Share: Email | Twitter

ID

VDE-2022-061

Published

2023-03-15 10:00 (CET)

Last update

2023-03-23 06:30 (CET)

Vendor(s)

VARTA Storage GmbH

Product(s)

Article No┬░ Product Name Affected Version(s)
2709858310 - 90 Element backup < F21000400
2700852201 - 52 Element S1 < 2e.3.8.0
2700852301 - 53 Element S2 < 2e.3.8.0
2700852401 - 53 Element S2 < 2e.3.8.0
2709852201 - 53 Element S3 < 2e.3.8.0
2709852201 - 53 Element S3 < 2e.4.4.0
2709858202 - 13 Element S4 < D21010400
2703852201 One L/XL < 2e.3.8.0
2707852201 Pulse (not pulse neo) < C21010800

Summary

VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.


Last Update:

April 12, 2023, 1:23 p.m.

Weakness

Use of Hard-coded Credentials  (CWE-798) 

Summary

Hard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network.


Impact

The vulnerability allows unauthorized read and write access to the web backend. This allows reading and writing of parameters that are not intended for this purpose (e.g. connectivity settings, grid parameters). This can impact the operational availability and integrity. The safety of the battery storage device is not affected because safety relevant parameters are not accessible via the web backend.

Solution

Mitigation

General countermeasures: Restrict HTTP traffic to the energy storage system by using an inbound firewall or other measures on the network level.

Remediation

Product-specific countermeasures: A fixed version will be rolled out OTA as soon as it is available. Rollout for VARTA element backup will start end of Q1/2023 followed by Element S4.

Reported by

Thanks also go to the security researcher Andreas Dolp for reporting and collaboration on this topic.

VARTA thanks CERT@VDE for the coordination and support with this publication.