CVE-2024-5684 - OpenCVE

An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept "none"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Vw	Id.charger Pro Id.charger Connect Id.charger Pro Firmware Id.charger Connect Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:vw:id.charger_connect_firmware:spr3.2:beta::::::
	cpe:2.3:o:vw:id.charger_connect_firmware:spr3.51:::::::*
	cpe:2.3:o:vw:id.charger_connect_firmware:spr3.52:::::::*

cpe:2.3:h:vw:id.charger_connect:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:o:vw:id.charger_pro_firmware:spr3.2:beta::::::
	cpe:2.3:o:vw:id.charger_pro_firmware:spr3.51:::::::*
	cpe:2.3:o:vw:id.charger_pro_firmware:spr3.52:::::::*

cpe:2.3:h:vw:id.charger_pro:-:*:*:*:*:*:*:*

References

Link	Resource
https://asrg.io/security-advisories/vulnerability-in-id-charger-connect-and-pro-from-volkswagen-group-charging-gmbh-elli-evbox-versions-spr3-2b-spr3-51-and-spr3-52/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ASRG

Published: 2024-06-06T12:54:09.480Z

Updated: 2024-06-06T13:40:30.790Z

Reserved: 2024-06-06T12:47:48.760Z

Link: CVE-2024-5684

JSON object: View

NVD Information

Status : Analyzed

Published: 2024-06-06T13:15:32.027

Modified: 2024-06-11T18:13:30.163

Link: CVE-2024-5684

JSON object: View

Redhat Information

No data.

CWE

CWE-345

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5684", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "state": "PUBLISHED", "assignerShortName": "ASRG", "dateReserved": "2024-06-06T12:47:48.760Z", "datePublished": "2024-06-06T12:54:09.480Z", "dateUpdated": "2024-06-06T13:40:30.790Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ID Charger Connect & Pro", "vendor": "Volkswagen Group Charging GmbH - Elli, EVBox", "versions": [{"status": "affected", "version": "SPR3.2B"}, {"status": "affected", "version": "SPR3.51"}, {"status": "affected", "version": "SPR3.52"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anna Breeva (PCAutomotive)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept \"none\"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism."}], "value": "An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept \"none\"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism."}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-06-06T12:54:09.480Z"}, "references": [{"url": "https://asrg.io/security-advisories/vulnerability-in-id-charger-connect-and-pro-from-volkswagen-group-charging-gmbh-elli-evbox-versions-spr3-2b-spr3-51-and-spr3-52/"}], "source": {"discovery": "UNKNOWN"}, "title": "ID Charger Connect & Pro - JWT-Null-Algorithm", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "volkswagen_group_charging_gmbh_elli_evbox", "product": "id_charger_connect_and_pro", "cpes": ["cpe:2.3:a:volkswagen_group_charging_gmbh_elli_evbox:id_charger_connect_and_pro:spr3.2b:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "spr3.2b", "status": "affected"}]}, {"vendor": "volkswagen_group_charging_gmbh_elli_evbox", "product": "id_charger_connect_and_pro", "cpes": ["cpe:2.3:a:volkswagen_group_charging_gmbh_elli_evbox:id_charger_connect_and_pro:spr3.51:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "spr3.51", "status": "affected"}]}, {"vendor": "volkswagen_group_charging_gmbh_elli_evbox", "product": "id_charger_connect_and_pro", "cpes": ["cpe:2.3:a:volkswagen_group_charging_gmbh_elli_evbox:id_charger_connect_and_pro:spr3.52:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "spr3.52", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T13:27:31.304336Z", "id": "CVE-2024-5684", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T13:40:30.790Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:vw:id.charger_connect_firmware:spr3.2:beta:*:*:*:*:*:*", "matchCriteriaId": "7EC6FAEB-299C-4B80-86DC-DCF360112634", "vulnerable": true}, {"criteria": "cpe:2.3:o:vw:id.charger_connect_firmware:spr3.51:*:*:*:*:*:*:*", "matchCriteriaId": "38C5905C-1F7A-4747-8983-F40270C34A17", "vulnerable": true}, {"criteria": "cpe:2.3:o:vw:id.charger_connect_firmware:spr3.52:*:*:*:*:*:*:*", "matchCriteriaId": "25691151-74B1-4B0D-BFDD-AE683B5C50C1", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:vw:id.charger_connect:-:*:*:*:*:*:*:*", "matchCriteriaId": "96237641-90A5-4382-96DF-52A7BDAC1F81", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:vw:id.charger_pro_firmware:spr3.2:beta:*:*:*:*:*:*", "matchCriteriaId": "1977125C-AF1C-41EF-86A1-CF4549F22EF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:vw:id.charger_pro_firmware:spr3.51:*:*:*:*:*:*:*", "matchCriteriaId": "2F73F41A-6D43-4743-A8F2-F13A2C351AAE", "vulnerable": true}, {"criteria": "cpe:2.3:o:vw:id.charger_pro_firmware:spr3.52:*:*:*:*:*:*:*", "matchCriteriaId": "2A391298-4342-4A2D-B16B-77AC8FDD09F9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:vw:id.charger_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "E2DBD3C1-5775-474D-BAD0-A1775DC80326", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An attacker with access to the private network (the charger is connected to) or local access to the Ethernet-Interface can exploit a faulty implementation of the JWT-library in order to bypass the password authentication to the web configuration interface and then has full access as the user would have. However, an attacker will not have developer or admin rights. If the implementation of the JWT-library is wrongly configured to accept \"none\"-algorithms, the server will pass insecure JWT. A local, unauthenticated attacker can exploit this vulnerability to bypass the authentication mechanism."}, {"lang": "es", "value": "Un atacante con acceso a la red privada (a la que est\u00e1 conectado el cargador) o acceso local a la interfaz Ethernet puede explotar una implementaci\u00f3n defectuosa de la librer\u00eda JWT para omitir la autenticaci\u00f3n de contrase\u00f1a en la interfaz de configuraci\u00f3n web y luego tener acceso completo como lo habr\u00eda hecho el usuario. Sin embargo, un atacante no tendr\u00e1 derechos de desarrollador ni de administrador. Si la implementaci\u00f3n de la librer\u00eda JWT est\u00e1 configurada incorrectamente para aceptar algoritmos \"ninguno\", el servidor pasar\u00e1 JWT inseguro. Un atacante local no autenticado puede aprovechar esta vulnerabilidad para eludir el mecanismo de autenticaci\u00f3n."}], "id": "CVE-2024-5684", "lastModified": "2024-06-11T18:13:30.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cve@asrg.io", "type": "Secondary"}]}, "published": "2024-06-06T13:15:32.027", "references": [{"source": "cve@asrg.io", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/vulnerability-in-id-charger-connect-and-pro-from-volkswagen-group-charging-gmbh-elli-evbox-versions-spr3-2b-spr3-51-and-spr3-52/"}], "sourceIdentifier": "cve@asrg.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-345"}], "source": "cve@asrg.io", "type": "Secondary"}]}