Vulnerability Description
Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, have hardcoded SSH credentials, which makes it easier for remote attackers to obtain access by leveraging knowledge of the required username and password.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mobile Devices | C4 Obd-Ii Dongle Firmware | <= 3.4 |
References
- http://www.kb.cert.org/vuls/id/209512Third Party AdvisoryUS Government Resource
- https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
- http://www.kb.cert.org/vuls/id/209512Third Party AdvisoryUS Government Resource
- https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
FAQ
What is CVE-2015-2907?
CVE-2015-2907 is a vulnerability with a CVSS score of 9.0 (HIGH). Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, have hardcoded SSH credentials, which makes it easier for remote attackers to obt...
How severe is CVE-2015-2907?
CVE-2015-2907 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2907?
Check the references section above for vendor advisories and patch information. Affected products include: Mobile Devices C4 Obd-Ii Dongle Firmware.