NVD Vulnerability Detail

CVE-2024-23967

Summary	Autel MaxiCharger AC Elite Business C50 WebSocket Base64 Decoding Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Elite Business C50 chargers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of base64-encoded data within WebSocket messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23230
Publication Date	Sept. 28, 2024, 4:15 p.m.
Registration Date	Sept. 28, 2024, 8 p.m.
Last Update	Oct. 4, 2024, 2:37 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:autel:maxicharger_ac_elite_business_c50_firmware:1.32.00:::::::*
execution environment
1	cpe:2.3:h:autel:maxicharger_ac_elite_business_c50:-:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.zerodayinitiative.com/advisories/ZDI-24-853/		Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-787	境界外書き込み	https://cwe.mitre.org/data/definitions/787.html

JVN Vulnerability Information

autel の maxicharger ac elite business c50 ファームウェアにおける境界外書き込みに関する脆弱性

Title	autel の maxicharger ac elite business c50 ファームウェアにおける境界外書き込みに関する脆弱性
Summary	autel の maxicharger ac elite business c50 ファームウェアには、境界外書き込みに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 28, 2024, midnight
Registration Date	Oct. 4, 2024, 2:11 p.m.
Last Update	Oct. 4, 2024, 2:11 p.m.

Affected System

autel

maxicharger ac elite business c50 ファームウェア 1.32.00

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-23967	https://www.cve.org/CVERecord?id=CVE-2024-23967
National Vulnerability Database (NVD)
2	CVE-2024-23967	https://nvd.nist.gov/vuln/detail/CVE-2024-23967

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-121	https://cwe.mitre.org/data/definitions/121.html
2	CWE-787	https://cwe.mitre.org/data/definitions/787.html

その他

No	Name	URL
関連文書
1	www.zerodayinitiative.com (ZDI-24-853)	https://www.zerodayinitiative.com/advisories/ZDI-24-853/

Change Log

No	Changed Details	Date of change
1	[2024年10月04日] 掲載	Oct. 4, 2024, 2:11 p.m.