Critical vulnerabilities have been found in the Phoenix Contact CHARX SEC-3100, allowing attackers to run arbitrary code and disclose confidential information on affected installations of the device.
Notably, these vulnerabilities were discovered as part of a PWN2OWN competition initiated by Trend Micro Zero Day Initiative (ZDI).
Even though an EV charger uses non-standard protocols and physical interfaces that make it look like an “exotic” target at first, once those are understood, everything eventually comes down to a binary that consumes untrusted input (for example, from the network), and all the well-known principles of memory corruption apply.
CHARX Remote Attack Surface
CHARX runs a 32-bit ARM-based embedded Linux. SSH is enabled by default, and the default password for the unprivileged user user-app is user.
The physical network interfaces are two Ethernet ports, designated ETH0 and ETH1. ETH0 is meant to provide the connection to the “outside world,” most likely a larger network and/or the Internet, while ETH1 is meant to connect to the ETH0 port of another CHARX. In this way CHARX devices can be daisy-chained so they can communicate with each other.
According to the Ret2 Systems blog, the Controller Agent facilitates communication between the AC controller and other daisy-chained CHARX devices.
The Controller Agent can be reached over the HomePlug Green PHY protocol, as well as over TCP and UDP.
HomePlug is a family of protocols for powerline communication (PLC), that is, data transmission over electrical wiring. The protocol relevant here is HomePlug Green PHY.
Understanding The Significant Vulnerabilities
CVE-2024-26003 – HomePlug Protocol Out-Of-Bounds Read Information Disclosure Vulnerability
The first vulnerability, tracked as CVE-2024-26003 with a CVSS base score of 4.3, enables network-adjacent attackers to disclose sensitive information on affected Phoenix Contact CHARX SEC-3100 installations.
The specific issue is found within the parsing of the HomePlug Green PHY Protocol. The problem stems from improper validation of data supplied by the user, which may cause a read beyond the allocated buffer’s end.
When combined with additional vulnerabilities, this gives an attacker the ability to run any code on the device.
For the exploit, the researchers took advantage of the fact that a std::vector of size 0 has a null pointer as its backing store, so that attempting to read from this vector inside the parsing loop results in a null-pointer dereference.
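The underlying bug class is easy to see in a toy parser. The following is an added example, not code from the CHARX firmware or from the Ret2 Systems write-up; the message layout (a field count taken from a header, followed by 16-bit fields in a separate payload vector) is constructed for illustration and is not the real HomePlug Green PHY format. The unchecked version trusts the count and walks off the end of the payload; when the payload vector is empty, its data() pointer may be null, so the first read is a null dereference. The checked version validates the count against the payload size before the loop runs.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Vulnerable pattern (shown for contrast; never call on untrusted input):
// 'count' comes straight from the packet and is trusted. If count exceeds
// the number of fields actually present, the loop reads past the end of
// 'payload'. If 'payload' has size 0, payload.data() may be nullptr and the
// very first access dereferences a null pointer.
std::vector<uint16_t> parse_unchecked(size_t count,
                                      const std::vector<uint8_t>& payload) {
    std::vector<uint16_t> fields;
    const uint8_t* p = payload.data();
    for (size_t i = 0; i < count; ++i) {
        fields.push_back(static_cast<uint16_t>((p[2 * i] << 8) | p[2 * i + 1]));
    }
    return fields;
}

// Hardened pattern: validate the attacker-controlled count against the bytes
// actually received before touching the buffer. Comparing against
// payload.size() / 2 (rather than computing count * 2) also avoids a size_t
// overflow for absurdly large counts. Returns false if the message is malformed.
bool parse_checked(size_t count, const std::vector<uint8_t>& payload,
                   std::vector<uint16_t>& out) {
    out.clear();
    if (count > payload.size() / 2) {
        return false;  // claimed more fields than the payload can hold
    }
    for (size_t i = 0; i < count; ++i) {
        // Safe: 2*i + 1 < 2*count <= payload.size()
        out.push_back(static_cast<uint16_t>((payload[2 * i] << 8) | payload[2 * i + 1]));
    }
    return true;
}

int main() {
    // Constructed inputs: a well-formed two-field message and a header that
    // claims one field while the payload is empty (the null-backing-store case).
    std::vector<uint16_t> fields;
    bool ok_good = parse_checked(2, {0x01, 0x02, 0x03, 0x04}, fields);  // true
    bool ok_bad = parse_checked(1, {}, fields);                          // false
    return (ok_good && !ok_bad) ? 0 : 1;
}
```

The check belongs at the protocol boundary, before any loop indexes the buffer; a fuzzer fed truncated and zero-length frames is the quickest way to confirm a parser of this shape has it.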
CVE-2024-26005 – ClientSession Use-After-Free Remote Code Execution Vulnerability
This vulnerability, which has a CVSS base score of 8.8, enables network-adjacent attackers to run arbitrary code on affected Phoenix Contact CHARX SEC-3100 installations.
The specific flaw exists in the CharxControllerAgent service’s handling of ClientSession objects. The problem arises when operations are performed on an object without first verifying that it still exists, a use-after-free condition.
This vulnerability allows an attacker to run code within the CharxControllerAgent service.
In this instance, researchers say the exit handlers were the “organic” cause of the issue.
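The defensive pattern that prevents this class of bug is to keep a single owner for each session object and to look the session up (or lock a non-owning handle) immediately before every operation, so that work queued before teardown, including work triggered from an exit handler, finds that the object is gone rather than touching freed memory. The following is an added example and is not the CharxControllerAgent code; the Session struct, SessionRegistry and DeferredSend are hypothetical stand-ins constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <unordered_map>

// Hypothetical stand-in for a ClientSession (constructed; not the real type).
struct Session {
    uint32_t id;
    std::string peer;
    int messages_sent = 0;
};

// Single owner of all live sessions. Everything else holds either the id
// (and looks it up) or a weak_ptr (and locks it) right before use.
class SessionRegistry {
public:
    std::shared_ptr<Session> open(uint32_t id, std::string peer) {
        auto s = std::make_shared<Session>(Session{id, std::move(peer)});
        sessions_[id] = s;
        return s;
    }
    // Drops the owning reference; a still-outstanding weak_ptr will fail to lock.
    bool close(uint32_t id) { return sessions_.erase(id) == 1; }
    // Look up first, operate second. The unsafe pattern this replaces is
    // caching a raw Session* and using it after close() destroyed the object.
    bool send(uint32_t id, const std::string& /*msg*/) {
        auto it = sessions_.find(id);
        if (it == sessions_.end()) return false;  // session no longer exists
        it->second->messages_sent++;
        return true;
    }
    std::size_t live() const { return sessions_.size(); }
    void close_all() { sessions_.clear(); }  // what an exit handler would do

private:
    std::unordered_map<uint32_t, std::shared_ptr<Session>> sessions_;
};

// Queued work that must not extend the session's lifetime or assume it.
struct DeferredSend {
    std::weak_ptr<Session> target;
    // Returns true only if the session was still alive and the send happened.
    bool run() {
        if (auto s = target.lock()) {
            s->messages_sent++;
            return true;
        }
        return false;  // object already destroyed: skip instead of use-after-free
    }
};

struct ShutdownResult {
    bool deferred_ran;
    std::size_t live_after;
    bool send_ok;
};

// Scenario: work is queued against a session, then an exit handler tears all
// sessions down before the queued work runs.
ShutdownResult shutdown_scenario() {
    SessionRegistry reg;
    auto s = reg.open(7, "192.0.2.10");  // constructed peer (documentation range)
    DeferredSend pending{s};             // non-owning handle only
    s.reset();                           // registry is now the sole owner
    reg.close_all();                     // exit handler runs first
    bool ran = pending.run();            // lock() fails -> false
    bool ok = reg.send(7, "bye");        // lookup fails -> false
    return {ran, reg.live(), ok};
}
```

The same discipline applies whether the registry is a map of shared_ptr or an intrusive list with explicit reference counts: the operation must re-establish that the object exists in the current state, not rely on a pointer captured earlier.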
Phoenix Contact has released an update to address these vulnerabilities. While some of the vulnerabilities carry a medium risk by themselves, chaining or combining them can result in an RCE that compromises the device entirely.
Updating to the most recent version, which addresses these vulnerabilities, is highly advised.