LOW · 1.8

CVE-2021-23906

Vulnerability Description

An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code execution.

CVSS Score

1.8

LOW

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector: PHYSICAL
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: NONE
Integrity: LOW
Availability: NONE

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Mercedes-Benz | Mercedes-Benz User Experience | <= 2021 |
| Mercedes-Benz | A 220 | - |
| Mercedes-Benz | A 220 4Matic | - |
| Mercedes-Benz | E 350 | - |
| Mercedes-Benz | E 350 4Matic | - |
| Mercedes-Benz | EQC | - |
| Mercedes-Benz | GLE 350 | - |
| Mercedes-Benz | GLE 350 4Matic | - |

Related Weaknesses (CWE)

References

FAQ

What is CVE-2021-23906?

CVE-2021-23906 is a vulnerability with a CVSS score of 1.8 (LOW). An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A Message Length is not checked in the HiQnet Protocol, leading to remote code exec...

How severe is CVE-2021-23906?

CVE-2021-23906 has been rated LOW with a CVSS base score of 1.8/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2021-23906?

Check the references section above for vendor advisories and patch information. Affected products include: Mercedes-Benz Mercedes-Benz User Experience, Mercedes-Benz A 220, Mercedes-Benz A 220 4Matic, Mercedes-Benz E 350, Mercedes-Benz E 350 4Matic.