A WiFi hotspot with a known password is always available on unconfigured units

Aleph Research Advisory

Identifier

Severity

High

Product

Electra Central AC

Vulnerable Version

  • Electra Central AC Smart WiFi Controller v4
  • Electra Central AC Smart WiFi Controller v5
  • Electra Central AC Smart WiFi Controller v7
  • Electra Central AC Smart WiFi Controller v8

Technical Details

Before the unit is configured and connected to the cloud, it automatically opens a WiFi hotspot. The password to the hotspot is always the name of the hotspot (with the characters SSID replaced with PASS).

Thus, an attacker within WiFi range of an unconfigured unit (which can be from outside the building) can always connect to it and leverage that connection to exploit additional vulnerabilities.

Timeline

  • 30-Oct-22: Reported
  • 12-Mar-23: CVE-2023-24502 assigned
  • 12-Mar-23: Public disclosure

Credit

  • aronsky of Aleph Research, HCL Software
  • idan-strovinsky of Aleph Research, HCL Software