SB2024062534 - Multiple vulnerabilities in Phoenix Contact CHARX SEC charge controllers
Published: June 25, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2024-25994)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the CharxUpdateAgent service. A remote attacker can upload a malicious file and execute it on the server.
2) Improper Output Neutralization for Logs (CVE-ID: CVE-2024-25997)
CWE-ID: CWE-117 - Improper Output Neutralization for Logs
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficient neutralization of special characters when writing to logs. A remote attacker on the local network can inject malicious content into log files on affected installations.
3) Missing Authentication for Critical Function (CVE-ID: CVE-2024-25995)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to missing authentication for critical function within the CharxSystemConfigManager service. A remote attacker on the local network can execute arbitrary code on the target system.
4) Origin validation error (CVE-ID: CVE-2024-25996)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to missing origin validation within the configuration of firewall rules. A remote attacker on the local network can bypass firewall rules and access another interface on affected installations.
5) Inadequate Encryption Strength (CVE-ID: CVE-2024-26288)
CWE-ID: CWE-326 - Inadequate Encryption Strength
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to inadequate encryption strength within the implementation of the OCPP protocol. A remote attacker on the local network can bypass authentication and execute arbitrary code on the target system.
6) Type Confusion (CVE-ID: CVE-2024-26000)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a type confusion error within the handling of JSON-encoded arrays. A remote attacker on the local network can pass specially crafted data to the application, trigger a type confusion error and gain unauthorized access to sensitive information on the system.
7) Out-of-bounds read (CVE-ID: CVE-2024-26003)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the parsing of the HomePlug Green PHY Protocol. A remote attacker in the local network can trigger an out-of-bounds read error and read contents of memory on the system.
8) Use-after-free (CVE-ID: CVE-2024-26005)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the handling of ClientSession objects in the CharxControllerAgent service. A remote attacker on the local network can execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
9) Buffer overflow (CVE-ID: CVE-2024-26001)
CWE-ID: CWE-119 - Memory corruption
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the handling of JSON-encoded arrays. A remote attacker on the local network can trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
10) Improper Privilege Management (CVE-ID: CVE-2024-26002)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management within the plctool binary. A local user can escalate privileges.
11) Command Injection (CVE-ID: CVE-2024-25998)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to improper input validation within the handling of the location parameter of the UpdateFirmwareRequest command. A remote attacker on the local network can pass specially crafted data to the application and execute arbitrary commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Input validation error (CVE-ID: CVE-2024-25999)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input within the charx_pack_logs script. A local user can pass specially crafted input to the application and execute arbitrary code in the context of root.
13) NULL pointer dereference (CVE-ID: CVE-2024-26004)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the handling of CANopenDevice objects. A remote attacker on the local network can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://cert.vde.com/en/advisories/VDE-2024-011
- https://www.zerodayinitiative.com/advisories/ZDI-24-867/
- https://www.zerodayinitiative.com/advisories/ZDI-24-855/
- https://www.zerodayinitiative.com/advisories/ZDI-24-856/
- https://www.zerodayinitiative.com/advisories/ZDI-24-857/
- https://www.zerodayinitiative.com/advisories/ZDI-24-858/
- https://www.zerodayinitiative.com/advisories/ZDI-24-859/
- https://www.zerodayinitiative.com/advisories/ZDI-24-860/
- https://www.zerodayinitiative.com/advisories/ZDI-24-861/
- https://www.zerodayinitiative.com/advisories/ZDI-24-862/
- https://www.zerodayinitiative.com/advisories/ZDI-24-863/
- https://www.zerodayinitiative.com/advisories/ZDI-24-864/
- https://www.zerodayinitiative.com/advisories/ZDI-24-865/
- https://www.zerodayinitiative.com/advisories/ZDI-24-866/