CVE-2022-37418 — MEDIUM (6.4)

Q: How severe is CVE-2022-37418?

CVE-2022-37418 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-37418?

Check the references section above for vendor advisories and patch information. Affected products include: Nissan Nissan Firmware, Nissan Nissan, Kia Kia Firmware, Kia Kia, Hyundai Hyundai Firmware.

Vulnerability Description

The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.

CVSS Score

6.4

MEDIUM

CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Nissan	Nissan Firmware	<= 2017
Nissan	Nissan	-
Kia	Kia Firmware	<= 2017
Kia	Kia	-
Hyundai	Hyundai Firmware	<= 2017
Hyundai	Hyundai	-

Related Weaknesses (CWE)

CWE-294

References

https://hackaday.com/2022/08/17/rollback-breaks-into-your-car/ExploitThird Party Advisory
https://medium.com/codex/rollback-a-new-time-agnostic-replay-attack-against-the-ExploitThird Party Advisory
https://www.blackhat.com/us-22/briefings/schedule/#rollback---a-new-time-agnostiExploitThird Party Advisory
https://www.pcmag.com/news/is-your-car-key-fob-vulnerable-to-this-simple-replay-Press/Media CoverageThird Party Advisory
https://www.youtube.com/playlist?list=PLYodcy84oQL1gxwiuRm13xRXxTQL9cO5tExploitThird Party Advisory
https://hackaday.com/2022/08/17/rollback-breaks-into-your-car/ExploitThird Party Advisory
https://medium.com/codex/rollback-a-new-time-agnostic-replay-attack-against-the-ExploitThird Party Advisory
https://www.blackhat.com/us-22/briefings/schedule/#rollback---a-new-time-agnostiExploitThird Party Advisory
https://www.pcmag.com/news/is-your-car-key-fob-vulnerable-to-this-simple-replay-Press/Media CoverageThird Party Advisory
https://www.youtube.com/playlist?list=PLYodcy84oQL1gxwiuRm13xRXxTQL9cO5tExploitThird Party Advisory

FAQ

What is CVE-2022-37418?

CVE-2022-37418 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturi...

How severe is CVE-2022-37418?

CVE-2022-37418 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-37418?

Check the references section above for vendor advisories and patch information. Affected products include: Nissan Nissan Firmware, Nissan Nissan, Kia Kia Firmware, Kia Kia, Hyundai Hyundai Firmware.