SEDG-2024-1 | SolarEdge

SEDG-2024-1

Advisory ID:

SEDG-2024-1


CVE(s):

CVE-2024- 28756


Issue Summary:

MySolarEdge android app before version 2.20.1 does not properly verify TLS server certificates.
 

CVSSv3 as reported by reporter:

Score 5.9, Medium
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N


CVSSv3 SolarEdge analysis:

Score 5.9, Medium
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N


Advisory publication date:

21.3.2024


Update on:

21.3.2024

________________________________________
 

1. Advisory Details


Impacted products and versions

- MySolarEdge android app before version 2.20.1.

- Not impacted: MySolarEdge iOS app
 

Description:
MySolarEdge android app before version 2.20.1 does not properly verify TLS server certificates.


Known attack vectors:
A malicious actor may be able to exploit the vulnerability by presenting invalid certificates leading to a machine-in-the-middle attack.


Resolution:
Upgrading the MySolarEdge android App to version 2.20.1 or the latest version in the play store.


Workarounds:
N/A


Additional documentation:
N/A


Acknowledgments:
SolarEdge would like to thank researcher Tobias Jäger from the firm SySS GmbH for reporting this issue.



2. References

NVD

MITRE


3. Change log

N/A
 

4. Contact and information

SolarEdge Cyber Security Policy

EMAIL: Product.Security@solaredge.com

Off
Off