{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "cveMetadata": {
    "cveId": "CVE-2024-43661",
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "title": "Buffer overflow in <redacted>.so leads to DoS of OCPP service",
      "datePublic": "2025-01-09T00:00:00.000Z",
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "cweId": "CWE-121",
              "description": "CWE-121 Exploit Non-Production Interfaces",
              "type": "CWE"
            }
          ]
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-607",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-607 Obstruction"
            }
          ]
        }
      ],
      "affected": [
        {
          "vendor": "Iocharger",
          "product": "Iocharger firmware for AC models",
          "versions": [
            {
              "status": "affected",
              "version": "0",
              "lessThan": "24120701",
              "versionType": "custom"
            }
          ],
          "defaultStatus": "unaffected"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The <redacted>.so library, which is used by <redacted>, is\nvulnerable to a buffer overflow in the code that handles the deletion\nof certificates. This buffer overflow can be triggered by providing a\nlong file path to the <redacted> action of the <redacted>.exe CGI binary or\nto the <redacted>.sh CGI script. This binary or script will write this\nfile path to <redacted>, which is then\nread by <redacted>.so\n\n\nThis issue affects Iocharger firmware for AC models before version 24120701.\n\nLikelihood: Moderate – An attacker will have to find this exploit by\neither obtaining the binaries involved in this vulnerability, or by trial\nand error. Furthermore, the attacker will need a (low privilege)\naccount to gain access to the <redacted>.exe CGI binary or <redacted>.sh\nscript to trigger the vulnerability, or convince a user with such access\nsend an HTTP request that triggers it.\n\n\nImpact: High – The <redacted> process, which we assume is\nresponsible for OCPP communication, will keep crashing after\nperforming the exploit. This happens because the buffer overflow\ncauses the process to segfault before\n<redacted> is removed. This means that,\neven though <redacted> is automatically restarted, it will crash\nagain as soon as it tries to parse the text file.\n\nCVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The attack leads to reducred availability of the device (VC:N/VI:N/VA:H). THere is not impact on subsequent systems. (SC:N/SI:N/SA:N). Alltough this device is an EV charger handing significant amounts of power, we do not forsee a safety impact. The attack can be automated (AU:Y). Because the DoS condition is written to disk persistantly, it cannot be recovered by the user (R:I).",
          "supportingMedia": [
            {
              "type": "text/html",
              "base64": false,
              "value": "The &lt;redacted&gt;.so library, which is used by &lt;redacted&gt;, is\nvulnerable to a buffer overflow in the code that handles the deletion\nof certificates. This buffer overflow can be triggered by providing a\nlong file path to the &lt;redacted&gt; action of the &lt;redacted&gt;.exe CGI binary or\nto the &lt;redacted&gt;.sh CGI script. This binary or script will write this\nfile path to &lt;redacted&gt;, which is then\nread by &lt;redacted&gt;.so\n<br><br>This issue affects Iocharger firmware for AC models before version 24120701.<br><br>Likelihood: Moderate – An attacker will have to find this exploit by\neither obtaining the binaries involved in this vulnerability, or by trial\nand error. Furthermore, the attacker will need a (low privilege)\naccount to gain access to the &lt;redacted&gt;.exe CGI binary or &lt;redacted&gt;.sh\nscript to trigger the vulnerability, or convince a user with such access\nsend an HTTP request that triggers it.\n<br><br>Impact: High – The &lt;redacted&gt; process, which we assume is\nresponsible for OCPP communication, will keep crashing after\nperforming the exploit. This happens because the buffer overflow\ncauses the process to segfault before\n&lt;redacted&gt; is removed. This means that,\neven though &lt;redacted&gt; is automatically restarted, it will crash\nagain as soon as it tries to parse the text file.<br><br>CVSS clarification. The attack can be executed over any network connection the station is listening to and serves the web interface (AV:N), and there are no additional security measure sin place that need to be circumvented (AC:L), the attack does not rely on preconditions (AT:N). The attack does require authentication, but the level of authentication is irrelevant (PR:L), it does not require user interaction (UI:N). The attack leads to reducred availability of the device (VC:N/VI:N/VA:H). THere is not impact on subsequent systems. (SC:N/SI:N/SA:N). Alltough this device is an EV charger handing significant amounts of power, we do not forsee a safety impact. The attack can be automated (AU:Y). Because the DoS condition is written to disk persistantly, it cannot be recovered by the user (R:I).<br>"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://csirt.divd.nl/DIVD-2024-00035/",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://csirt.divd.nl/CVE-2024-43661/",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://iocharger.com",
          "tags": [
            "product"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ],
          "cvssV4_0": {
            "version": "4.0",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "HIGH",
            "subAvailabilityImpact": "NONE",
            "Safety": "NOT_DEFINED",
            "Automatable": "YES",
            "Recovery": "IRRECOVERABLE",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED",
            "baseSeverity": "HIGH",
            "baseScore": 7.1,
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/AU:Y/R:I"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Wilco van Beijnum",
          "type": "finder"
        },
        {
          "lang": "en",
          "value": "Harm van den Brink (DIVD)",
          "type": "analyst"
        },
        {
          "lang": "en",
          "value": "Frank Breedijk (DIVD)",
          "type": "analyst"
        }
      ],
      "source": {
        "advisory": "DIVD-2024-00035",
        "discovery": "EXTERNAL"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  }
}