CVE-2023-29118
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the Waybox Enel X web management application's internal database via the /admin/versions.php endpoint. This affects all organizations using vulnerable versions of the Waybox Enel X web management application for electric vehicle charging infrastructure management.
💻 Affected Systems
- Waybox Enel X web management application
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the database leading to data theft, manipulation of charging infrastructure controls, and potential lateral movement to other systems.
Likely Case
Extraction of sensitive data including user credentials, payment information, and operational data from the charging management system.
If Mitigated
Limited impact if proper network segmentation and database access controls are implemented, though SQL injection would still be possible.
🎯 Exploit Status
SQL injection vulnerabilities are well-understood and easily weaponized. The unauthenticated nature makes exploitation trivial for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version specified in Waybox-3-Security-Bulletin-06-2024-V1.pdf
Vendor Advisory: https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf
Restart Required: Yes
Instructions:
1. Download the security update from the Enel X support portal.
2. Apply the patch following the vendor instructions.
3. Restart the Waybox application service.
4. Verify that the /admin/versions.php endpoint no longer accepts arbitrary SQL commands.
🔧 Temporary Workarounds
Block vulnerable endpoint
Temporarily block access to the /admin/versions.php endpoint using web server configuration or firewall rules.
# Apache: RewriteRule ^/admin/versions\.php$ - [F]
# Nginx: location ~ ^/admin/versions\.php$ { deny all; }
# Firewall: iptables -A INPUT -p tcp --dport 80 -m string --string "/admin/versions.php" --algo bm -j DROP
Implement WAF rules
Deploy web application firewall rules to detect and block SQL injection attempts.
# ModSecurity rule: SecRule ARGS "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQL Injection Attempt'"
🧯 If You Can't Patch
- Isolate the Waybox management interface to a dedicated VLAN with strict access controls.
- Implement database-level protections including prepared statements and input validation in the application code.
🔍 How to Verify
Check if Vulnerable:
Test whether the /admin/versions.php endpoint accepts SQL injection payloads. Example (the POST parameter name is a placeholder, since the advisory does not name it): curl -X POST 'http://[target]/admin/versions.php' --data "parameter=1' OR '1'='1"
Check Version:
Check the application version via the web interface or consult the vendor documentation for version identification.
Verify Fix Applied:
Repeat the same SQL injection test after patching; the request should be rejected with an error or return no database content.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by SQL injection patterns
- Access to /admin/versions.php with suspicious parameters
Network Indicators:
- HTTP POST requests to /admin/versions.php containing SQL keywords (SELECT, UNION, INSERT, etc.)
- Unusual database connection patterns from the web server
SIEM Query:
source="web_logs" AND uri="/admin/versions.php" AND (request_body CONTAINS "UNION" OR request_body CONTAINS "SELECT" OR request_body CONTAINS "INSERT")
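The SIEM query above is easy to evade with case changes or percent-encoding. The following added example (not part of the original advisory or of the vendor's tooling) applies the same indicators to access-log lines: it restricts to POSTs against /admin/versions.php, URL-decodes the body, and matches the keywords the advisory lists plus the tautology probe used in the verification step. The log format and the `version` parameter name are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (hypothetical format: ip method uri status "body").
# Request-body logging is assumed to be enabled; the parameter name "version" is invented.
SAMPLE_LOGS = [
    '10.0.5.20 POST /admin/versions.php 200 "version=3"',
    '10.0.5.21 GET /admin/index.php 200 ""',
    '10.0.5.22 POST /admin/versions.php 200 "version=1%27%20UNION%20SELECT%201%2C2--"',
    "10.0.5.23 POST /admin/versions.php 200 \"version=1' OR '1'='1\"",
    '10.0.5.24 POST /admin/versions.php 500 "version=1 AND sElEcT 1"',
    '10.0.5.25 POST /admin/other.php 200 "q=SELECT"',  # keyword, but not the vulnerable URI
]

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) "(?P<body>.*)"$')
TARGET_URI = "/admin/versions.php"
# Keywords named in the advisory's network indicators, matched case-insensitively.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT)\b", re.IGNORECASE)
# The quote/OR/quote tautology shape used by the advisory's own verification probe.
TAUTOLOGY = re.compile(r"'\s*OR\s*'[^']*'\s*=\s*'", re.IGNORECASE)


def parse_line(line):
    """Split one log line into fields; the body is URL-decoded so %27/%20 payloads match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["body"] = unquote_plus(rec["body"])
    return rec


def is_suspicious(rec):
    """True for a POST to the vulnerable endpoint whose decoded body carries SQL indicators."""
    if rec is None or rec["method"] != "POST" or rec["uri"] != TARGET_URI:
        return False
    body = rec["body"]
    return bool(SQL_KEYWORDS.search(body) or TAUTOLOGY.search(body))


def flag_suspicious(lines):
    """Return (client ip, decoded body) for every line that matches the indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["body"]))
    return hits


if __name__ == "__main__":
    for ip, body in flag_suspicious(SAMPLE_LOGS):
        print(f"suspicious request from {ip}: {body}")
```

Run over the constructed lines it flags the encoded UNION payload, the tautology probe and the mixed-case SELECT, while ignoring the benign version lookup and the keyword hit on an unrelated URI.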