Article No° | Product Name | Affected Version(s) |
---|---|---|
1139022 | CHARX SEC-3000 | <= 1.5.1 |
1139018 | CHARX SEC-3050 | <= 1.5.1 |
1139012 | CHARX SEC-3100 | <= 1.5.1 |
1138965 | CHARX SEC-3150 | <= 1.5.1 |
Multiple vulnerabilities have been discovered in the firmware of the CHARX SEC charge controllers.
Update: credits have been updated.
A local attacker with low privileges can escalate privileges through a time-of-check to time-of-use (TOCTOU) vulnerability in an init script.
A local attacker with low privileges can gain root privileges through a command injection vulnerability in the OCPP Remote service, caused by improper input validation.
A local attacker with low privileges can gain root privileges through an untrusted search path in a CHARX system utility.
An unauthenticated remote attacker in a man-in-the-middle (MitM) position can extract a session token, because sensitive information is transmitted in cleartext, and gain access to the web-based management with the privileges of the currently logged-in user. No additional user interaction is required. The impact on confidentiality is limited, as only non-sensitive information can be obtained, but availability can be seriously affected.
A remote attacker with low privileges can use a command injection vulnerability in the API, caused by improper input validation, to execute code on the device as the user-app user. Confidentiality is partly affected.
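The advisory names the weakness classes but not the affected code. The following is an added, generic illustration of the first class, a TOCTOU race between a privileged script's check of a path and its later use of that path; it is example code written for this page, not CHARX firmware, and the scratch directory, file names, function names and the "trusted owner equals the current user" policy are assumptions of the demo. The vulnerable half validates the path by name and opens it by name again, so a low-privileged user who can replace the path in between wins; the hardened half opens once with O_NOFOLLOW and validates the descriptor it actually got with fstat(), so check and use refer to the same inode.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (CWE-367), split into its two halves so the race can be
 * replayed deterministically: a privileged script first validates a path by
 * name ... */
int vulnerable_check(const char *path, uid_t trusted_uid) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;
    return S_ISREG(st.st_mode) && st.st_uid == trusted_uid;
}

/* ... and later opens it by name again. open() follows whatever the path
 * points to *now*, so anything swapped in between the two calls wins. */
int vulnerable_use(const char *path) {
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Hardened pattern: open once without following a final symlink, then
 * validate the object actually opened via fstat(). Check and use refer to
 * the same descriptor, so there is no window for an attacker to exploit. */
int hardened_open(const char *path, uid_t trusted_uid) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                 /* ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != trusted_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* True if the open descriptor refers to the same inode as `path`. */
static int fd_is_file(int fd, const char *path) {
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0) return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

static int write_file(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Replays the race in a constructed scratch directory (demo assumption):
 *   1. "config" is a legitimate regular file and passes the check;
 *   2. the attacker replaces it with a symlink to "secret" before the use;
 *   3. the vulnerable use opens "secret"; the hardened open refuses.
 * Returns a bitmask: bit 0 = vulnerable use opened the wrong file,
 * bit 1 = hardened open refused with ELOOP. 3 means both were observed. */
int run_demo(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char cfg[256], secret[256];
    snprintf(cfg, sizeof cfg, "%s/config", dir);
    snprintf(secret, sizeof secret, "%s/secret", dir);
    write_file(cfg, "listen=0.0.0.0\n");
    write_file(secret, "stand-in for a file only root should read\n");
    uid_t me = getuid();                   /* demo runs unprivileged */
    int result = 0;

    if (vulnerable_check(cfg, me)) {
        /* attacker wins the race: swap the checked path for a symlink */
        unlink(cfg);
        symlink(secret, cfg);
        int fd = vulnerable_use(cfg);
        if (fd >= 0 && fd_is_file(fd, secret)) result |= 1;
        if (fd >= 0) close(fd);
    }
    if (hardened_open(cfg, me) < 0 && errno == ELOOP) result |= 2;

    unlink(cfg); unlink(secret); rmdir(dir);
    return result;
}

int main(void) {
    printf("demo result: %d (3 = race reproduced, hardened open refused)\n", run_demo());
    return 0;
}
```

The same idea applies to any privileged script that touches a path a lower-privileged user can influence: do the ownership and type checks on the descriptor you will actually use, never on the name, and refuse symlinks unless you have a reason to follow them.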
CVE-2024-28137: The exploit allows a local user to gain root privileges and thereby take over the device.
CVE-2024-28134: The exploit allows an attacker without a local account to gain access to the web-based management with the privileges of the currently logged-in user.
CVE-2024-28135: The exploit allows a user of the web-based management to perform remote code execution on the device as a user with low privileges.
CVE-2024-28133: The exploit allows a local user on the device to escalate privileges and gain root privileges.
CVE-2024-28136: When the OCPP management port is open, the exploit allows an attacker without a local account to gain root privileges and perform remote code execution.
Mitigation
PHOENIX CONTACT recommends operating network-capable devices in closed networks or protected by a suitable firewall. For detailed information on the recommended measures to protect network-capable devices, please refer to the application note:
Measures to protect network-capable devices with Ethernet connection
Remediation
PHOENIX CONTACT strongly recommends upgrading affected charge controllers to firmware version 1.6 or higher, which fixes these vulnerabilities.
CERT@VDE coordinated with PHOENIX CONTACT
These vulnerabilities were discovered by Trend Micro's Zero Day Initiative and SinSinology.
We kindly appreciate the coordinated disclosure of these vulnerabilities by the finders.
For CVE-2024-28133, CVE-2024-28134 and CVE-2024-28135: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam), working with Trend Micro Zero Day Initiative.
For CVE-2024-28136: @ByteInsight, working with Trend Micro Zero Day Initiative.
For CVE-2024-28137: Todd Manning, working with Trend Micro Zero Day Initiative.