| Article No. | Product Name | Affected Version(s) |
|---|---|---|
| | SMA Sunny Webbox | all |
| | SMA Sunny Webbox with Bluetooth | all |
A security researcher discovered a clickjacking vulnerability in the web frontend of the affected products: the WebUI can be embedded in a frame on a foreign page. An attacker could lure a user onto a malicious website that appears to be the WebUI of the affected product. The affected products are out of support (End-of-Life 2015-12-31).
An attacker could send a malicious link to an authenticated operator, allowing remote attackers to perform a clickjacking attack against Sunny WebBox firmware version 1.6.1 and earlier.
A user can thereby be tricked into performing unwanted actions while believing they are clicking on the Webbox WebUI.
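The exposure described above comes down to whether a web frontend sends the framing controls a browser honours (X-Frame-Options, or the Content-Security-Policy frame-ancestors directive, which takes precedence when both are present). The following check is an added example and not SMA's code; it classifies a set of HTTP response headers as frameable, restricted or protected. The sample responses in it are constructed for illustration and are not captured Webbox traffic; the host names in them are placeholders.

```python
"""Framing-protection check for an HTTP response (clickjacking exposure).

Added example, not SMA's code. A page can be embedded in an attacker's frame
unless the server sends X-Frame-Options or a CSP frame-ancestors directive.
The sample responses below are constructed for illustration, not captured
Webbox traffic.
"""
from typing import Dict, List, Optional
import urllib.request


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Dict[str, str]) -> str:
    """Classify a response as 'protected', 'restricted' or 'frameable'.

    protected  : no page may frame it (frame-ancestors 'none' or X-Frame-Options: DENY)
    restricted : only listed origins may frame it (frame-ancestors <list> or SAMEORIGIN)
    frameable  : any origin may frame it, so clickjacking is possible
    """
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if ancestors == ["none"]:
                return "protected"
            if "*" in ancestors:
                return "frameable"
            return "restricted"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "protected"
    if xfo == "SAMEORIGIN":
        return "restricted"
    # ALLOW-FROM is obsolete and ignored by current browsers, i.e. no protection.
    return "frameable"


def check_url(url: str, timeout: float = 5.0) -> str:
    """Fetch a URL and classify its response headers (not exercised offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return framing_verdict(dict(resp.headers.items()))


# Constructed sample responses (illustrative placeholders, not real device output).
SAMPLE_RESPONSES = {
    "legacy-webui": {"Content-Type": "text/html", "Server": "embedded-httpd"},
    "xfo-deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"Content-Type": "text/html", "X-Frame-Options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'self' https://portal.example",
    },
    "allow-from-only": {"X-Frame-Options": "ALLOW-FROM https://portal.example"},
}


def audit_samples() -> Dict[str, str]:
    """Run the check over every constructed sample response."""
    return {name: framing_verdict(hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:20s} {verdict}")
```

A legacy embedded web UI that sends neither header, as in the "legacy-webui" sample, is classified frameable; that is the condition the advisory describes. Run check_url against a device on an isolated test network to confirm the verdict for a live host.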
Mitigation
If you cannot replace the Webbox with a suitable up-to-date product, isolate the affected network segment and block all inbound network traffic to it. In particular, never configure port forwarding from the Internet to the SMA Webbox.
Remediation
Replace the out-of-support Sunny Webbox / Sunny Webbox with Bluetooth with a suitable up-to-date product. Technical information on the switchover is available at sma-sunny.com/en/how-to-replace-old-data-logger/
SMA Solar Technology AG thanks the following parties for their efforts: