CVE-2023-49955: Possible DoS Vulnerability: No Control on length of 'chargePointVendor' property in 'BootNotification' OCPP message · Issue #32 · dallmann-consulting/OCPP.Core
An issue was discovered in Dallmann OCPP.Core before 1.2.0 for OCPP (Open Charge Point Protocol) for electric vehicles. It does not validate the length of the chargePointVendor field in a BootNotification message, potentially leading to server instability and a denial of service when processing excessively large inputs. NOTE: the vendor’s perspective is “OCPP.Core is intended for use in a protected environment/network.”
Dear dallmann-consulting,
Thank you for addressing my previous concerns. I have observed that while the ‘BootNotification’ with an oversized ‘chargePointVendor’ field leads to a Denial of Service (DoS) attack by crashing the server, there is a broader issue at hand. Oversized ‘idTag’ values in ‘Authorize’ messages, although smaller in size (e.g., 10 MB), are being accepted and stored in the ‘MessageLog’ table of the database. This storage of excessively large entries without prior validation could be exploited to fill the database with large, non-standard data, potentially impacting performance and storage.
It seems prudent to consider implementing a pre-validation step to check message sizes against the protocol defined threshold before they are parsed and logged, ensuring database integrity and preventing possible storage abuse.
Kind regards,
Gaetano Coppoletta
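The pre-validation step proposed in the comment above, as an added example that is not OCPP.Core's own code (the project is C#; this is illustrative Python): the raw OCPP-J frame is capped in bytes before it ever reaches the JSON parser, and then the BootNotification and Authorize fields are checked against the OCPP 1.6 CiString limits before any handler or message log sees the payload. The frame cap `MAX_FRAME_BYTES` and the `FIELD_LIMITS` table are assumptions taken from the OCPP 1.6 specification, not from the project's configuration.

```python
import json

# OCPP 1.6 CiString limits for the two actions discussed in this issue (values from
# the OCPP 1.6 spec: CiString20Type / CiString25Type / CiString50Type). Assumption:
# a gateway would keep one such table per action it accepts.
FIELD_LIMITS = {
    "BootNotification": {
        "chargePointVendor": 20, "chargePointModel": 20,
        "chargePointSerialNumber": 25, "chargeBoxSerialNumber": 25,
        "firmwareVersion": 50, "iccid": 20, "imsi": 20,
        "meterType": 25, "meterSerialNumber": 25,
    },
    "Authorize": {"idTag": 20},
}
# Constructed cap on the raw frame; a legitimate CALL for these actions is a few
# hundred bytes, so a multi-megabyte frame is dropped before json.loads runs.
MAX_FRAME_BYTES = 4096
CALL, CALLERROR = 2, 4


def validate_call(raw: bytes):
    """Return (message, None) if the frame is acceptable, else (None, (code, description)).

    The byte-size check runs first, so oversized frames never reach the parser or the
    message log; per-field limits are then enforced before any handler sees the payload.
    """
    if len(raw) > MAX_FRAME_BYTES:
        return None, ("FormationViolation", f"frame exceeds {MAX_FRAME_BYTES} bytes")
    try:
        msg = json.loads(raw)
    except ValueError:
        return None, ("FormationViolation", "payload is not valid JSON")
    if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == CALL
            and isinstance(msg[2], str) and isinstance(msg[3], dict)):
        return None, ("FormationViolation", "not a well-formed OCPP-J CALL")
    action, payload = msg[2], msg[3]
    for field, max_len in FIELD_LIMITS.get(action, {}).items():
        value = payload.get(field)
        if value is None:
            continue  # optional field absent; presence rules are checked elsewhere
        if not isinstance(value, str):
            return None, ("TypeConstraintViolation", f"{field} must be a string")
        if len(value) > max_len:
            return None, ("PropertyConstraintViolation",
                          f"{field} exceeds {max_len} characters")
    return msg, None


def call_error(unique_id: str, code: str, description: str) -> str:
    """Build the OCPP-J CALLERROR frame returned instead of processing a rejected CALL."""
    return json.dumps([CALLERROR, unique_id, code, description, {}])
```

Because the rejection happens before logging, the MessageLog table only ever receives frames that passed both the size cap and the field limits.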