CVE-2021-45876
📋 TL;DR
CVE-2021-45876 allows unauthenticated attackers to execute arbitrary commands on GARO Wallbox charging stations by injecting malicious code into the firmware update process. This affects multiple GARO Wallbox models (GLB/GTB/GTC) with vulnerable firmware versions. Attackers can gain complete control of affected charging stations remotely.
💻 Affected Systems
- GARO Wallbox GLB
- GARO Wallbox GTB
- GARO Wallbox GTC
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of charging station allowing attackers to disable charging, manipulate energy data, pivot to internal networks, or cause physical damage through electrical manipulation.
Likely Case
Remote code execution leading to charging station disruption, data theft, or use as a foothold for further network attacks.
If Mitigated
Limited impact if devices are behind firewalls with strict network segmentation and no internet exposure.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests to the vulnerable endpoint. Public advisories include technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact GARO for specific patched firmware versions
Vendor Advisory: Not provided in references - contact GARO directly
Restart Required: Yes
Instructions:
1. Contact GARO support for patched firmware.
2. Download the official firmware from GARO.
3. Apply the firmware update through the management interface.
4. Reboot the device after the update.
🔧 Temporary Workarounds
Network Segmentation
Isolate charging stations in a separate VLAN with strict firewall rules that block all inbound traffic except the management traffic that is actually required.
Access Control
Implement network access control lists that restrict access to the charging station management interfaces to authorized IP addresses only.
🧯 If You Can't Patch
- Deploy network-based intrusion prevention systems (IPS) to detect and block exploitation attempts
- Implement strict outbound firewall rules to prevent command and control communication from compromised devices
🔍 How to Verify
Check if Vulnerable:
Check the firmware version against GARO's list of patched versions. Confirm exposure by checking whether the vulnerable firmware-update endpoint is reachable from your network, while monitoring the device logs for command-injection attempts.
Check Version:
Check through device web interface or consult GARO documentation for version query methods.
Verify Fix Applied:
Verify that the firmware has been updated to a patched version from GARO, and confirm that command-injection attempts against the update endpoint no longer succeed.
📡 Detection & Monitoring
Log Indicators:
- Unusual firmware update requests
- HTTP requests to the downloadAndUpdate endpoint with suspicious parameters
- System command execution logs from web service
Network Indicators:
- HTTP POST requests to firmware update endpoints with shell metacharacters in parameters
- Unexpected outbound connections from charging stations
SIEM Query:
source="wallbox_logs" AND (url="*downloadAndUpdate*" AND (param="*;*" OR param="*|*" OR param="*`*"))
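As an added example (not from this advisory or from GARO), a small Python scanner that applies the log indicators above to a few constructed access-log lines: it flags requests to the downloadAndUpdate endpoint whose parameters contain shell metacharacters, and it percent-decodes parameter values first, so that encoded characters such as %3B, which the substring-style SIEM query above would miss, are still caught. The log format, the metacharacter set and the sample lines are assumptions; only the endpoint name comes from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint name comes from the advisory; everything else here is an assumption.
UPDATE_ENDPOINT = "downloadAndUpdate"
# Shell metacharacters worth flagging in a parameter that reaches a system command.
SHELL_META = re.compile(r"[;|&`]|\$\(")
# Assumed log layout: client IP first, then the quoted request line (combined-log style).
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return [(name, decoded_value)] for update-endpoint parameters holding metacharacters.

    Values are percent-decoded twice so that %3B and double-encoded %253B both
    surface as ';'; a plain substring match on the raw URL would miss them.
    """
    parts = urlsplit(target)
    if UPDATE_ENDPOINT not in parts.path:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl already decoded once
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(text):
    """Return one alert dict per request line that hits the update endpoint
    with a shell metacharacter in a parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m["target"]):
            alerts.append({"ip": m["ip"], "method": m["method"], "param": name, "value": value})
    return alerts

# Constructed sample lines (not real device logs); the third hides ';' as %3B,
# the fourth hides '|' behind double encoding (%257C).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2022:10:00:00 +0000] "GET /status HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2022:10:01:00 +0000] "POST /downloadAndUpdate?file=fw-1.2.bin HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2022:10:02:00 +0000] "POST /downloadAndUpdate?file=fw.bin%3Bid HTTP/1.1" 200 88
198.51.100.7 - - [01/Jan/2022:10:03:00 +0000] "POST /downloadAndUpdate?file=fw.bin%257Cid HTTP/1.1" 500 0
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The legitimate update request on the second line produces no alert, which is the point: alert on the metacharacters, not on the endpoint itself.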