Charging Station Vulnerability Cleared

Thursday, November 1, 2018 @ 06:11 PM gHale

Circontrol has new software available to mitigate an authentication bypass using an alternate path or channel and insufficiently protected credentials vulnerabilities in its CirCarLife, according to a report with NCCIC.

Successful exploitation of these vulnerabilities – discovered by Ankit Anubhav of NewSky Security, M. Can Kurnaz senior consultant at KPMG Netherlands, Alim Solmaz security consultant at Atos, Michael John chief information security officer at WePower Network, and Gyorgy Miru security researcher at Verint – could allow a remote attacker to retrieve credentials stored in clear text to bypass authentication, and see and access critical information.

RELATED STORIES
Schneider Updates SESU
InduSoft Web Studio, InTouch Holes Fixed
Update to 2-year-old CompactLogix Issue
Vecna Updates Fix for VGo Robot

An electric vehicle charging station, CirCarLife all versions prior to 4.3.1 suffer from the remotely exploitable vulnerabilities.

In one vulnerability, authentication to the device can be bypassed by entering the URL of a specific page.

CVE-2018-17918 is the case number assigned to this vulnerability., which has a CVSS v3 base score of 10.0.

In addition, the PAP credentials of the device are stored in clear text in a log file that is accessible without authentication.

CVE-2018-17922 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 10.0.

The product sees use mainly in the transportation systems sector. It also sees action mainly in Europe and Asia.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Spain-based Circontrol released a new version of the software (login required).



Leave a Reply

You must be logged in to post a comment.