Multiple vulnerabilities in Enel X JuiceBox (Waybox) Pro & Plus 3.0 charger


Release date: 5.18.2024

PRODUCT DESCRIPTION

Enel X JuiceBox (Waybox) Pro and Plus 3.0 22 KW Cellular is an electric vehicle charger intended for use in both private and residential environments.

EV Charger appearance

The charger includes a web manager interface accessible through either Wi-Fi or a wired Ethernet. An Ethernet port is located under the charger’s front panel.

JuiceBox Web Manager application

The default password for user-level access to the JuiceBox web manager is provided in the installation manual document published on the official Enel X Way web site.

Additionally, the charger is equipped with an LTE modem for communication with the vendor’s backend, which features RFID authentication. Finally, it supports user identification by RFID cards, thus restricting access to the charging function.

SUMMARY

PCAutomotive identified multiple vulnerabilities that could allow a potential attacker to obtain the highest privileges in the Enel X JuiceBox (Waybox) Pro and Plus 3.0 charger operating system. With this level of access, an attacker could gain access to sensitive data stored on the charger, bypass charging restrictions set by the device owner, cause a denial of service on the charger, and modify the firmware. The vulnerabilities apply to charger firmware versions before 2.1.1.0_JB3VU096A.

CVE ID            Title                                                            CVSS Score
CVE-2023-29114    System logs disclosure                                           5.7 (Medium)
CVE-2023-29115    Denial of service via web management interface                   6.5 (High)
CVE-2023-29116    PHP information disclosure                                       4.3 (Medium)
CVE-2023-29117    Authentication bypass in JuiceBox Web Manager                    8.8 (Critical)
CVE-2023-29118    Unauthorized SQLite injection #1                                 9.6 (Critical)
CVE-2023-29119    Unauthorized SQLite injection #2                                 9.6 (Critical)
CVE-2023-29120    Unauthorized remote command execution                            9.6 (Critical)
CVE-2023-29121    Exposed TCF agent service                                        9.6 (Critical)
CVE-2023-29122    Incorrect file ownership of privileged service’s libraries       6.7 (Medium)
CVE-2023-29125    Heap overflow in CM_main.exe binary                              9.0 (Critical)
CVE-2023-29126    Insecure loose comparison                                        4.2 (Medium)

DISCLOSURE TIMELINE

Date          Description
2023-03-16    Advisory sent to cert@enel.com
2023-04-01    Enel X informs PCAutomotive that the analyzed firmware JB3VUEV02c is outdated. Enel X performs a firmware update of the charger to version 1.1.3.5_JB3VU093.
2023-04       PCAutomotive verifies the findings on version 1.1.3.5_JB3VU093.
2023-04-28    PCAutomotive reports the retest results to Enel X and informs Enel X that the vulnerabilities are present in 1.1.3.5_JB3VU093.
2023-12       According to Enel X, the fixes have been released starting from version 2.1.1.0_JB3VU096A on new installations.
2024-06-17    Enel X releases a security advisory to charger owners.

TECHNICAL DETAILS

CVE-2023-29114: System logs disclosure

Description

An attacker with regular user privileges in the web management application can obtain system logs due to a lack of access control. These logs expose sensitive information that can be used for further attack development.

Exploitation scenario and impact

The JuiceBox web management panel is accessible on port 80 after connecting to the EV charger over the Wi-Fi network. Regular users of this web application can retrieve system logs containing sensitive information, such as plaintext credentials and configuration properties.

To trigger the vulnerability, it is sufficient to send an HTTP GET request to the path /admin/log.php with an empty download parameter:

An example of retrieving sensitive information from log.php

An attacker can obtain the following sensitive information:

  • Wi-Fi access point credentials to which the EV charger can connect.
  • APN web address and credentials.
  • IPSEC credentials.
  • Web interface access credentials for user and admin accounts.
  • JuiceBox system components (software installed, model, firmware version, etc.).
  • C2G configuration details.
  • Internal IP addresses.
  • OTA firmware update configurations (DNS servers).

All the credentials are stored in the logs as unencrypted plaintext. Unauthorized access to this data could be exploited by an intruder to gain privileged access to the control panel and other endpoints, facilitating the development of subsequent attacks.

CVE-2023-29115: Denial of service via web management interface

Description

The Enel X JuiceBox is vulnerable to denial of service through the web management interface. This attack allows unauthorized attackers with network visibility of the charger to cause a denial of service (reboot) via a direct GET request, without any access control restrictions.

Exploitation scenario and impact

The following request, GET /admin/reboot.php, reboots the JuiceBox device:

Example of forcing a device reboot

It takes two to three minutes for the system to become available after each reboot cycle.

CVE-2023-29116: PHP information disclosure

Description

The phpinfo.php script in the JuiceBox web manager application allows remote attackers to obtain sensitive information such as the full web root path, OS version, and server configuration details by calling the phpinfo() function.

Exploitation scenario and impact

Exploitation is possible by sending an HTTP GET request to the script /admin/phpinfo.php, which is available to a remote attacker without any authentication.

Result of calling the phpinfo() function

An attacker can obtain sensitive information such as:

  • The exact PHP version.
  • Exact OS and its version.
  • Details of the PHP configuration.
  • PHP compilation options.
  • PHP extensions.
  • Internal IP addresses.
  • Server environment variables.
  • Loaded PHP extensions and their configurations.
  • HTTP headers.

This information helps an attacker develop the attack further.

CVE-2023-29117: Authentication bypass in JuiceBox Web Manager

Description

The JuiceBox web manager application has an API that can be used for arbitrary database modification because of a lack of access controls. An unauthorized attacker can exploit this vulnerability to bypass authentication and get administrator’s privileges to access and control the JuiceBox system or disrupt service.

Exploitation scenario and impact

An unauthorized attacker can exploit the vulnerability by sending a GET request to the script /api/command.php with the action parameter set to set_param. This request modifies the application database in accordance with the GET parameters param and value. To bypass authentication, an attacker can set the adminPasswordVisible property to True.

Changing visibility settings for administrator’s password

As a result, the plaintext value of the admin user password will be shown below the authentication form on the index page:

Publicly accessible value of administrator’s password

By exploiting this vulnerability, attackers can:

  • Maintain control over all sensitive information, including plaintext credentials and settings for Wi-Fi, SIM, IPSEC, charger system, charge point and a central management system (defined in OCPP standard as CP and CM), Charger-to-Grid (C2G).
  • Read and modify all the present charger registers in the system.
  • Upload malicious or out-of-date firmware.
  • Control charger operation by causing charger reboot or stopping charging process.
  • Obtain access to all system log files.
  • Add arbitrary RFID cards to the charging whitelist.

Privileged access to the control panel

CVE-2023-29118: Unauthorized SQLite injection #1

CVE-2023-29119: Unauthorized SQLite injection #2

Description

The JuiceBox web manager application is vulnerable to SQL injection. The application does not validate user input properly, which allows an unauthorized attacker to alter the logic of SQLite queries by means of SQL injection. The vulnerable URIs are:

  • /admin/versions.php, the vulnerable parameters are the POST parameters name and value.
  • /admin/dbstore.php, the vulnerable parameters are the POST parameters address and value.

Exploitation scenario and impact

The following requests can be used to modify an arbitrary table of the database:

Example of SQL Injection exploitation via value parameter

Example of SQL Injection exploitation via address parameter

As a result, an attacker can run arbitrary queries against the database, modify data, and develop an attack on the server.

CVE-2023-29120: Unauthorized remote command execution

Description

The JuiceBox web manager application is vulnerable to remote command execution. The application does not validate user input properly, which allows an attacker to inject arbitrary OS commands. The vulnerable URI is /api/command.php; the vulnerable parameters are the POST parameters ssid and passkey.

Exploitation scenario and impact

The following request can be used to spawn a ping process on the target device:

Example of OS command execution via ssid parameter

Consequently, an attacker can execute arbitrary OS commands under the daemon account, as well as obtain root access to the OS after the privilege escalation described in CVE-2023-29122.
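All of the web-manager findings above (CVE-2023-29114 through CVE-2023-29120) are reached through a handful of fixed URIs, so a charger owner who can collect the web server's access log can watch for them. The script below is an added example written for this advisory, not PCAutomotive or Enel X code: it parses combined-format access log lines (the sample lines are constructed, and the log format itself is an assumption, since the advisory does not say what the charger's web server logs) and reports hits against the URIs and parameters the advisory names. It sees only the request line, so for the POST endpoints it can report that the sink was reached, not what the body contained.

```python
"""Flag requests to the JuiceBox web manager endpoints named in this advisory.

Added example (not PCAutomotive's or Enel X's code). It scans combined-format
access log lines, constructed below for illustration, and reports hits against
the URIs listed for CVE-2023-29114 .. CVE-2023-29120.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# One rule per CVE: (method, path, query predicate or None, CVE, note)
RULES = [
    ("GET", "/admin/log.php", lambda q: "download" in q,
     "CVE-2023-29114", "system log download"),
    ("GET", "/admin/reboot.php", None,
     "CVE-2023-29115", "unauthenticated reboot"),
    ("GET", "/admin/phpinfo.php", None,
     "CVE-2023-29116", "phpinfo() disclosure"),
    ("GET", "/api/command.php", lambda q: q.get("action") == ["set_param"],
     "CVE-2023-29117", "database modification via set_param"),
    ("POST", "/admin/versions.php", None,
     "CVE-2023-29118", "SQL injection sink (name/value)"),
    ("POST", "/admin/dbstore.php", None,
     "CVE-2023-29119", "SQL injection sink (address/value)"),
    ("POST", "/api/command.php", None,
     "CVE-2023-29120", "command injection sink (ssid/passkey)"),
]


def match_request(method, target):
    """Return (cve, note) if the request line matches an advisory endpoint, else None."""
    parts = urlsplit(target)
    # keep_blank_values so that "?download=" (empty value) is still seen as present
    query = parse_qs(parts.query, keep_blank_values=True)
    for rule_method, path, predicate, cve, note in RULES:
        if method != rule_method or parts.path != path:
            continue
        if predicate is None or predicate(query):
            return cve, note
    return None


def scan_log(lines):
    """Return a list of (ip, timestamp, cve, note, target) for matching lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        found = match_request(m["method"], m["target"])
        if found:
            hits.append((m["ip"], m["ts"], found[0], found[1], m["target"]))
    return hits


# Constructed sample log lines (not captured from a real charger).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/May/2024:10:00:07 +0000] "GET /admin/log.php?download= HTTP/1.1" 200 88231',
    '192.0.2.10 - - [10/May/2024:10:00:15 +0000] "GET /admin/phpinfo.php HTTP/1.1" 200 40010',
    '192.0.2.10 - - [10/May/2024:10:00:30 +0000] "GET /api/command.php?action=set_param&param=adminPasswordVisible&value=True HTTP/1.1" 200 12',
    '192.0.2.10 - - [10/May/2024:10:01:02 +0000] "POST /admin/dbstore.php HTTP/1.1" 200 54',
    '192.0.2.10 - - [10/May/2024:10:01:40 +0000] "GET /admin/reboot.php HTTP/1.1" 200 0',
    '192.0.2.10 - - [10/May/2024:10:05:00 +0000] "GET /admin/log.php HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The rule for log.php deliberately requires the download parameter, following the advisory's description of the trigger; a plain page view of /admin/log.php is not flagged. Because the log records only the request line, the POST rules fire on every request to those sinks, so they are best read as "review this request", not as confirmed injection.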

CVE-2023-29121: Exposed TCF agent service

Description

The Enel X JuiceBox has the Target Communication Framework (TCF) service, an Eclipse debug interface, enabled. Through this service, an attacker can debug processes, modify the file system, and gain access to a terminal as the root user simply by connecting to the charger’s TCP port 1534:

Open TCP port on EV charger host

Access to the TCF service via netcat utility

Exploitation scenario and impact

Using the Eclipse TCF plugin, an adversary can gain access to the Linux file system on the charger, allowing, for instance, the retrieval of the contents of the shadow file.

This attack allows unauthorized attackers to gain root privileges on the affected model, which results in the execution of arbitrary OS commands and full control of the target system.

CVE-2023-29122: Incorrect file ownership of privileged service's libraries

Description

The system assigns user/group ownership of the /runtime/lib/ directory tree to the web-service user account daemon, which allows privilege escalation when the files in that directory are loaded by a root-owned process.

The CM_main.exe service runs with root privileges and uses libraries stored in the /runtime/lib/ subfolder. These libraries are owned by the daemon user:

Daemon user ownership of libraries

Exploitation scenario and impact

If a malicious user has the privileges of the daemon user on the device, they can overwrite the library files. After the CM_main.exe service restarts, the attacker will be able to execute arbitrary OS commands with the privileges of the root user.
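The defensive check for this class of finding is mechanical: every file a root process loads must be owned by root and must not be writable by any other account, and the same holds for the directories on the way, since a writable directory lets a non-root account rename a library away and drop a replacement. The following is an added example, not Enel X or PCAutomotive code: an audit routine that walks a directory tree (on the charger that would be /runtime/lib/, the tree CM_main.exe loads from) and reports every entry that fails either condition. The make_demo_tree() helper builds a constructed throwaway tree so the routine can be exercised anywhere.

```python
"""Audit a library tree for files a root-privileged service would load
but that a less-privileged account could replace.

Added example, not Enel X code.  Reports every directory or regular file
that is either not owned by a trusted uid (root by default) or is writable
by group/others.  Either condition lets a non-root account swap in a library.
"""
import os
import stat
import tempfile


def current_uid():
    """The uid this audit runs as (used by the demo to mark files as 'trusted')."""
    return os.getuid()


def find_replaceable(root, trusted_uids=(0,)):
    """Return a sorted list of (path, reason) for entries failing the check."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # The directory itself is checked once (empty name), then each file in it.
        for name in [""] + filenames:
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)          # lstat: do not follow symlinks
            if st.st_uid not in trusted_uids:
                findings.append((path, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, "group/other writable"))
    return sorted(findings)


def make_demo_tree():
    """Construct a throwaway tree with one clean and one world-writable 'library'."""
    base = tempfile.mkdtemp(prefix="libaudit_")
    os.chmod(base, 0o755)
    good = os.path.join(base, "libgood.so")
    bad = os.path.join(base, "libbad.so")
    for p in (good, bad):
        with open(p, "wb") as f:
            f.write(b"\x7fELF")          # placeholder bytes, not a real library
    os.chmod(good, 0o644)                # root-style: owner-writable only
    os.chmod(bad, 0o666)                 # anyone can overwrite it
    return base, good, bad


if __name__ == "__main__":
    base, _good, _bad = make_demo_tree()
    for path, reason in find_replaceable(base, trusted_uids=(current_uid(),)):
        print(f"{path}: {reason}")
```

On the device itself the call is find_replaceable("/runtime/lib") with the default trusted uid 0; with the advisory's ownership the whole tree would be reported as owned by the daemon uid. The demo passes the current uid as trusted only so that the run does not depend on being root.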

CVE-2023-29125: Heap overflow in CM_main.exe binary

Description

An attacker can trigger a heap buffer overflow in the CM_main.exe binary by manipulating input values so that the body of the request is larger than the pre-defined buffer of fixed length:

Definition of size of headers

Exploitation scenario and impact

CM_main.exe binary uses the socket service that handles requests on TCP port 7700. Each request consists of two parts: a header and a body.

The header contains a field of type short int which is used as the length of the body. This length is not checked anywhere in the code. The buffer for the body has a fixed length of 0x2000. Thus, an attacker can send a body longer than 0x2000 bytes and cause a heap buffer overflow.
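The missing check is the whole bug: the declared body length has to be bounded against the fixed buffer before any bytes are copied. The parser below is an added example, not CM_main.exe code. The advisory does not publish the port 7700 header layout, so the example assumes a single little-endian signed short length field immediately followed by the body; the 0x2000 buffer size is the one the advisory states. Besides the upper bound, it rejects a negative length (a signed short interpreted as a size becomes a huge copy) and a body shorter than declared (a read past the received data).

```python
"""Length-validated framing for a header+body protocol like the one on TCP 7700.

Added example, not CM_main.exe code.  Header layout is assumed: one
little-endian signed short giving the body length, then the body.
BODY_MAX is the fixed buffer size stated in the advisory.
"""
import struct

HEADER_FMT = "<h"                      # assumed: one signed short, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)
BODY_MAX = 0x2000                      # fixed body buffer size from the advisory


class FrameError(ValueError):
    """Raised for any frame that must not reach the fixed-size body buffer."""


def parse_frame(data: bytes) -> bytes:
    """Return the body of one frame, or raise FrameError.

    The unchecked version copies `body_len` bytes into a BODY_MAX buffer;
    with body_len > BODY_MAX that copy is the heap overflow.  Here every
    property of the length is validated before the copy.
    """
    if len(data) < HEADER_LEN:
        raise FrameError("truncated header")
    (body_len,) = struct.unpack_from(HEADER_FMT, data, 0)
    if body_len < 0:
        # A negative short reinterpreted as size_t is a multi-gigabyte copy.
        raise FrameError(f"negative body length {body_len}")
    if body_len > BODY_MAX:
        # This is the check the advisory says is absent.
        raise FrameError(f"body length {body_len} exceeds buffer {BODY_MAX:#x}")
    if len(data) - HEADER_LEN < body_len:
        raise FrameError("body shorter than declared length")
    buffer = bytearray(BODY_MAX)        # stands in for the fixed-length buffer
    buffer[:body_len] = data[HEADER_LEN:HEADER_LEN + body_len]
    return bytes(buffer[:body_len])


def build_frame(body: bytes) -> bytes:
    """Encode a frame; used here only to construct input for the demo."""
    return struct.pack(HEADER_FMT, len(body)) + body


if __name__ == "__main__":
    print(parse_frame(build_frame(b"status?")))
    for bad in (build_frame(b"A" * (BODY_MAX + 1)), b"\xff\xff", b"\x05\x00ab"):
        try:
            parse_frame(bad)
        except FrameError as err:
            print("rejected:", err)
```

The same three checks (sign, upper bound, available bytes) are what a fix in the native code needs; the order matters, since the bound check must run before the buffer is touched, not after.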

CVE-2023-29126: Insecure loose comparison

Description

In the JuiceBox web manager application, the index.php page contains a PHP type-juggling vulnerability that allows attackers to speed up the brute-force process and, under some conditions, bypass authentication.

Exploitation scenario and impact

The default password of the user account is 000000. Providing only 0 in the password field will allow the attacker to log in, since 0 and 000000 are compared using the loose comparison operator, so the values are converted to the same data type. Another example of the incorrect comparison is that 0 will be equal to 0e1234. As a result, an attacker can gain access to the user panel and do the following:

  • Adjust connection type to SIM or Wi-Fi.
  • Control the parameters Plug & charge and max charging current value.
  • Add different unauthorized RFID cards to the whitelist.
  • Maintain C2G configuration.
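The comparisons above hold because PHP's == compares two numeric strings as numbers, so "0", "000000" and "0e1234" all evaluate to zero. The script below is an added example, not JuiceBox code; it models that PHP rule in Python to make the mechanism visible, and puts the vulnerable pattern next to the fix, a byte-for-byte comparison in constant time (what === or hash_equals() gives in PHP). The numeric-string grammar is a simplified assumption (leading and trailing whitespace and hexadecimal forms are not modelled).

```python
"""Why a loose comparison accepts "0" for the password "000000".

Added example, not JuiceBox code.  php_loose_equals() models the PHP rule
that two numeric strings compared with == are compared as numbers;
check_strict() is the fix.
"""
import hmac
import re

# Simplified PHP numeric-string grammar: optional sign, digits, optional
# fraction, optional exponent.  Whitespace and hex forms are not modelled.
NUMERIC_STRING = re.compile(r"^[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?$")


def is_numeric_string(s: str) -> bool:
    return NUMERIC_STRING.match(s) is not None


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP's `$a == $b` for two string operands."""
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)     # numeric comparison: "0" == "000000"
    return a == b                       # otherwise an ordinary string compare


def check_loose(supplied: str, stored: str) -> bool:
    """The vulnerable pattern: `if ($_POST['password'] == $stored)`."""
    return php_loose_equals(supplied, stored)


def check_strict(supplied: str, stored: str) -> bool:
    """The fix: identical bytes only, compared in constant time."""
    return hmac.compare_digest(supplied.encode(), stored.encode())


if __name__ == "__main__":
    for candidate in ("0", "0e1234", "000000", "00000"):
        print(f"{candidate!r}: loose={check_loose(candidate, '000000')} "
              f"strict={check_strict(candidate, '000000')}")
```

With the strict check, only the exact stored value passes, which also removes the brute-force shortcut: every distinct numeric value that loose comparison collapsed onto zero is a distinct guess again.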

User access to the JuiceBox Web Manager


Credits


Danila Parnishchev

Head of Security Assessment