Iocharger Buffer Overflow Vulnerability in OCPP Service CGI Scripts

A buffer overflow vulnerability has been identified in the Iocharger .so library used by Iocharger AC models prior to version 24120701. The vulnerability arises in the certificate deletion process, where a long file path can be provided to the .exe CGI binary or the .sh CGI script. This path is then written to a file that the vulnerable library reads, leading to a buffer overflow. Exploitation of this vulnerability causes the OCPP communication process to crash repeatedly, creating a denial-of-service condition that cannot be recovered by the user.

Impact

Exploitation of this vulnerability causes the OCPP process to crash, leading to a persistent denial-of-service condition on the affected device.

Reproduction

The vulnerability can be reproduced by sending an HTTP request that includes a long file path to the Iocharger .exe CGI binary or the .sh CGI script. This can be done by an authenticated user with access to these scripts.

Remediation

Iocharger has released a firmware update version 24120701 that addresses this vulnerability. Users should contact their Iocharger distributor or reach out to Iocharger directly at sales@iocharger.com to obtain the updated firmware.