CVE-2015-2908 — HIGH (9.0) — White Hats Nepal

Q: How severe is CVE-2015-2908?

CVE-2015-2908 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2015-2908?

Check the references section above for vendor advisories and patch information. Affected products include: Mobile Devices C4 Obd-Ii Dongle Firmware.

Vulnerability Description

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.

CVSS Score

9.0

HIGH

AV:N/AC:L/Au:S/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Mobile Devices	C4 Obd-Ii Dongle Firmware	<= 3.4

Related Weaknesses (CWE)

CWE-345

References

http://www.kb.cert.org/vuls/id/209512Third Party AdvisoryUS Government Resource
https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
http://www.kb.cert.org/vuls/id/209512Third Party AdvisoryUS Government Resource
https://www.usenix.org/conference/woot15/workshop-program/presentation/foster

FAQ

What is CVE-2015-2908?

CVE-2015-2908 is a vulnerability with a CVSS score of 9.0 (HIGH). Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitr...

How severe is CVE-2015-2908?

CVE-2015-2908 has been rated HIGH with a CVSS base score of 9.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-2908?

Check the references section above for vendor advisories and patch information. Affected products include: Mobile Devices C4 Obd-Ii Dongle Firmware.