SB2024062534 - Multiple vulnerabilities in Phoenix Contact CHARX SEC charge controllers
Published: June 25, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 secuirty vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2024-25994)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the CharxUpdateAgent service. A remote attacker can upload a malicious file and execute it on the server.
2) Improper Output Neutralization for Logs (CVE-ID: CVE-2024-25997)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient neutralization of special characters when writing to logs. A remote attacker on the local network can inject malicious content into log files on affected installations.
3) Missing Authentication for Critical Function (CVE-ID: CVE-2024-25995)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to missing authentication for critical function within the CharxSystemConfigManager service. A remote attacker on the local network can execute arbitrary code on the target system.
4) Origin validation error (CVE-ID: CVE-2024-25996)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to missing origin validation within the configuration of firewall rules. A remote attacker on the local network can bypass firewall rules and access another interface on affected installations.
5) Inadequate Encryption Strength (CVE-ID: CVE-2024-26288)
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to inadequate encryption strength within the implementation of the OCPP protocol. A remote attacker on the local network can bypass authentication and execute arbitrary code on the target system.
6) Type Confusion (CVE-ID: CVE-2024-26000)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a type confusion error within the handling of JSON-encoded arrays. A remote attacker on the local network can pass specially crafted data to the application, trigger a type confusion error and gain unauthorized access to sensitive information on the system.
7) Out-of-bounds read (CVE-ID: CVE-2024-26003)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the parsing of the HomePlug Green PHY Protocol. A remote attacker in the local network can trigger an out-of-bounds read error and read contents of memory on the system.
8) Use-after-free (CVE-ID: CVE-2024-26005)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the handling of ClientSession objects in the CharxControllerAgent service. A remote attacker on the local network can execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
9) Buffer overflow (CVE-ID: CVE-2024-26001)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the handling of JSON-encoded arrays. A remote attacker on the local network can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Improper Privilege Management (CVE-ID: CVE-2024-26002)
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management within the plctool binary. A local user can escalate privileges.
11) Command Injection (CVE-ID: CVE-2024-25998)
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the handling of the location parameter of the UpdateFirmwareRequest command. A remote attacker on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Input validation error (CVE-ID: CVE-2024-25999)
The vulnerability allows a local user to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input within the charx_pack_logs script. A local user can pass specially crafted input to the application and execute arbitrary code in the context of root.
13) NULL pointer dereference (CVE-ID: CVE-2024-26004)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the handling of CANopenDevice objects. A remote attacker on the local network can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://cert.vde.com/en/advisories/VDE-2024-011
- https://www.zerodayinitiative.com/advisories/ZDI-24-867/
- https://www.zerodayinitiative.com/advisories/ZDI-24-855/
- https://www.zerodayinitiative.com/advisories/ZDI-24-856/
- https://www.zerodayinitiative.com/advisories/ZDI-24-857/
- https://www.zerodayinitiative.com/advisories/ZDI-24-858/
- https://www.zerodayinitiative.com/advisories/ZDI-24-859/
- https://www.zerodayinitiative.com/advisories/ZDI-24-860/
- https://www.zerodayinitiative.com/advisories/ZDI-24-861/
- https://www.zerodayinitiative.com/advisories/ZDI-24-862/
- https://www.zerodayinitiative.com/advisories/ZDI-24-863/
- https://www.zerodayinitiative.com/advisories/ZDI-24-864/
- https://www.zerodayinitiative.com/advisories/ZDI-24-865/
- https://www.zerodayinitiative.com/advisories/ZDI-24-866/