720sma:sunny_central_storage_720_firmwaresma:sunny_central_storage_760sma:sunny_central_storage_760_firmwaresma:sunny_central_storage_800sma:sunny_central_storage_800_firmwaresma:sunny_central_storage_850sma:sunny_central_storage_850_firmwaresma:sunny_central_storage_900sma:sunny_central_storage_900_firmwaresma:sunny_tripower_12000tlsma:sunny_tripower_12000tl_firmwaresma:sunny_tripower_15000tlsma:sunny_tripower_15000tl_firmwaresma:sunny_tripower_20000tlsma:sunny_tripower_20000tl_firmwaresma:sunny_tripower_25000tlsma:sunny_tripower_25000tl_firmwaresma:sunny_tripower_5000tlsma:sunny_tripower_5000tl_firmwaresma:sunny_tripower_60sma:sunny_tripower_60_firmwaresma:sunny_tripower_core1sma:sunny_tripower_core1_firmware

Faiblesses (CWE)

CWE-287

References

http://www.sma.de/en/statement-on-cyber-security.html(cve@mitre.org)
http://www.sma.de/fileadmin/content/global/specials/documents/cyber-security/Whitepaper-Cyber-Security-AEN1732_07.pdf(cve@mitre.org)
https://horusscenario.com/CVE-information/(cve@mitre.org)
http://www.sma.de/en/statement-on-cyber-security.html(af854a3a-2127-422b-91ae-364da2661108)
http://www.sma.de/fileadmin/content/global/specials/documents/cyber-security/Whitepaper-Cyber-Security-AEN1732_07.pdf(af854a3a-2127-422b-91ae-364da2661108)
https://horusscenario.com/CVE-information/(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.