Schneider Electric Patches 7 Bugs in EVlink Products
On CVSS Scale, 1 Flaw Is Rated Critical, 5 High and 1 Medium
Seven vulnerabilities - including one rated critical and five high-severity - in Schneider Electric's EVlink products have been patched, according to a security researcher.
The products affected by the vulnerabilities include EVlink City, EVlink Parking and EVlink Smart Wallbox, according to Tony Nasr, a cybersecurity and application security researcher at Concordia University in Canada. These products provide electric vehicle charging points or stations for private properties, semi-public car parks and on-street charging facilities.
Successful exploitation of the vulnerabilities would allow attackers to hijack an operator's account on systems, giving them the ability to manipulate configurations and settings and tamper with the charging process, Nasr tells Information Security Media Group.
He says the attacks allow an adversary to leverage the compromised EVlink products as a network proxy and to practically build a botnet and conduct distributed cyberattacks, such as a distributed denial-of-service attack, against other devices. The attacks can allow the adversary to exfiltrate the operator data stored on the EVlink, Nasr says.
Patches Issued, But Many Not Applied
Schneider Electric, in a security notification, acknowledged Nasr's findings and released patches for the vulnerabilities in its latest firmware update.
The company has advised EVlink City customers using EVC1S22P4 and EVC1S7P4 devices; EVlink Parking customers with EVW2, EVF2 and EVP2PE devices; and EVlink Smart Wallbox customers with EVB1A devices to update their firmware as soon as possible.
Investigations conducted on device search engines such as Shodan and Censys show that thousands of internet-facing EVlink devices are affected by the vulnerabilities, Nasr tells ISMG. He says the number can increase greatly for EVlink charging stations that are not currently internet-facing, but are network-configured and can be attacked locally by exploiting the vulnerabilities - for example, through specific vectors on LAN.
Although Schneider Electric made the firmware update available on Dec. 14, it seems that not many customers have applied the patches, Nasr tells ISMG. He says most of the internet-connected EVlink stations are still running previous versions of the system firmware, which leave them vulnerable.
Schneider Electric says the seven vulnerabilities could be exploited by an attacker with physical access to a charging station's internal communication ports, or remotely against charging stations or their supervision systems if those are directly connected to the internet.
The most critical vulnerability, CVE-2021-22821, has a base score of 9.3. It is a server-side request forgery vulnerability that can cause the charging station's web server to forward requests to unintended network targets, according to Schneider Electric's security advisory.
Nasr tells ISMG that to exploit an SSRF vulnerability, an attacker would only need to identify a target EVlink and then trigger the exploit against the system. "The success of this process does not rely on the operator of the EVlink interacting with any components or variables designed by the adversary," he says.
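As an added illustration of the server-side request forgery class described above, the following Python sketch (written for this article; it is not code from Schneider Electric or from the EVlink firmware) contrasts a "forward this URL" handler that fetches whatever the client supplies with one that forwards only to an operator-configured allowlist. The host names, ports and the fetch callback are assumptions constructed for the example and say nothing about how EVlink's web server is actually built.

```python
"""SSRF guard for a 'forward this request' endpoint (illustrative; not EVlink code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed for this example: the only backends the charger's web server
# is supposed to contact, as an operator-configured allowlist (assumed names).
ALLOWED_HOSTS = {"supervision.example.net", "ocpp.example.net"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8443}


class TargetRejected(ValueError):
    """Raised when a client-supplied URL must not be forwarded."""


def vulnerable_forward(url, fetch):
    """The SSRF pattern: whatever URL the client supplied is fetched by the
    server, so the client can reach anything the server itself can reach
    (loopback services, LAN hosts, metadata endpoints)."""
    return fetch(url)


def validate_target(url):
    """Return the parsed URL if it points at an allowlisted backend, else raise."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise TargetRejected(f"scheme not allowed: {parts.scheme!r}")
    # 'http://trusted@127.0.0.1/' parses with hostname 127.0.0.1; refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        raise TargetRejected("userinfo in URL")
    host = parts.hostname
    if not host:
        raise TargetRejected("no host")
    try:
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError as exc:
        raise TargetRejected("malformed port") from exc
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        raise TargetRejected(f"port not allowed: {port}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # a name, not an IP literal: fall through to the allowlist check
    else:
        # 127.0.0.1, [::1], 169.254.169.254, 10.0.0.1 and friends are exactly
        # the internal targets SSRF is used for; never forward to a literal.
        raise TargetRejected(f"IP literal not allowed: {host}")
    if host not in ALLOWED_HOSTS:  # urlsplit already lowercases the hostname
        raise TargetRejected(f"host not allowlisted: {host}")
    return parts


def hardened_forward(url, fetch):
    """Forward only after the target has been validated."""
    validate_target(url)
    return fetch(url)


def is_forwardable(url):
    """Boolean convenience wrapper for callers that only need a verdict."""
    try:
        validate_target(url)
    except TargetRejected:
        return False
    return True
```

Because the decision is made on the host name against an allowlist, the usual SSRF payloads (loopback, link-local and RFC 1918 addresses, decimal or hexadecimal IP encodings, userinfo tricks, non-HTTP schemes such as file: or gopher:) are all rejected before any connection is opened. Two caveats a practitioner would add: the same check must be repeated after every redirect the fetch follows, and since a permitted name can resolve to an internal address at connect time (DNS rebinding), production code should also verify the resolved address or pin the backend IPs.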
Cross-Site Scripting Flaw
CVE-2021-22822 is a high-severity cross-site scripting vulnerability that, if exploited, could allow an attacker to impersonate the user who manages the charging station or carry out actions on their behalf, according to the security advisory.
To exploit a cross-site scripting vulnerability, an attacker would have to design a malicious payload and inject it within vulnerable endpoints or parameters on the system. The attacker would create a reference link or form to those endpoints that they would deliver to the target operator whose EVlink they want to compromise, Nasr says. "In this scenario, the success of the attack relies on the operator of the target EVlink interacting with the maliciously crafted components of the attacker, such as a malicious link or form, in order to be able to take over the EVlink," he says.
Two vulnerabilities, CVE-2021-22724 and CVE-2021-22725, are cross-site request forgery flaws that, if exploited, allow an attacker to carry out actions on the charging station when crafted malicious parameters are submitted in POST and GET requests to its web server, the security advisory says.
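The CSRF class above, as an added example that is not part of the original article or of Schneider Electric's code: a state-changing settings endpoint that authenticates by session cookie alone (so a forged request from another origin, which the browser sends with the cookie attached, succeeds over GET or POST), next to one that refuses GET for state changes and requires a per-session synchronizer token. The session store, the setting name and the handler shapes are assumptions constructed for the example.

```python
"""CSRF defence for a charger settings endpoint (illustrative; not EVlink code)."""
import hmac
import secrets

# Constructed state for the example: session store and one charger setting.
SESSIONS = {}                    # session id -> {"user": name, "csrf": token}
SETTINGS = {"max_current_a": 16}  # assumed setting name


def login(user):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The token the server embeds in the legitimate settings form."""
    return SESSIONS[sid]["csrf"]


def _apply(params):
    try:
        amps = int(params["max_current_a"])
    except (KeyError, ValueError):
        return 400, "bad parameter"
    SETTINGS["max_current_a"] = amps
    return 200, "ok"


def vulnerable_set_current(method, params, cookies):
    """Cookie-only authentication, GET and POST treated alike: an <img src=...>
    or an auto-submitted form on any site the operator visits changes the setting."""
    if SESSIONS.get(cookies.get("session")) is None:
        return 401, "login required"
    return _apply(params)


def hardened_set_current(method, params, cookies):
    """Same endpoint with the two checks that defeat a forged request."""
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401, "login required"
    if method != "POST":
        return 405, "state change must be POST"   # no changes via links or images
    token = str(params.get("csrf", ""))
    # Constant-time compare; the token comes from the page, which another
    # origin cannot read, so a cross-site form cannot supply it.
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "bad csrf token"
    return _apply(params)
```

As defence in depth, issuing the session cookie with SameSite=Lax or Strict and checking the Origin or Referer header on state-changing requests closes the same gap from the browser side; binding the token to the session means a value lifted from one operator's page is useless against another's.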
Attackers can exploit CVE-2021-22818, a high-severity improper restriction of excessive authentication attempts vulnerability, to perform brute force attacks and access the charging station web interface, the security notification says.
CVE-2021-22819, a medium-severity improper restriction of rendered UI layers or frames vulnerability, may allow for "unintended modifications of product settings or user accounts when deceiving the user to use the web interface rendered within iframes," according to the notification.
The high-severity flaw tracked as CVE-2021-22820, which is an insufficient session expiration vulnerability, may allow attackers to "maintain an unauthorized access over a hijacked session to the charger station web server even after the legitimate user account holder has changed his password," it says.
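The two authentication weaknesses above, unrestricted login attempts (CVE-2021-22818) and sessions that survive a password change (CVE-2021-22820), share one piece of server state, so one added Python example covers both. It is written for this article and is not Schneider Electric's code: a small authenticator with an injectable clock that locks an account after repeated failures, expires idle and long-lived sessions, and revokes every other session of a user when that user changes their password. The thresholds and timeouts are assumed values chosen for illustration.

```python
"""Login throttling and session lifetime handling (illustrative; not EVlink code)."""
import hashlib
import hmac
import os
import secrets

MAX_FAILURES = 5            # failed attempts before the account locks (assumed)
LOCKOUT_SECONDS = 300       # lockout duration (assumed)
IDLE_TIMEOUT = 900          # session dies after this much inactivity (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # and after this long regardless of activity (assumed)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self, clock):
        self.clock = clock   # callable returning seconds; injected so tests can advance time
        self.users = {}      # name -> {"salt", "hash", "failures", "locked_until"}
        self.sessions = {}   # session id -> {"user", "created", "last_seen"}

    def add_user(self, name, password):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _hash_password(password, salt),
                            "failures": 0, "locked_until": 0.0}

    def login(self, name, password):
        """Return a session id, or None. Counts failures and locks the account."""
        user = self.users.get(name)
        if user is None:
            return None
        now = self.clock()
        if now < user["locked_until"]:
            return None  # locked: the password is not even checked
        if not hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_FAILURES:
                user["locked_until"] = now + LOCKOUT_SECONDS
                user["failures"] = 0
            return None
        user["failures"] = 0
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": name, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid):
        """Resolve a session id to a user, enforcing idle and absolute timeouts."""
        sess = self.sessions.get(sid)
        if sess is None:
            return None
        now = self.clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def change_password(self, sid, old, new):
        """Change the password and revoke every other session of that user, so a
        hijacked session does not outlive the credential it was issued under."""
        name = self.user_for(sid)
        if name is None:
            return False
        user = self.users[name]
        if not hmac.compare_digest(_hash_password(old, user["salt"]), user["hash"]):
            return False
        user["salt"] = os.urandom(16)
        user["hash"] = _hash_password(new, user["salt"])
        for other in [s for s, v in self.sessions.items() if v["user"] == name and s != sid]:
            del self.sessions[other]
        return True
```

One operational caveat: a per-account lockout on a device with a single operator login is itself a denial-of-service lever, so in practice it is paired with per-source rate limiting and a log line on every lockout so the supervision system can see the attempts.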
"Each of the vulnerabilities, in their own respect, represent a significant threat to the EVlink system," Nasr tells ISMG. "What is concerning is that many of these vulnerabilities can be chained together for greater impact.
"Specifically, CVE-2021-22821, CVE-2021-22822, CVE-2021-22725 and CVE-2021-22724 represent severe issues as they allow an adversary to proxy arbitrary requests through the EVlink, execute arbitrary code on the EVlink system and perform unintended actions on the charging station, respectively."
Mitigations and Workarounds
Schneider Electric also recommends replacing end-of-life products with newer models: the EVlink Parking EVF1 and EVW1, and the EVlink City EVC1S22P3 and EVC1S7P3 or older.
Other mitigation measures include isolating the EVlink on a separate network, limiting connections to local area network, disabling external internet access and setting up a firewall to filter incoming traffic and stop potential malicious requests, Nasr says.
In July, Nasr found and reported several similar vulnerabilities in EVlink products, which were fixed by Schneider Electric. The company addressed 13 flaws - including three critical, eight high-severity and two medium-severity vulnerabilities.
"Given the exponential growth in the number of EVs and the resulting need for expansion in the EV charging ecosystem," Nasr tells ISMG, he is concerned about the "resiliency and security posture of EV charging stations against cyberattacks."
The next biggest threat to the EV charging ecosystem is the exploitation of such vulnerabilities and the emergence of new large-scale attacks, he says.