CVE-2024-25407
📋 TL;DR
SteVe v3.6.0 issues predictable (counter-like) transaction IDs when it processes StartTransaction requests. In OCPP 1.6 the central system assigns the transactionId in its StartTransaction.conf response, and the same value is presented later in StopTransaction; because SteVe hands out sequential values, an attacker who obtains one ID can infer the IDs of other live sessions and terminate them. This affects every deployment running a vulnerable SteVe version as the backend for electric vehicle charging stations and can disrupt charging operations.
💻 Affected Systems
- SteVe (Steckdosenverwaltung - EV charging management software)
📦 What is this software?
SteVe (Steckdosenverwaltung) is an open-source OCPP central system (charge point management backend) maintained by the steve-community project on GitHub. It manages charge points, RFID tags and charging transactions and exposes the OCPP endpoints that charge points connect to.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically terminate all active charging sessions, causing widespread service disruption and preventing legitimate users from charging their vehicles.
Likely Case
Targeted DoS attacks against specific charging sessions, causing inconvenience to users and potential revenue loss for operators.
If Mitigated
Limited impact with proper network segmentation and monitoring, though some disruption may still occur.
🎯 Exploit Status
Exploitation is straightforward once the attacker knows the ID pattern: start one transaction, read the transactionId returned in StartTransaction.conf, and send StopTransaction for the neighbouring values, which belong to other charge points' live sessions. No authentication is required to send StartTransaction requests beyond being able to reach the OCPP endpoint as a charge point, so OCPP access to the backend is the only precondition.
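The exchange described above, as an added example that is not part of the advisory or of SteVe's code: a toy OCPP 1.6-J central system that issues either sequential or random transaction IDs and optionally checks that a StopTransaction comes from the charge point that started the transaction. The charge point names, the frame handling and both hardening knobs are assumptions for the demonstration, not a description of how SteVe fixed the issue.

```python
"""Added example (not SteVe's code): a toy OCPP 1.6-J central system that shows
why a sequential transactionId lets one charge point stop another's session,
and two illustrative countermeasures. Charge point names and the hardening
knobs are assumptions for the demonstration."""
import json
import secrets


class CentralSystem:
    """Handles StartTransaction / StopTransaction CALL frames.

    predictable_ids=True mimics a database auto-increment counter (the weakness
    in the advisory); False issues random 31-bit IDs.  bind_owner=True refuses a
    StopTransaction from a charge point that did not start the transaction.
    """

    def __init__(self, predictable_ids: bool, bind_owner: bool):
        self.predictable_ids = predictable_ids
        self.bind_owner = bind_owner
        self._next_id = 1
        self.transactions = {}  # transactionId -> {"owner": chargeBoxId, "open": bool}

    def _new_transaction_id(self) -> int:
        if self.predictable_ids:
            tid, self._next_id = self._next_id, self._next_id + 1
            return tid
        while True:  # transactionId is an integer in OCPP 1.6; draw an unused one
            tid = secrets.randbelow(2**31 - 1) + 1
            if tid not in self.transactions:
                return tid

    def handle(self, charge_box_id: str, frame: str) -> str:
        """Take one CALL frame [2, uniqueId, action, payload] from the given
        charge point and return the CALLRESULT [3, ...] or CALLERROR [4, ...]."""
        msg_type, unique_id, action, payload = json.loads(frame)
        if msg_type != 2:
            return json.dumps([4, unique_id, "ProtocolError", "expected CALL", {}])
        if action == "StartTransaction":
            tid = self._new_transaction_id()
            self.transactions[tid] = {"owner": charge_box_id, "open": True}
            conf = {"transactionId": tid, "idTagInfo": {"status": "Accepted"}}
            return json.dumps([3, unique_id, conf])
        if action == "StopTransaction":
            tx = self.transactions.get(payload.get("transactionId"))
            if tx is None or not tx["open"]:
                return json.dumps([3, unique_id, {"idTagInfo": {"status": "Invalid"}}])
            if self.bind_owner and tx["owner"] != charge_box_id:
                return json.dumps([4, unique_id, "SecurityError",
                                   "transaction was started by another charge point", {}])
            tx["open"] = False
            return json.dumps([3, unique_id, {"idTagInfo": {"status": "Accepted"}}])
        return json.dumps([4, unique_id, "NotImplemented", action, {}])


def start_transaction(cs: CentralSystem, cp: str, uid: str) -> int:
    """Send StartTransaction.req for cp and return the transactionId the backend issued."""
    payload = {"connectorId": 1, "idTag": "TAG-" + cp, "meterStart": 0,
               "timestamp": "2024-02-10T08:00:00Z"}
    resp = json.loads(cs.handle(cp, json.dumps([2, uid, "StartTransaction", payload])))
    return resp[2]["transactionId"]


def stop_transaction(cs: CentralSystem, cp: str, uid: str, tid: int) -> list:
    """Send StopTransaction.req for tid from cp and return the decoded response frame."""
    payload = {"transactionId": tid, "meterStop": 1500, "timestamp": "2024-02-10T08:30:00Z"}
    return json.loads(cs.handle(cp, json.dumps([2, uid, "StopTransaction", payload])))


def guess_and_stop(cs: CentralSystem) -> dict:
    """Victim starts a session; the attacker's charge point starts its own, assumes
    the counter is sequential and sends StopTransaction for (own id - 1)."""
    victim_tid = start_transaction(cs, "CP-VICTIM", "1")
    attacker_tid = start_transaction(cs, "CP-ATTACKER", "2")
    guess = attacker_tid - 1
    stop_transaction(cs, "CP-ATTACKER", "3", guess)
    return {"guess_correct": guess == victim_tid,
            "victim_stopped": not cs.transactions[victim_tid]["open"]}


if __name__ == "__main__":
    for label, cs in [("sequential ids, no owner check", CentralSystem(True, False)),
                      ("sequential ids, owner check", CentralSystem(True, True)),
                      ("random ids, no owner check", CentralSystem(False, False))]:
        print(f"{label}: {guess_and_stop(cs)}")
```

With sequential IDs and no ownership check the guess is right and the victim's session is closed; with an ownership check the guess is still right but the StopTransaction is answered with a CALLERROR; with random IDs the guess is simply wrong. Unpredictable IDs remove the guessability, while the ownership check removes the impact even if an ID leaks, so a practitioner would want both.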
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.6.1 or later
Vendor Advisory: https://github.com/steve-community/steve/issues/1296
Restart Required: Yes
Instructions:
1. Back up your current SteVe installation and database.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with the patched version.
4. Restart the SteVe service.
5. Verify the fix by checking that newly issued transaction IDs are no longer sequential.
🔧 Temporary Workarounds
Network Isolation
Restrict access to the SteVe OCPP and management ports to trusted networks only (iptables example; replace [steve_port] and [trusted_network] with your values):
iptables -A INPUT -p tcp --dport [steve_port] -s [trusted_network] -j ACCEPT
iptables -A INPUT -p tcp --dport [steve_port] -j DROP
Rate Limiting
Implement rate limiting on StartTransaction requests to slow down mass exploitation. Note that nginx limit_req counts HTTP requests, so this only throttles OCPP-S (SOAP over HTTP); for OCPP-J the websocket is upgraded once and the individual OCPP messages inside it are not seen by nginx.
# Configure in the nginx http block:
limit_req_zone $binary_remote_addr zone=steve:10m rate=10r/s;
# Then apply in the location block that proxies SteVe:
limit_req zone=steve burst=20 nodelay;
🧯 If You Can't Patch
- Implement strict network access controls so that only the charge points and internal systems that need it can reach SteVe's OCPP and management endpoints
- Deploy monitoring that flags StopTransaction requests referencing a transactionId that was issued to a different charge point, and bursts of such requests from one source
🔍 How to Verify
Check if Vulnerable:
Confirm whether your SteVe version is 3.6.0, or start two transactions in a row and compare the transactionId values returned in StartTransaction.conf: consecutive or near-consecutive values mean the IDs are predictable.
Check Version:
Read the version shown in the SteVe web interface (admin panel) or in the version files in the installation directory.
Verify Fix Applied:
After patching, start several transactions and confirm that the transactionId values returned in StartTransaction.conf are no longer consecutive or otherwise guessable.
📡 Detection & Monitoring
Log Indicators:
- Multiple StartTransaction requests from a single source in a short window
- Charging sessions ending without the owning charge point or user having stopped them
- StartTransaction.conf responses carrying consecutive transactionId values (the backend is still issuing guessable IDs)
Network Indicators:
- Unusual volume of OCPP StartTransaction messages
- StopTransaction (or RemoteStopTransaction) messages referencing a transactionId that was issued to a different charge point, or one that was never issued
SIEM Query:
source="steve.log" AND ("StartTransaction" OR "RemoteStopTransaction") | stats count by src_ip