
Critical Bug Patched in Schneider Electric Vehicle Charging Station

Published: 2018-12-27 13:15:08


Vulnerability in electric car charging stations could allow attackers to compromise devices.

Schneider Electric is warning about a critical vulnerability in its EVLink Parking devices – a line of electric vehicle charging stations. The energy management and automation giant said the vulnerability is tied to a hard-coded credential bug that exists within the device that could enable attackers to gain access to the system.

Affected are EVLink Parking floor-standing units (v3.2.0-12_v1 and earlier). The vulnerability (CVE-2018-7800) is one of three bugs in the electric charging stations that Schneider fixed last week (PDF). The company also issued warnings and fixes for a code injection vulnerability (CVE-2018-7801) and a SQL injection bug (CVE-2018-7802).

The code injection bug is rated high (CVSS 8.8) and “could enable access with maximum privileges when a remote code execution is performed,” according to the security bulletin. The SQL Injection vulnerability “could give access to the web interface with full privileges,” the company said of the bug rated medium (CVSS 6.4).

EVLink Parking stations are typically found at offices, hotels, supermarkets and fleet hubs. The patch can be applied, but the company also offers a number of ways to mitigate risk such as “set up a firewall to block remote/external access except by authorized users.”

It’s unclear what type of additional access an attacker might gain via a compromised EVLink Parking device. The device itself is part of a full EVLink Parking networked solution that includes the charging station, EVLink insights (online portal) and vehicle maintenance and support services. These systems then link to a central system via the cloud for remote management.

A report issued earlier this month by Kaspersky Lab outlined a number of potential vulnerabilities affecting a wide range of electric vehicle charging stations. Researchers looked into one of the stations, dubbed the ChargePoint Home offering, and found a raft of vulnerabilities (PDF) that could give an attacker unfettered access to the device.

“All an attacker needs to do to conduct an attack is obtain Wi-Fi access to the network the charger is connected to,” Kaspersky Lab researchers said. “Since the devices are made for domestic use, security for the wireless network is likely to be limited. This means that attackers could gain access easily, for example by bruteforcing all possible password options, which is quite common.”

Researchers noted that EV communication protocols are vulnerable to attack, as are EV payment systems and the security of backend communications.

Vladimir Kononovich and Vyacheslav Moskvin, researchers with Positive Technologies, are credited with discovering the Schneider bugs.


Original article: https://www.cnblogs.com/luxiaoyi/p/10184086.html
