Willem Westerhof

**Name of the Vulnerable Software and Affected Versions** Lush 2 versions through 2020-02-25 Tk-star nan versions (affected versions not specified) Epson products versions (affected versions not specified) One2Track versions (affected versions not specified) Brother printers versions (affected versions not specified) Svakom Nan versions (affected versions not specified) Loven nan versions (affected versions not specified) Loven versions (affected versions not specified) **Description** The issue is related to the lack of Bluetooth traffic encryption, allowing an attacker to hijack an ongoing Bluetooth connection and gain full control over the device. This vulnerability affects multiple products and versions, putting them at risk of exploitation. Users are urged to update to the latest version to mitigate risks. The vulnerability can lead to remote code execution. **Recommendations** For Lush 2 versions through 2020-02-25, update to a version released after 2020-02-25 to mitigate the risk. For Tk-star nan, update to the latest version to mitigate risks. For Epson products, ensure your systems are updated to the latest firmware to mitigate potential threats. For One2Track, update to the latest release to mitigate risks. For Brother printers, update to the latest firmware immediately to protect your devices and disable unnecessary network services. For Svakom Nan, update to the latest version to mitigate risks. For Loven nan, update to the latest version and apply all recommended patches to mitigate risks. For Loven, update to the latest release to mitigate risks.

**Name of the Vulnerable Software and Affected Versions** Siime Eye version 14.1.00000001.3.330.0.0.3.14 **Description** An issue was discovered in Siime Eye where the password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased. **Recommendations** For Siime Eye version 14.1.00000001.3.330.0.0.3.14, update to the latest firmware to mitigate the risk of exploitation. As a temporary workaround, consider restricting network access to the device until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Siime Eye version 14.1.00000001.3.330.0.0.3.14 **Description** An issue was discovered in Siime Eye, which uses a default SSID value. This makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of device. Various resources, such as wigle.net, can be used for mapping SSIDs to physical locations. **Recommendations** To resolve the issue, update the Siime Eye device to the latest firmware and apply all recommended security patches. Ensure that the device is configured to use a unique SSID value instead of the default one. As a temporary workaround, consider disabling the device's wireless functionality until a patch is available. Restrict access to the device's network to minimize the risk of exploitation. Avoid using resources like wigle.net to map SSIDs to physical locations until the issue is resolved. Note: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Siime Eye version 14.1.00000001.3.330.0.0.3.14 **Description** An issue was discovered in Siime Eye where information on all users, including passwords, can be found in cleartext in a backup file created through the web interface. An attacker capable of accessing the web interface can create the backup file. **Recommendations** For Siime Eye version 14.1.00000001.3.330.0.0.3.14, as a temporary workaround, consider restricting access to the web interface to minimize the risk of exploitation. Additionally, avoid using the backup feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Siime Eye version 14.1.00000001.3.330.0.0.3.14 **Description** An issue was discovered in the software, where there is no CSRF protection. This issue affects multiple products, including Epson, Sannce, Svakom, and Tk-star. However, specific details about the affected versions of these products are not provided. To mitigate risks, it is recommended to update the software to the latest version and apply all available patches. **Recommendations** For Siime Eye version 14.1.00000001.3.330.0.0.3.14, update the software to the latest version to mitigate the risk of exploitation. As a temporary workaround, consider implementing CSRF protection measures until a patch is available. For other affected products, including Epson, Sannce, Svakom, and Tk-star, update to the latest firmware and apply all recommended patches to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Epson Expression Home XP255 version 20.08.FM10I8 **Description** An issue was discovered where POST requests do not require anti-CSRF tokens or other mechanisms for validating that the request is from a legitimate source. This allows for CSRF attacks to be used to send text directly to the RAW printer interface, potentially delivering unwanted printouts to end users. **Recommendations** For Epson Expression Home XP255 version 20.08.FM10I8, consider disabling the ability to send POST requests to the printer interface until a patch is available. Restrict access to the printer's RAW interface to minimize the risk of exploitation. Update to the latest firmware as soon as it becomes available to mitigate this issue.

**Name of the Vulnerable Software and Affected Versions** Alecto IVM-100 2019-11-12 Tk-star nan (affected versions not specified) Svakom Nan (affected versions not specified) Alecto nan (affected versions not specified) Loven nan (affected versions not specified) Sannce products (affected versions not specified) Brother printers (affected versions not specified) **Description** An issue was discovered in the custom UDP protocol used by the devices to start and control video and audio services. The protocol has been partially reverse engineered, revealing that no password or username is transferred over this protocol. As a result, it is possible to set up sessions with the device over the Internet using the encoded UID, since authentication happens at the client side. **Recommendations** For Alecto IVM-100 2019-11-12, consider disabling the custom UDP protocol until a patch is available. For Tk-star nan, update to the latest version immediately to mitigate risks. For Svakom Nan, update to the latest version immediately to mitigate risks. For Alecto nan, update to the latest release to mitigate risks. For Loven nan, update to the latest version to mitigate potential threats. For Sannce products, update to the latest firmware and follow security best practices. For Brother printers, update to the latest firmware provided by Brother to mitigate risks. At the moment, there is no information about a newer version that contains a fix for this vulnerability for some of the affected products.

**Name of the Vulnerable Software and Affected Versions** Alecto IVM-100 version 2019-11-12 **Description** An issue was discovered where a large amount of information is disclosed when attaching to the serial interface at the board level and rebooting the device. This includes the view password and the password of the Wi-Fi access point that the device used. **Recommendations** For Alecto IVM-100 version 2019-11-12, as a temporary workaround, consider restricting access to the serial interface at the board level until a patch is available. However, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WiZ Colors A60 version 1.14.0 **Description** An issue was discovered where the device sends unnecessary information to the cloud controller server, including the local IP address and the SSID of the Wi-Fi network it is connected to. Although this information is sent encrypted, it decreases the privacy of the end user. The sent SSID can be mapped to physical locations using resources like wigle.net. **Recommendations** For WiZ Colors A60 version 1.14.0, consider restricting the device's ability to send this unnecessary information to the cloud controller server as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WiZ Colors A60 version 1.14.0 **Description** An issue was discovered where API credentials are locally logged, potentially exposing sensitive information. **Recommendations** For WiZ Colors A60 version 1.14.0, consider restricting access to the locally logged API credentials until a patch is available. As a temporary workaround, review and securely store or remove any locally logged API credentials to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WiZ Colors A60 version 1.14.0 **Description** An issue was discovered where Wi-Fi credentials are stored in cleartext in flash memory. This presents an information-disclosure risk for a discarded or resold device. **Recommendations** For WiZ Colors A60 version 1.14.0, consider updating to a newer version that securely stores Wi-Fi credentials to mitigate the risk of information disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 (affected versions not specified) **Description** An issue was discovered that allows control of the camera's pan/zoom/tilt functionality using TELNET without a password. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products, specifically Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30 **Description** An issue in SMA Solar Technology products allows for cross-site request forgery, enabling an attacker to change settings in the inverters, including the user password, by issuing a POST request to a vulnerable endpoint, such as '/api/v1/settings', when a user has Sunny Explorer running and visits a malicious host. This could result in the compromise of the device, with the attacker gaining access to all Sunny Explorer settings available to the authenticated user, and potentially even settings that the user does not have access to. The vendor notes that exploitation is unlikely due to the rare usage of Sunny Explorer. **Recommendations** For Sunny Boy TLST-21 and TL-21 and Sunny Tripower TL-10 and TL-30, consider disabling Sunny Explorer until a patch is available to prevent potential cross-site request forgery attacks. Restrict access to the inverters' settings to minimize the risk of exploitation. Avoid using Sunny Explorer while visiting untrusted websites to reduce the likelihood of an attack. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products (affected versions not specified) Sunny Boy versions TLST-21 and TL-21 Sunny Tripower versions TL-10 and TL-30 **Description** An issue was discovered in SMA Solar Technology products where sending nonsense data or setting up a TELNET session to the database port of Sunny Explorer can cause the application to crash. The vendor reports that the maximum possible damage is a communication failure. **Recommendations** For SMA Solar Technology products, consider restricting access to the database port of Sunny Explorer to minimize the risk of exploitation. For Sunny Boy versions TLST-21 and TL-21, and Sunny Tripower versions TL-10 and TL-30, avoid using the TELNET session to the database port until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products, specifically Sunny Boy TLST-21, TL-21, and Sunny Tripower TL-10, TL-30 **Description** An issue allows an attacker to change the plant time without authentication, potentially affecting system time and making timestamps for data analysis unreliable. However, the vendor reports that this issue is largely irrelevant as it only affects log-entry timestamps and the plant time would later be reset via NTP. **Recommendations** For Sunny Boy TLST-21, TL-21, and Sunny Tripower TL-10, TL-30, consider restricting access to time-setting functionality until a patch is available. As a temporary workaround, ensure NTP is properly configured to reset the plant time and minimize the impact of the issue.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products (affected versions not specified) **Description** An Incorrect Password Management issue was discovered in SMA Solar Technology products. Default passwords exist that are rarely changed. User passwords will almost always be default. Installer passwords are expected to be default or similar across installations installed by the same company. Hidden user accounts have a fixed password for all devices, which can never be changed by a user. Other vulnerabilities exist that allow an attacker to get the passwords of these hidden user accounts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products (affected versions not specified) Sunny Boy versions TLST-21 and TL-21 Sunny Tripower versions TL-10 and TL-30 **Description** An issue was discovered in SMA Solar Technology products, where all inverters have a weak password policy for the user and installer password. There are no complexity requirements or length requirements set for passwords. Additionally, strong passwords are impossible due to a maximum of 12 characters and a limited set of characters. **Recommendations** For SMA Solar Technology products, consider implementing a stronger password policy with complexity and length requirements. For Sunny Boy TLST-21 and TL-21, and Sunny Tripower TL-10 and TL-30, restrict access to the user and installer password until a stronger password policy can be implemented. As a temporary workaround, consider disabling the default password functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products (affected versions not specified) Sunny Boy versions TLST-21 and TL-21 Sunny Tripower versions TL-10 and TL-30 **Description** An issue was discovered in SMA Solar Technology products where plaintext passwords can be obtained by sniffing for specific packets on the localhost as they are typed into Sunny Explorer by the user. These passwords can then be used to compromise the overall device. The vendor reports that the exploitation likelihood is low because these packets are usually sent only once during installation. **Recommendations** For Sunny Boy versions TLST-21 and TL-21, consider restricting access to the device during installation to minimize the risk of exploitation. For Sunny Tripower versions TL-10 and TL-30, avoid using the device on unsecured networks until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products (affected versions not specified) Sunny Boy versions TLST-21 and TL-21 Sunny Tripower versions TL-10 and TL-30 **Description** An issue was discovered in SMA Solar Technology products, related to the Grid Guard system, which is a secondary system available for Installers. This system uses predictable codes, and a single Grid Guard code can be used on any SMA inverter. When combined with the installer account, any such code allows changing very sensitive parameters. The vendor reports that Grid Guard is not an authentication feature, but only a tracing feature. **Recommendations** For Sunny Boy TLST-21 and TL-21, consider restricting access to the Grid Guard system until a fix is available. For Sunny Boy TL-21, restrict access to the Grid Guard system until a fix is available. For Sunny Tripower TL-10 and TL-30, restrict access to the Grid Guard system until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMA Solar Technology products (affected versions not specified) Sunny Boy versions TLST-21 and TL-21 Sunny Tripower versions TL-10 and TL-30 **Description** An issue was discovered in SMA Solar Technology products where sniffed passwords from SMAdata2+ communication can be decrypted easily due to a simple encryption algorithm. This allows an attacker to find the plaintext passwords and authenticate to the device. **Recommendations** For Sunny Boy versions TLST-21 and TL-21, consider restricting access to SMAdata2+ communication until a secure encryption method is implemented. For Sunny Tripower versions TL-10 and TL-30, avoid using the simple encryption algorithm for password protection and explore alternative secure authentication methods. At the moment, there is no information about a newer version that contains a fix for this vulnerability.