CVE-2024-43663
Published: 09 January 2025
Description
There are many buffer overflow vulnerabilities present in several CGI binaries of the charging station.This issue affects Iocharger firmware for AC model chargers beforeversion 24120701. Likelihood: High – Given the prevalence of these buffer overflows, and the clear error message of the web server, an attacker is very likely to be able to find these vulnerabilities. Impact: Low – Usually, overflowing one of these buffers just causes a segmentation fault of the CGI binary, which causes the web server to return a 502 Bad Gateway error. However the webserver itself is not affected, and no DoS can be achieved. Abusing these buffer overflows in a meaningful way requires highly technical knowledge, especially since ASLR also seems to be enabled on the charging station. However, a skilled attacker might be able to use one of these buffer overflows to obtain remote code execution. CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The attack has a small impact on the availability of the device (VC:N/VI:N/VA:L). There is no impact on subsequent systems. (SC:N/SI:N/SA:N). While this device is an EV charger handing significant amounts of power, we do not expect this vulnerability to have a safety impact. The attack can be automated (AU:Y).
Security Summary
CVE-2024-43663 is a set of buffer overflow vulnerabilities (CWE-121) present in several CGI binaries within the Iocharger firmware for AC model electric vehicle chargers. These issues affect devices running firmware versions prior to 24120701. Published on 2025-01-09, the vulnerability stems from inadequate bounds checking in the CGI components, leading to potential memory corruption when processing malformed inputs.
The vulnerability can be exploited remotely over any network connection where the charging station's web interface is accessible (AV:N/AC:L/AT:N). While the provided CVSS clarification notes that authentication is required (PR:L) and typically results in a segmentation fault of the CGI binary—yielding a 502 Bad Gateway error with no denial-of-service on the web server—the formal CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates potential for high confidentiality, integrity, and availability impacts, including remote code execution. Exploitation likelihood is rated high due to the prevalence of overflows and clear web server error messages, though achieving meaningful code execution demands advanced skills given enabled ASLR. No user interaction is needed (UI:N), and attacks can be automated (AU:Y), but there is no expected safety impact despite the device's control over high-power charging.
Advisories from DIVD CSIRT (https://csirt.divd.nl/CVE-2024-43663/ and https://csirt.divd.nl/DIVD-2024-00035/) detail the issues, with the vendor site (https://iocharger.com) as a reference. Mitigation involves updating to Iocharger firmware version 24120701 or later to address the vulnerable CGI binaries.
Details
- CWE(s)