CVE-2024-43661

{"id": "CVE-2024-43661", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "csirt@divd.nl", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "IRRECOVERABLE", "baseScore": 7.1, "automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:I/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2025-01-09T08:15:29.450", "references": [{"url": "https://csirt.divd.nl/CVE-2024-43661/", "source": "csirt@divd.nl"}, {"url": "https://csirt.divd.nl/DIVD-2024-00035/", "source": "csirt@divd.nl"}, {"url": "https://iocharger.com", "source": "csirt@divd.nl"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "csirt@divd.nl", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "The <redacted>.so library, which is used by <redacted>, is\nvulnerable to a buffer overflow in the code that handles the deletion\nof certificates. This buffer overflow can be triggered by providing a\nlong file path to the <redacted> action of the <redacted>.exe CGI binary or\nto the <redacted>.sh CGI script. This binary or script will write this\nfile path to <redacted>, which is then\nread by <redacted>.so\n\n\nThis issue affects Iocharger firmware for AC models before version 24120701.\n\nLikelihood: Moderate \u2013 An attacker will have to find this exploit by\neither obtaining the binaries involved in this vulnerability, or by trial\nand error. Furthermore, the attacker will need a (low privilege)\naccount to gain access to the <redacted>.exe CGI binary or <redacted>.sh\nscript to trigger the vulnerability, or convince a user with such access\nsend an HTTP request that triggers it.\n\n\nImpact: High \u2013 The <redacted> process, which we assume is\nresponsible for OCPP communication, will keep crashing after\nperforming the exploit. This happens because the buffer overflow\ncauses the process to segfault before\n<redacted> is removed. This means that,\neven though <redacted> is automatically restarted, it will crash\nagain as soon as it tries to parse the text file.\n\nCVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The attack leads to reducred availability of the device (VC:N/VI:N/VA:H). THere is not impact on subsequent systems. (SC:N/SI:N/SA:N). Alltough this device is an EV charger handing significant amounts of power, we do not forsee a safety impact. The attack can be automated (AU:Y). Because the DoS condition is written to disk persistantly, it cannot be recovered by the user (R:I)."}, {"lang": "es", "value": "La librer\u00eda .so, que es utilizada por , es vulnerable a un desbordamiento de b\u00fafer en el c\u00f3digo que gestiona la eliminaci\u00f3n de certificados. Este desbordamiento de b\u00fafer se puede activar al proporcionar una ruta de archivo larga a la acci\u00f3n del binario CGI .exe o al script CGI .sh. Este binario o script escribir\u00e1 esta ruta de archivo en , que luego es le\u00eddo por .so. Este problema afecta al firmware de Iocharger para modelos AC anteriores a la versi\u00f3n 24120701. Probabilidad: Moderada: un atacante tendr\u00e1 que encontrar esta vulnerabilidad obteniendo los binarios involucrados en esta vulnerabilidad o por ensayo y error. Adem\u00e1s, el atacante necesitar\u00e1 una cuenta (con poco nivel de privilegios) para obtener acceso al binario CGI .exe o al script .sh para activar la vulnerabilidad, o convencer a un usuario con dicho acceso de que env\u00ede una solicitud HTTP que la active. Impacto: alto: el proceso , que suponemos que es responsable de la comunicaci\u00f3n OCPP, seguir\u00e1 fallando despu\u00e9s de ejecutar el exploit. Esto sucede porque el desbordamiento del b\u00fafer hace que el proceso se segmente antes de que se elimine . Esto significa que, aunque se reinicie autom\u00e1ticamente, se bloquear\u00e1 nuevamente tan pronto como intente analizar el archivo de texto. Aclaraci\u00f3n de CVSS. El ataque se puede ejecutar en cualquier conexi\u00f3n de red que la estaci\u00f3n est\u00e9 escuchando y sirva a la interfaz web (AV:N), y no hay ninguna medida de seguridad adicional en el lugar que deba eludirse (AC:L), el ataque no depende de condiciones previas (AT:N). El ataque requiere autenticaci\u00f3n, pero el nivel de autenticaci\u00f3n es irrelevante (PR:L), no requiere interacci\u00f3n del usuario (UI:N). El ataque conduce a una disponibilidad reducida del dispositivo (VC:N/VI:N/VA:H). No hay impacto en los sistemas posteriores. (SC:N/SI:N/SA:N). Aunque este dispositivo es un cargador de veh\u00edculos el\u00e9ctricos que gestiona cantidades significativas de energ\u00eda, no prevemos un impacto en la seguridad. El ataque puede automatizarse (AU:Y). Debido a que la condici\u00f3n de denegaci\u00f3n de servicio se escribe en el disco de forma persistente, el usuario no puede recuperarla (R:I)."}], "lastModified": "2025-01-09T15:15:17.937", "sourceIdentifier": "csirt@divd.nl"}