Summary
VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.
Impact
The vulnerability allows unauthorized read and write access to the web backend. This allows reading and writing of parameters that are not intended for this purpose (e.g. connectivity settings, grid parameters). This can impact the operational availability and integrity. The safety of the battery storage device is not affected because safety relevant parameters are not accessible via the web backend.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 2700852201 - 52 | Element S1 | Firmware < 2e.3.8.0 |
| 2700852301 - 53, 2700852401 - 53 | Element S2 | Firmware < 2e.3.8.0 |
| 2709852201 - 53 | Element S3 | Firmware < 2e.3.8.0 |
| 2709858202 - 13 | Element S4 | Firmware < 2e.3.8.0 |
| 2709858310 - 90 | Element backup | Firmware < F21000400 |
| 2703852201 | One L/XL | Firmware < 2e.4.4.0 |
| 2707852201 | Pulse (not pulse neo) | Firmware < D21010400 |
Vulnerabilities
Expand / Collapse allHard-coded credentials in Web-UI of multiple VARTA Storage products in multiple versions allows an unauthorized attacker to gain administrative access to the Web-UI via network.
Mitigation
General countermeasures: Restrict HTTP traffic to the energy storage system by using an inbound firewall or other measures on the network level.
Remediation
A fixed version will be rolled out OTA as soon as it is available. Rollout for VARTA element backup will start end of Q1/2023 followed by Element S4.
Revision History
| Version | Date | Summary |
|---|---|---|
| 1 | 15.03.2023 10:00 | Initial revision. |