Vulnerability Description
Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers' installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mobile Devices | C4 Obd-Ii Dongle Firmware | <= 3.4 |
References
- http://www.kb.cert.org/vuls/id/209512Third Party AdvisoryUS Government Resource
- https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
- http://www.kb.cert.org/vuls/id/209512Third Party AdvisoryUS Government Resource
- https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
FAQ
What is CVE-2015-2906?
CVE-2015-2906 is a vulnerability with a CVSS score of 9.0 (HIGH). Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers' installation...
How severe is CVE-2015-2906?
CVE-2015-2906 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2906?
Check the references section above for vendor advisories and patch information. Affected products include: Mobile Devices C4 Obd-Ii Dongle Firmware.