| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <884d9418-36d4-4f58-8f2f-5384a926d3c3@sec-consult.com>
Date: Mon, 26 May 2025 12:23:08 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
<fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20250521-0 :: Multiple Vulnerabilities in
eCharge Hardy Barth cPH2 and cPP2 charging stations
SEC Consult Vulnerability Lab Security Advisory < 20250521-0 >
=======================================================================
title: Multiple Vulnerabilities
product: eCharge Hardy Barth cPH2 and cPP2 charging stations
vulnerable version: 2.2.0
fixed version: Not available
CVE number: CVE-2025-27803, CVE-2025-27804, CVE-2025-48413,
CVE-2025-48414, CVE-2025-48415, CVE-2025-48416,
CVE-2025-48417
impact: critical
homepage: https://www.echarge.de/
found: 2023-11-13 (first findings)
by: Stefan Viehböck (Office Linz)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Parallel to the master school, the young entrepreneur founded the sideline
business "Elektrohandel Hardy Barth", which was already changed into a
full-time business with the name "EDV- und Elektrotechnik Hardy Barth"
three years later.
Today, we successfully manage our company with over 80 employees, which
currently specializes in 5 specialist areas on the market."
Source: https://www.echarge.de/
Business recommendation:
------------------------
The products are affected by serious vulnerabilities exploitable via both
physical access and unauthenticated network access, posing serious risks that
can result in system compromise, data breaches, and operational disruption in
EV charging infrastructures.
SEC Consult recommends charge point operators (CPOs) to take active measures
to minimize risk until all identified vulnerabilities have been fully
resolved and a comprehensive security review is conducted by independent
security professionals. These measures include physically securing all
charging stations, implementing video surveillance to deter and detect
unauthorized access, isolating and segmenting the devices from other critical
network infrastructure, enforcing strict firewalling rules, and disabling
remote access interfaces unless absolutely necessary. Where remote access is
required, strong authentication and VPNs should be used. Continuous
monitoring of logs and network activity is also strongly advised.
Note: SEC Consult did not analyze OCPP (Open Charge Point Protocol) as an
attack vector in the context of these vulnerabilities. CPOs should consider
this in their risk assessment and security architecture.
Despite being notified via a responsible disclosure, the vendor did not
provide any fixes over a period of 160 days. We decided to publish this
vulnerability now to enable mitigations against attacks.
Vulnerability overview/description:
-----------------------------------
1) Missing Authentication (CVE-2025-27803)
The device does not implement any authentication for the web interface or the
MQTT server. An attacker who has network access to the device immediately gets
administrative access to the device and can perform arbitrary administrative
actions and reconfigure the device or potentially gain access to sensitive data.
2) Multiple OS Command Injection Vulnerabilities (CVE-2025-27804)
Several OS command injection vulnerabilities exist in the device firmware
in the /var/salia/mqtt.php script. By publishing a specially crafted message to a
certain MQTT topic arbitrary OS commands can be executed with root permissions.
3) OS Backdoor User "root" (CVE-2025-48413)
The `/etc/passwd` and `/etc/shadow` files reveal hard-coded password
hashes for the "root" user. The credentials are shipped with the update
files. There is no option for deleting or changing their passwords for an enduser.
An attacker can use the credentials to log into the device. Authentication can
be performed via the SSH backdoor (see issue #6) or likely via physical access
(UART shell).
4) Backdoor Functionality via Web Interface (CVE-2025-48414)
There are several scripts in the web interface that are accessible via undocumented
hard-coded credentials. The scripts provide access to additional administrative/debug
functionality and are likely intended for debugging during development. The functionality
was not analyzed in detail, but of course it provides additional attack surface.
5) Backdoor Functionality via USB Drive (CVE-2025-48415)
A USB backdoor feature can be triggered by attaching a USB drive that contains
specially crafted "salia.ini" files. The .ini file can contain several "commands"
that could be exploited by an attacker to export or modify the device configuration,
enable an SSH backdoor (issue #6) or perform other administrative actions. Ultimately,
this backdoor also allows arbitrary execution of OS commands.
6) Backdoor Functionality via SSH (CVE-2025-48416)
An OpenSSH daemon listens on TCP port 22. There is a hard-coded entry in the
"/etc/shadow" file in the firmware image for the "root" user (see issue #3).
However, in the default SSH configuration the "PermitRootLogin" is disabled, preventing
the root user from logging in via SSH. This configuration can be bypassed/changed
by an attacker through multiple paths.
7) Hard-Coded Certificate and Private Key for HTTPS Web Interface (CVE-2025-48417)
The certificate and private key used for providing transport layer security for
connections to the web interface (TCP port 443) is hard-coded in the firmware and are
shipped with the update files. An attacker can use the private key to perform
man-in-the-middle attacks against users of the admin interface. The files are
located in /etc/ssl (e.g. salia.local.crt, salia.local.key and salia.local.pem)
There is no option to upload/configure custom TLS certificates.
Proof of concept:
-----------------
The proof of concepts have been removed as there are no fixes available.
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available
at the time of the test as well as the publication of this advisory:
* eCharge Hardy Barth cPH2 and cPP2 Firmware Version 2.2.0
Vendor contact timeline:
------------------------
2023-11 and 2023-12: First findings discovered and reported to mutual customer.
2024-11-26: Contacting vendor via multiple mailboxes and various other
personal vendor email addresses.
2024-11-27: Direct contact answers to submit our advisory, they are already
working on other identified security issues for release 2.3.0.
2024-12-02: Sending security advisory to vendor.
2024-12-16: Asking for a status update.
2024-12-16: Vendor is occupied with other internal tasks and does not
have time to take a look at our advisory before some time in
the first half of Q1/2025.
2025-01-29: Vendor informs us in a detailed response that their analysis is complete
and issues are being fixed and will be released in February 2025.
2025-04-01: Asking for a status update.
2025-04-02: Vendor informs us that new firmware will be released before the
end of April 2025.
2025-04-02: Replying that we will release the advisory mid-May, as the vendor has
still not provided the new firmware.
2025-05-05: Asking for a status update.
2025-05-05: Vendor informs us that they are still working on the release and will
inform us when the new firmware is available (no timeframe).
2025-05-21 Public release of security advisory.
Solution:
---------
The vendor has not provided a fix for any of the reported vulnerabilities.
Workaround:
-----------
None (secure devices through isolation)
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult
EOF S. Viehböck / @2025
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4438 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists