Schneider Electric, an energy management and automation company, has reportedly patched 13 critical vulnerabilities in its EVlink range of products. The EVlink range is the company's electric vehicle product line and offers charging points/stations for private properties, semi-public car parks, and on-street charging. Describing the impact of the discovered vulnerabilities, Schneider Electric said that their exploitation “could lead to things like denial of service attacks, which could (further) result in unauthorized use of the charging station, service interruptions, failure to send charging data records to the supervision system and the modification and disclosure of the charging station’s configuration.”
Schneider Electric Vulnerabilities and Affected Products
In all, Schneider Electric addressed 13 flaws, which include three “critical”, eight “high” and two “medium” severity vulnerabilities. Schneider Electric added that threat actors could exploit these vulnerabilities in only two ways:
- Through physical access to the charging station’s internal communication ports, which can be gained only by removing the entire housing, or
- Remotely, if the charging stations are directly connected to the internet or the network of the charging station’s supervision system
The three most critical vulnerabilities, with their CVE IDs and CVSS scores, are:
- Use of Hard-coded Credentials
CVE ID: CVE-2021-22707
CVSS v3.1 Base Score 9.4 | Critical
CWE-798: This vulnerability could potentially allow an attacker to issue unauthorized commands to the charging station web server with administrative privileges.
- Use of Hard-coded Password
CVE ID: CVE-2021-22729
CVSS v3.1 Base Score 9.4 | Critical
CWE-259: This vulnerability could potentially allow an attacker to gain unauthorized administrative privileges when accessing the charging station web server.
- Use of Hard-coded Credentials
CVE ID: CVE-2021-22730
CVSS v3.1 Base Score 9.4 | Critical
CWE-798: This vulnerability could potentially allow an attacker to gain unauthorized administrative privileges when accessing the charging station web server.
The other “high” and “medium” vulnerabilities are:
- CVE-2021-22706 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CVE-2021-22708 – Improper Verification of Cryptographic Signature
- CVE-2021-22721 – Improper Neutralization of Input During Web Page Generation (‘Stored Cross-site Scripting’)
- CVE-2021-22723 – Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) through Cross-Site Request Forgery (CSRF)
- CVE-2021-22726 – Server-Side Request Forgery (SSRF)
- CVE-2021-22727 – Insufficient Entropy
- CVE-2021-22728 – Information Exposure
- CVE-2021-22773 – Unverified Password Change
- CVE-2021-22774 – Use of a One-Way Hash without a Salt
Products Affected and the Fixes Available

| Product | Affected versions | Fix available |
|---|---|---|
| EVlink City EVC1S22P4 / EVC1S7P4 | All versions prior to R8 V3.4.0.1 | https://www.se.com/fr/fr/product-range-download/63015-evlink-city/#/software-firmware-tab |
| EVlink Parking EVW2 / EVF2 / EV.2 | All versions prior to R8 V3.4.0.1 | https://www.se.com/ww/en/product-range/60850-evlink-parking/#software-and-firmware |
| EVlink Smart Wallbox EVB1A | All versions prior to R8 V3.4.0.1 | https://www.se.com/ww/en/product-range/63506-evlink-smart-wallbox/#software-and-firmware |