Iocharger Buffer Overflow Vulnerability in CGI Binaries of AC Model Chargers

A buffer overflow vulnerability has been identified in multiple CGI binaries of Iocharger AC model chargers, affecting firmware versions prior to 24120701. This vulnerability is likely to be exploited, as the buffer overflows are common and the web server provides clear error messages. While such overflows typically result in a segmentation fault and a 502 Bad Gateway error, a skilled attacker could potentially leverage them for remote code execution, despite the presence of Address Space Layout Randomization (ASLR) on the charging station.

Impact

Exploitation of this vulnerability causes a segmentation fault in the CGI binary, leading to a 502 Bad Gateway error. However, this does not disrupt the web server or cause a denial-of-service condition. In a more advanced scenario, the buffer overflow could be manipulated for remote code execution.

Remediation

Iocharger has released a firmware update version 24120701 that addresses this vulnerability. For versions 25010801, an additional three vulnerabilities were fixed. The firmware is available through Iocharger distributors. If not contacted by a distributor, users can reach out to Iocharger directly via email for the update.