CVE-2024-28136
📋 TL;DR
Because of improper input validation, a local attacker with low privileges can exploit a command injection vulnerability in the OCPP Remote service to execute arbitrary commands and gain root privileges. This affects systems running vulnerable versions of the OCPP Remote service. Attackers need local access to the system to exploit this vulnerability.
💻 Affected Systems
- OCPP Remote service
📦 What is this software?
Charx Sec 3000 Firmware by Phoenixcontact
Charx Sec 3050 Firmware by Phoenixcontact
Charx Sec 3100 Firmware by Phoenixcontact
Charx Sec 3150 Firmware by Phoenixcontact
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges, allowing complete system compromise, data theft, persistence establishment, and lateral movement.
Likely Case
Local user or compromised low-privilege account escalates to root, enabling installation of malware, credential harvesting, and further system exploitation.
If Mitigated
With proper network segmentation and least privilege, the impact is limited to the isolated system; the attacker gains root on that host but cannot pivot to other systems.
🎯 Exploit Status
Exploitation requires local access but is straightforward once access is obtained. No authentication bypass needed beyond initial local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2024-019
Restart Required: Yes
Instructions:
1. Review the vendor advisory at the URL above.
2. Identify the affected version.
3. Apply the vendor-provided patch or update to the fixed version.
4. Restart the OCPP Remote service.
5. Verify that the patch was applied.
🔧 Temporary Workarounds
Disable OCPP Remote Service
Temporarily disable the vulnerable service if it is not required for operations (Linux):
sudo systemctl stop ocpp-remote
sudo systemctl disable ocpp-remote
Restrict Service Privileges
Run the OCPP Remote service with reduced privileges if possible (Linux):
Edit the service configuration so the service runs as a non-root user.
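One way to carry out that configuration change on a systemd host, as an added example that is not vendor code or part of the advisory. It assumes the unit is named ocpp-remote.service (inferred from the `systemctl stop ocpp-remote` command above) and that a dedicated unprivileged account exists; the account name `ocpp` is a placeholder. Whether the service still functions without root is vendor-specific, which is why the advisory says "if possible".

```shell
#!/bin/sh
# Added example (not vendor code): install a systemd drop-in that runs the
# OCPP Remote service as an unprivileged user and fences in what an injected
# command could do. Unit name ocpp-remote.service and user "ocpp" are assumptions.

# Write the override into DIR, normally /etc/systemd/system/ocpp-remote.service.d
write_ocpp_hardening_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/10-least-privilege.conf" <<'EOF'
[Service]
# Drop root: the service runs as a dedicated unprivileged account (placeholder name).
User=ocpp
Group=ocpp
# A shell spawned by an injected command cannot regain privileges via setuid binaries.
NoNewPrivileges=yes
# Most of the filesystem becomes read-only; add ReadWritePaths= for state the
# service legitimately writes.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# No Linux capabilities retained (adjust if the service needs, e.g., to bind ports).
CapabilityBoundingSet=
EOF
}

# Return 0 if the drop-in sets User= to something other than root, 1 otherwise.
# Useful as a post-change check before daemon-reload.
dropin_drops_root() {
    file="$1"
    user=$(sed -n 's/^User=//p' "$file" | tail -n 1)
    [ -n "$user" ] && [ "$user" != "root" ]
}

# Usage (as root):
#   write_ocpp_hardening_dropin /etc/systemd/system/ocpp-remote.service.d
#   dropin_drops_root /etc/systemd/system/ocpp-remote.service.d/10-least-privilege.conf
#   systemctl daemon-reload && systemctl restart ocpp-remote
```

After restarting, confirm with `systemctl show -p User ocpp-remote` that the unit actually picked up the new user, and watch the journal for permission errors that point at paths needing `ReadWritePaths=`.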
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems
- Apply principle of least privilege to all user accounts and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the OCPP Remote service version against the vendor advisory; check whether the service runs with elevated privileges and accepts user input.
Check Version:
Check service documentation or configuration files for version information; consult vendor-specific commands.
Verify Fix Applied:
Verify OCPP Remote service version matches patched version from vendor; test that command injection attempts are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution from OCPP Remote service
- Privilege escalation attempts in system logs
- Suspicious process spawning with root privileges
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
Process creation events where the parent process is the OCPP Remote service and the command line contains suspicious characters or shell metacharacters.
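The SIEM condition above in executable form, as an added example that is not part of the advisory. It runs over constructed process-creation records, not real telemetry: the tab-separated layout (timestamp, parent process name, child process name, command line) and the four events are made up for the demonstration, and `ocpp-remote` as the parent process name is assumed from the unit name used in the workaround section. Real auditd or EDR output would need mapping onto these fields first.

```shell
#!/bin/sh
# Added example (not from the advisory): flag child processes of the OCPP Remote
# service whose command line carries shell metacharacters. Record layout and the
# sample events below are constructed; "ocpp-remote" as parent name is assumed.

# Constructed sample events: timestamp, parent comm, child comm, command line.
SAMPLE_EVENTS=$(printf '%s\t%s\t%s\t%s\n' \
  '2024-03-05T10:00:01Z' ocpp-remote sh   'sh -c "logger charge-point-ok"' \
  '2024-03-05T10:00:02Z' ocpp-remote sh   'sh -c "cat /tmp/status; id"' \
  '2024-03-05T10:00:03Z' sshd        bash 'bash -lc "ls | wc -l"' \
  '2024-03-05T10:00:04Z' ocpp-remote sh   'sh -c "echo $(whoami)"')

# Read events on stdin; print those whose parent is ocpp-remote and whose command
# line contains ; | & ` < > or $( . A metacharacter alone is not proof of injection
# (the service may legitimately use pipes), so review hits against expected behaviour.
flag_injected_children() {
    awk -F'\t' '$2 == "ocpp-remote" && $4 ~ /[;|&`<>]|\$\(/'
}

# Number of flagged events, for alert thresholds in a cron or agent check.
count_injected_children() {
    flag_injected_children | wc -l | tr -d ' '
}

# Usage:
#   printf '%s\n' "$SAMPLE_EVENTS" | flag_injected_children
#   printf '%s\n' "$SAMPLE_EVENTS" | count_injected_children
```

The first sample event is a plain command with no metacharacters and the third has a pipe but a different parent, so only the second and fourth records are flagged. Tune the parent match to the actual process name on your firmware and baseline the service's normal child commands before alerting on every hit.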