CVE-2024-23958 in MaxiCharger AC Elite Business C50

Summary

by MITRE • 09/28/2024

Autel MaxiCharger AC Elite Business C50 BLE Hardcoded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Elite Business C50 charging stations. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the BLE AppAuthenRequest command handler. The handler uses hardcoded credentials as a fallback in case of an authentication request failure. An attacker can leverage this vulnerability to bypass authentication on the system.

Was ZDI-CAN-23196


Analysis

by VulDB Data Team • 10/04/2024

CVE-2024-23958 is an authentication bypass in the Autel MaxiCharger AC Elite Business C50 charging station that is reachable by any attacker within Bluetooth Low Energy (BLE) radio range of the device. The flaw is not in the BLE protocol itself but in the device's application-layer authentication: the handler for the BLE AppAuthenRequest command contains hardcoded credentials and accepts them when the normal check fails. That fallback, intended as a recovery path, removes the need for legitimate credentials and gives unauthenticated peers access to the charger's operational functions, which in practice is a backdoor shipped in the firmware.

Mechanically, the AppAuthenRequest handler checks the credentials supplied by the BLE peer and, when that check fails, falls back to a set of credentials compiled into the firmware. Knowledge of those fixed values is therefore sufficient to authenticate; no valid user credential and no prior access to the device are needed. Because the values are embedded in the image they are identical on every unit, cannot be changed or revoked by an operator, and stay valid until the vendor ships firmware that removes them. This is the pattern CWE-798 describes, and it is especially damaging for equipment installed in car parks and forecourts where anyone can stand within radio range.
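The following C model shows the failure pattern the summary and the paragraph above describe, a primary credential check that falls through to a compiled-in constant, beside a hardened handler without any fallback. It is an added, constructed illustration for this page and is not Autel's firmware: the 6-digit PIN format, the message layout, the PIN values and the lock-out threshold are all assumptions chosen to make the bypass visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the CWE-798 pattern this page describes. It is not
 * Autel's firmware: the 6-digit PIN format, the message layout and every
 * constant below are assumptions chosen to make the fallback visible. */

#define PIN_LEN 6

struct app_authen_request {
    uint8_t pin[PIN_LEN];   /* credential supplied by the BLE peer */
};

/* Per-device credential set at installation (assumed value). */
static const uint8_t provisioned_pin[PIN_LEN] = {'4','8','2','9','1','7'};

/* The kind of constant the advisory calls a hardcoded fallback: identical on
 * every unit, shipped in the image, never rotated (assumed value). */
static const uint8_t FACTORY_FALLBACK_PIN[PIN_LEN] = {'0','0','0','0','0','0'};

/* Constant-time equality so the comparison itself leaks no timing. */
static bool pin_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* VULNERABLE shape: when the provisioned credential does not match, the
 * handler "uses hardcoded credentials as a fallback", so anyone who knows the
 * compiled-in constant authenticates from radio range. */
bool handle_authen_vulnerable(const struct app_authen_request *req)
{
    if (pin_equal(req->pin, provisioned_pin, PIN_LEN))
        return true;
    return pin_equal(req->pin, FACTORY_FALLBACK_PIN, PIN_LEN); /* bypass */
}

/* HARDENED shape: a single provisioned credential, a failed check is final,
 * and repeated failures lock the handler until an out-of-band reset. No
 * secret lives in the image, so there is nothing to extract and replay. */
#define MAX_FAILURES 5
static unsigned failed_attempts = 0;

bool handle_authen_fixed(const struct app_authen_request *req)
{
    if (failed_attempts >= MAX_FAILURES)
        return false;                      /* locked out */
    if (pin_equal(req->pin, provisioned_pin, PIN_LEN)) {
        failed_attempts = 0;
        return true;
    }
    failed_attempts++;
    return false;
}

/* Stands in for a physical or administrative unlock, e.g. via the back end. */
void reset_lockout(void)
{
    failed_attempts = 0;
}

/* Convenience wrappers: build a request from a PIN string (assumed format). */
static struct app_authen_request make_request(const char *pin)
{
    struct app_authen_request req;
    memset(req.pin, 0, PIN_LEN);
    for (size_t i = 0; i < PIN_LEN && pin[i] != '\0'; i++)
        req.pin[i] = (uint8_t)pin[i];
    return req;
}

bool vulnerable_accepts(const char *pin)
{
    struct app_authen_request req = make_request(pin);
    return handle_authen_vulnerable(&req);
}

bool fixed_accepts(const char *pin)
{
    struct app_authen_request req = make_request(pin);
    return handle_authen_fixed(&req);
}

int main(void)
{
    const char *pins[] = {"482917", "000000", "123456"};
    for (size_t i = 0; i < 3; i++)
        printf("pin %s: vulnerable=%d fixed=%d\n", pins[i],
               vulnerable_accepts(pins[i]), fixed_accepts(pins[i]));
    return 0;
}
```

The point of the hardened handler is not the lock-out counter but the absence of a second credential source: once a fixed value exists anywhere in the image it can be recovered from one unit and replayed against all of them, so the only durable fix is to remove the fallback and make recovery credentials per-device and revocable.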

Operationally, the affected chargers are deployed in business premises, public car parks and commercial facilities, so the network-adjacent requirement (the attacker must be within Bluetooth range of the unit) is a modest barrier rather than a real one. Because no authentication is needed, a successful bypass gives immediate access to the charging functions exposed over BLE, which could be used to disrupt service, start unauthorized charging sessions or alter charging parameters. The impact is therefore to the integrity and availability of the charging service, with a secondary risk of fraud or unpaid energy consumption.

The weakness maps to CWE-798 (Use of Hard-coded Credentials). In ATT&CK terms the closest fit is T1078.001 (Valid Accounts: Default Accounts), since a shared factory credential behaves like a default account that can never be disabled. Hardcoded credentials also conflict with the authenticator-management controls in NIST SP 800-53 (IA-5) and comparable frameworks. Until vendor firmware that removes the fallback is available and deployed, operators can only reduce exposure: keep the chargers' back-end connectivity on a segmented network so a compromised unit cannot reach other systems, review charger and back-end logs for unexpected sessions or configuration changes, and consider BLE monitoring at high-value sites, bearing in mind that ordinary network monitoring does not see BLE traffic. More generally, fallback authentication paths deserve the same scrutiny as primary ones, and any recovery credential in an IoT device must be per-device and revocable rather than compiled into the image.

Reservation

01/25/2024

Disclosure

09/28/2024

Moderation

accepted

CPE

ready

EPSS

0.00813

KEV

no

Activities

very low
