CVE-2024-43661
Published: 09 January 2025
Description
The <redacted>.so library, which is used by <redacted>, is vulnerable to a buffer overflow in the code that handles the deletion of certificates. This buffer overflow can be triggered by providing a long file path to the <redacted> action of the <redacted>.exe CGI binary or to the <redacted>.sh CGI script. This binary or script will write this file path to <redacted>, which is then read by <redacted>.so This issue affects Iocharger firmware for AC models before version 24120701. Likelihood: Moderate – An attacker will have to find this exploit by either obtaining the binaries involved in this vulnerability, or by trial and error. Furthermore, the attacker will need a (low privilege) account to gain access to the <redacted>.exe CGI binary or <redacted>.sh script to trigger the vulnerability, or convince a user with such access send an HTTP request that triggers it. Impact: High – The <redacted> process, which we assume is responsible for OCPP communication, will keep crashing after performing the exploit. This happens because the buffer overflow causes the process to segfault before <redacted> is removed. This means that, even though <redacted> is automatically restarted, it will crash again as soon as it tries to parse the text file. CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The attack leads to reducred availability of the device (VC:N/VI:N/VA:H). THere is not impact on subsequent systems. (SC:N/SI:N/SA:N). Alltough this device is an EV charger handing significant amounts of power, we do not forsee a safety impact. The attack can be automated (AU:Y). Because the DoS condition is written to disk persistantly, it cannot be recovered by the user (R:I).
Security Summary
CVE-2024-43661 is a stack-based buffer overflow vulnerability (CWE-121) in the <redacted>.so library, which is used by <redacted> within Iocharger firmware for AC models prior to version 24120701. The flaw resides in the code handling certificate deletion and is triggered by supplying a long file path to the <redacted> action via the <redacted>.exe CGI binary or the <redacted>.sh CGI script. These components write the malicious path to <redacted>, which is subsequently read by the vulnerable library, causing the overflow.
An attacker requires a low-privilege account to access the affected CGI binary or script, or must convince a legitimate user with such access to send a triggering HTTP request. Exploitation is feasible over any network connection where the device's web interface is exposed, with moderate likelihood due to the need for either obtaining the binaries or trial-and-error discovery. Successful exploitation causes the <redacted> process—assumed to handle OCPP communication—to segfault repeatedly upon attempting to parse the tainted file, even after automatic restarts, resulting in a high-impact, persistent denial-of-service condition written to disk. The vendor-assessed CVSS score is 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), though clarification notes low-privilege authentication (PR:L) and availability impact (VA:H).
Advisories from DIVD CSIRT, including https://csirt.divd.nl/CVE-2024-43661/ and https://csirt.divd.nl/DIVD-2024-00035/, along with the vendor site at https://iocharger.com, provide further details; mitigation involves updating to Iocharger firmware version 24120701 or later for affected AC models.
Details
- CWE(s)