Share: Email | Twitter

ID

VDE-2024-019

Published

2024-05-14 08:00 (CEST)

Last update

2024-05-14 09:31 (CEST)

Vendor(s)

PHOENIX CONTACT GmbH & Co. KG

Product(s)

Article No┬░ Product Name Affected Version(s)
1139022 CHARX SEC-3000 <= 1.5.1
1139018 CHARX SEC-3050 <= 1.5.1
1139012 CHARX SEC-3100 <= 1.5.1
1138965 CHARX SEC-3150 <= 1.5.1

Summary

Multiple vulnerabilities have been discovered in the Firmware of CHARX SEC charge controllers.

Vulnerabilities



Last Update
March 19, 2024, 9:18 a.m.
Weakness
Untrusted Search Path (CWE-426)
Summary

A local low privileged attacker can use an untrusted search path in a CHARX system utility to gain root privileges. 

Last Update
March 19, 2024, 9:22 a.m.
Weakness
Improper Input Validation (CWE-20)
Summary

A local attacker with low privileges can use a command injection vulnerability to gain root privileges due to improper input validation using the OCPP Remote service.

Last Update
March 19, 2024, 9:23 a.m.
Weakness
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Summary

A local attacker with low privileges can perform a privilege escalation with an init script due to a TOCTOU vulnerability.

Last Update
March 19, 2024, 9:19 a.m.
Weakness
Cleartext Transmission of Sensitive Information (CWE-319)
Summary

An unauthenticated remote attacker can extract a session token with a MitM attack and gain web-based management access with the privileges of the currently logged in user due to cleartext transmission of sensitive information. No additional user interaction is required. The access is limited as only non-sensitive information can be obtained but the availability can be seriously affected. 

Last Update
March 19, 2024, 9:21 a.m.
Weakness
Improper Input Validation (CWE-20)
Summary

A low privileged remote attacker can use a command injection vulnerability in the API which performs remote code execution as the user-app user due to improper input validation. The confidentiality is partly affected.

Impact

CVE-2024-28137: The exploit allows a local user to gain root privileges, which allows them to take over the device.

CVE-2024-28134: The exploit allows an attacker without local account to get access to the web-based
management with the privileges of the currently logged in user.

CVE-2024-28135: The exploit allows a user of the web-based management to perform remote code execution on the device as a user with low privileges.

CVE-2024-28133: The exploit allows a local user on the device to perform privilege escalation to gain root
privileges.

CVE-2024-28136: When the OCPP management port is opened, the exploit allows an attacker without local
account to gain root privileges and perform remote code execution.

Solution

Mitigation

Phoenix Contact recommends operating network-capable devices in closed networks or
protected with a suitable firewall. For detailed information on our recommendations for measures
to protect network-capable devices, please refer to our application note.


Measures to protect network-capable devices with Ethernet connection

Remediation

PHOENIX CONTACT strongly recommends upgrading affected charge controllers to firmware
version 1.6 or higher which fixes these vulnerabilities.

Reported by

CERT@VDE coordinated with PHOENIX CONTACT

These vulnerabilities were discovered by Trend Micro's Zero Day Initiative and SinSinology
We kindly appreciate the coordinated disclosure of this vulnerability by the finder.