CVE-2024-43649 Information

Description

Authenticated command injection in the filename of a .exe request leads to remote code execution as the root user.

This issue affects Iocharger firmware for AC models before version 24120701.

Likelihood: Moderate – This action is not a common place for command injection vulnerabilities to occur. Thus an attacker will likely only be able to find this vulnerability by reverse-engineering the firmware or trying it on all fields. The attacker will also need a (low privilege) account to gain access to the binary or convince a user with such access to execute a payload.

Impact: Critical – The attacker has full control over the charging station as the root user and can arbitrarily add modify and delete files and services.

CVSS clarification: This attack can be performed over any network conenction serving the web interfacr (AV:N) and there are not additional mitigating measures that need to be circumvented (AC:L) or other prerequisites (AT:N). The attack does require privileges but the level does not matter (PR:L) there is no user interaction required (UI:N). The attack leeds to a full compromised of the charger (VC:H/VI:H/VA:H) and a compromised charger can be used to \pivot\ to networks that should normally not be reachable (SC:L/SI:L/SA:H). Because this is an EV chargers with significant pwoer there is a potential safety imp0act (S:P). THis attack can be automated (AU:Y).

Reference

https://csirt.divd.nl/CVE-2024-43649/ https://csirt.divd.nl/DIVD-2024-00035/ https://iocharger.com