SteVe EV Charging Management System Stop Transaction Improper Access Control Vulnerability
Vulnerability
A vulnerability in the SteVe EV charging station management system allows any authenticated charger to terminate active charging sessions on other chargers managed by the same server. The issue affects versions prior to 3.11.0, the release that contains the fix. The StopTransaction message handler does not verify that the charger sending the message is the one that started the transaction; it looks the transaction up by transaction ID alone, and transaction IDs are sequential integers that are trivial to enumerate. An attacker who controls a registered charger can therefore send StopTransaction messages covering every active transaction ID and terminate the sessions on all other chargers at once. According to the advisory, where the unauthenticated SOAP endpoints are exposed the attack does not require a registered charger at all.
Impact
Exploitation allows unauthorized termination of active charging sessions on other chargers, denying service to the drivers using them and potentially corrupting transaction records and reporting, since the terminated sessions are closed by a message the attacker controls rather than by the charger that started them.
Reproduction
From a registered (authenticated) charger, send StopTransaction messages whose transactionId values cover the active sessions of other chargers. Because transaction IDs are sequential integers, they can be enumerated rather than discovered: a single script that sweeps the ID range terminates every active session on the server. If the unauthenticated SOAP endpoints are reachable, the same messages can be sent without a registered charger, using only a known chargeBoxId.
Remediation
The vulnerability is fixed in version 3.11.0; users should upgrade to that version or later. The fix changes the transaction lookup used by the StopTransaction handler to require a matching chargeBoxId, so a charger can only stop transactions it started itself. Where upgrading is not immediately possible, exposure of the unauthenticated SOAP endpoints to untrusted networks should be limited, since they remove even the registered-charger requirement for this attack.
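The following is an added example, not SteVe's code, that models both the reproduction above and the fix: a hypothetical in-memory central system handles OCPP 1.6-J StopTransaction frames (the frame layout, message type numbers and error codes are those of the OCPP-J specification; the `Csms`, `Transaction`, `sweep` and `demo` names, the charger IDs and the meter values are constructed for this illustration). With `check_owner=False` the handler looks transactions up by ID alone, so a sweep from one charger stops every session; with `check_owner=True` the lookup also requires the sender's chargeBoxId, and only that charger's own session is stopped.

```python
import json
from dataclasses import dataclass, field

# OCPP 1.6-J message type identifiers (from the OCPP-J specification).
CALL, CALLRESULT, CALLERROR = 2, 3, 4


@dataclass
class Transaction:
    transaction_id: int
    charge_box_id: str   # the charger that started the transaction
    active: bool = True


@dataclass
class Csms:
    """Hypothetical in-memory central system (not SteVe's implementation).

    check_owner=False models the vulnerable lookup (by transaction ID only);
    check_owner=True models the fix (lookup also requires the chargeBoxId).
    """
    check_owner: bool
    transactions: dict = field(default_factory=dict)
    next_id: int = 1  # sequential integer IDs, as described in the advisory

    def start_transaction(self, charge_box_id: str) -> int:
        tx = Transaction(self.next_id, charge_box_id)
        self.transactions[tx.transaction_id] = tx
        self.next_id += 1
        return tx.transaction_id

    def _lookup(self, transaction_id: int, sender: str):
        tx = self.transactions.get(transaction_id)
        if tx is None or not tx.active:
            return None
        if self.check_owner and tx.charge_box_id != sender:
            return None  # fixed behaviour: not the sender's transaction
        return tx  # vulnerable behaviour reaches here for any sender

    def handle_frame(self, sender: str, raw: str) -> str:
        """Handle one OCPP-J frame received on the connection of charger `sender`."""
        msg = json.loads(raw)
        if len(msg) != 4 or msg[0] != CALL:
            uid = msg[1] if len(msg) > 1 else ""
            return json.dumps([CALLERROR, uid, "ProtocolError", "expected a CALL", {}])
        _, uid, action, payload = msg
        if action != "StopTransaction":
            return json.dumps([CALLERROR, uid, "NotSupported", "only StopTransaction is modelled", {}])
        tx = self._lookup(payload["transactionId"], sender)
        if tx is None:
            # One generic rejection for "unknown" and "not yours", so the
            # response does not become an oracle for which IDs exist.
            return json.dumps([CALLERROR, uid, "PropertyConstraintViolation",
                               "transactionId not valid for this charge point", {}])
        tx.active = False
        return json.dumps([CALLRESULT, uid, {"idTagInfo": {"status": "Accepted"}}])

    def active_ids(self) -> list:
        return sorted(t.transaction_id for t in self.transactions.values() if t.active)


def stop_transaction_frame(uid: str, transaction_id: int) -> str:
    """Build a StopTransaction.req CALL frame with the mandatory OCPP 1.6 fields."""
    payload = {"transactionId": transaction_id, "meterStop": 0,
               "timestamp": "2024-01-01T00:00:00Z"}  # constructed values
    return json.dumps([CALL, uid, "StopTransaction", payload])


def sweep(csms: Csms, attacker: str, max_id: int) -> list:
    """Attacker on charger `attacker` enumerates IDs 1..max_id and tries to stop each.
    Returns the transaction IDs the server accepted."""
    accepted = []
    for tid in range(1, max_id + 1):
        resp = json.loads(csms.handle_frame(attacker, stop_transaction_frame(f"atk-{tid}", tid)))
        if resp[0] == CALLRESULT:
            accepted.append(tid)
    return accepted


def demo(check_owner: bool):
    """Three chargers with one active session each; CP-A is attacker-controlled."""
    csms = Csms(check_owner=check_owner)
    for box in ("CP-A", "CP-B", "CP-C"):
        csms.start_transaction(box)
    stopped = sweep(csms, "CP-A", max_id=10)
    return stopped, csms.active_ids()


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # ([1, 2, 3], [])
    print("fixed:     ", demo(True))   # ([1], [2, 3])
```

The ownership check is deliberately placed inside the lookup rather than after it, which is also where the page says the real fix went: a lookup keyed on both transaction ID and chargeBoxId cannot return another charger's transaction, so later handler code has nothing to forget. Returning the same error for a non-existent and a non-owned transaction keeps the response from confirming which sequential IDs are live.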
