Predictable Transaction ID Possible Vulnerability Allows Unauthorized Termination of OCPP Sessions #1296
Comments
From my point of view, the StartTransaction from point 2 violates the OCPP 1.6 schema (the fields connectorId, meterStart and timestamp are missing). I think for OCPP 1.6J this should generate a CallError with ErrorCode = OccurenceConstraintViolation. There is no point in processing such a message, because no charging station should send such a mess.
I appreciate your insight regarding the schema violation for the StartTransaction message. However, it's important to consider scenarios where a charging station might be compromised. If an attacker gains physical access to a charging station, they could potentially send malformed or incomplete OCPP messages. Therefore, server-side validation is crucial to safeguard against such threats.
@Tano-Coppoletta Maybe you got me wrong; I wanted to say that Steve (server side) should generate a CallError and prevent further processing of the transaction. So your concerns are valid from my point of view.
Hello, I'm reaching out for an update regarding this issue. We are in the process of submitting Common Vulnerabilities and Exposures (CVEs) related to this matter. However, we can wait if you are in the process of fixing it. Additionally, we intend to publish our findings in an academic paper. Your prompt response and attention to this matter would be greatly appreciated as it will greatly inform our next steps. Thank you and looking forward to your response. |
Specifications
Docker Container Setup
Two Docker containers are set up to simulate two OCPP clients for testing purposes.
Issue Description
A possible security vulnerability was identified where unauthorized termination of transactions is possible due to predictable transaction IDs. The server issues a new transaction ID upon receiving an incomplete StartTransaction request and, because the IDs are auto-incremented, an attacker can predict and use them to terminate other transactions.
Steps to Reproduce
2. A StartTransaction request with an empty idTag is sent to obtain a new transaction ID.
3. A StopTransaction request is sent using the new transaction ID minus 1.
4. The unauthorized termination of Client 1's transaction is confirmed via the web interface.
Expected behavior
The server should not issue a transaction ID for incomplete StartTransaction requests and should authenticate StopTransaction requests before processing them.
Actual behavior
The server processes unauthorized StopTransaction requests using predicted transaction IDs.
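The two server-side checks discussed in this thread (rejecting a schema-invalid StartTransaction with a CallError before any transaction ID is issued, and refusing a StopTransaction for a transaction that a different charge point opened) can be shown with a small OCPP 1.6J handler. The code below is an added example written for this page; it is not SteVe's implementation and does not claim to reflect how SteVe handles these messages. It assumes the charge point's identity is the authenticated websocket identity (the charge box ID in the OCPP-J URL path), uses the OCPP 1.6 CallError codes with the spec's spelling of "OccurenceConstraintViolation", and adds one constraint beyond the schema, a minimum idTag length of 1 (the 1.6 schema only sets maxLength 20). The station names, transaction payloads and timestamps are constructed sample input; `reproduce()` replays the reported steps against a server with the checks disabled and then enabled.

```python
"""Minimal OCPP 1.6J central-system handler for StartTransaction/StopTransaction
(added example, not SteVe's code). Message shapes per OCPP 1.6J:
CALL = [2, uniqueId, action, payload], CALLRESULT = [3, uniqueId, payload],
CALLERROR = [4, uniqueId, errorCode, errorDescription, errorDetails]."""
import json
from dataclasses import dataclass
from itertools import count

CALL, CALLRESULT, CALLERROR = 2, 3, 4

# Required fields of StartTransaction.req / StopTransaction.req in the OCPP 1.6 JSON schemas.
START_REQUIRED = {"connectorId": int, "idTag": str, "meterStart": int, "timestamp": str}
STOP_REQUIRED = {"transactionId": int, "meterStop": int, "timestamp": str}


def validate(payload, required):
    """Return (errorCode, description) for the first violation, or None.
    Error codes are the OCPP 1.6 CallError codes, including the spec's spelling of 'Occurence'."""
    if not isinstance(payload, dict):
        return "FormationViolation", "payload is not a JSON object"
    for name, typ in required.items():
        if name not in payload:
            return "OccurenceConstraintViolation", f"missing required field '{name}'"
        val = payload[name]
        if isinstance(val, bool) or not isinstance(val, typ):  # bool is an int subclass in Python
            return "TypeConstraintViolation", f"field '{name}' must be {typ.__name__}"
    # Assumption beyond the schema (which only sets maxLength 20): an empty idTag is rejected
    # before any transaction id is issued, as the report asks.
    if "idTag" in required and not 1 <= len(payload["idTag"]) <= 20:
        return "PropertyConstraintViolation", "idTag must be 1..20 characters"
    return None


@dataclass
class Transaction:
    charge_box_id: str  # authenticated identity of the station that opened it
    connector_id: object
    id_tag: str
    active: bool = True


class CentralSystem:
    """strict=False mimics the reported behaviour (no schema check, any station may stop
    any transaction id); strict=True applies both checks. Ids stay auto-incremented in
    both modes, so the fix does not rely on ids being unguessable."""

    def __init__(self, strict=True):
        self.strict = strict
        self._ids = count(1)
        self.transactions = {}

    def handle(self, charge_box_id, raw):
        """charge_box_id: identity of the websocket the message arrived on; raw: JSON text."""
        msg = json.loads(raw)
        if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == CALL):
            return json.dumps([CALLERROR, "", "ProtocolError", "expected a CALL", {}])
        _, uid, action, payload = msg
        handler = {"StartTransaction": self._start, "StopTransaction": self._stop}.get(action)
        if handler is None:
            return json.dumps([CALLERROR, uid, "NotImplemented", action, {}])
        return json.dumps(handler(charge_box_id, uid, payload))

    def _start(self, cb, uid, p):
        if self.strict:
            err = validate(p, START_REQUIRED)
            if err:  # CallError, and no transaction id is allocated
                return [CALLERROR, uid, err[0], err[1], {}]
        tid = next(self._ids)
        self.transactions[tid] = Transaction(cb, p.get("connectorId"), p.get("idTag", ""))
        return [CALLRESULT, uid, {"transactionId": tid, "idTagInfo": {"status": "Accepted"}}]

    def _stop(self, cb, uid, p):
        if self.strict:
            err = validate(p, STOP_REQUIRED)
            if err:
                return [CALLERROR, uid, err[0], err[1], {}]
        tx = self.transactions.get(p.get("transactionId"))
        if tx is None or not tx.active:
            return [CALLERROR, uid, "PropertyConstraintViolation", "unknown or finished transactionId", {}]
        # Binding check: only the station that opened the transaction may close it,
        # so a correctly guessed id from another websocket is still refused.
        if self.strict and tx.charge_box_id != cb:
            return [CALLERROR, uid, "SecurityError", "transactionId belongs to another charge point", {}]
        tx.active = False
        return [CALLRESULT, uid, {"idTagInfo": {"status": "Accepted"}}]


def reproduce(strict):
    """Replay the report's steps (constructed sample messages) and report the outcome."""
    cs = CentralSystem(strict=strict)
    # Client 1 starts a legitimate transaction.
    r1 = json.loads(cs.handle("CLIENT1", json.dumps([CALL, "1", "StartTransaction", {
        "connectorId": 1, "idTag": "TAG-0001", "meterStart": 0, "timestamp": "2024-01-01T10:00:00Z"}])))
    victim = r1[2]["transactionId"]
    # Step 2: Client 2 sends an incomplete StartTransaction with an empty idTag.
    r2 = json.loads(cs.handle("CLIENT2", json.dumps([CALL, "2", "StartTransaction", {"idTag": ""}])))
    # Step 3: stop (new id - 1); if no id was issued, the attacker still guesses the
    # sequential id correctly, which is why the binding check matters.
    guess = r2[2]["transactionId"] - 1 if r2[0] == CALLRESULT else victim
    r3 = json.loads(cs.handle("CLIENT2", json.dumps([CALL, "3", "StopTransaction", {
        "transactionId": guess, "meterStop": 10, "timestamp": "2024-01-01T10:05:00Z"}])))
    return {"step2": r2[0] == CALLRESULT, "step2_error": r2[2] if r2[0] == CALLERROR else None,
            "step3": r3[0] == CALLRESULT, "step3_error": r3[2] if r3[0] == CALLERROR else None,
            "victim_stopped": not cs.transactions[victim].active}
```

With `strict=False` the replay stops Client 1's transaction exactly as the report describes; with `strict=True` step 2 is answered with OccurenceConstraintViolation (connectorId is the first missing field) and step 3 with SecurityError, and Client 1's transaction stays active even though the attacker guessed its id.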