CVE-2023-28895 — LOW (3.5) — White Hats Nepal

Q: How severe is CVE-2023-28895?

CVE-2023-28895 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-28895?

Check the references section above for vendor advisories and patch information. Affected products include: Preh Mib3 Firmware, Preh Mib3.

Vulnerability Description

The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB3 unit to gain full control over the PWC chip. Vulnerability found on Škoda Superb III (3V3) - 2.0 TDI manufactured in 2022.

CVSS Score

3.5

LOW

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Preh	Mib3 Firmware	< 0304
Preh	Mib3	-

Related Weaknesses (CWE)

CWE-798 CWE-259

References

https://asrg.io/security-advisories/hard-coded-password-for-access-to-power-contThird Party Advisory
https://asrg.io/security-advisories/hard-coded-password-for-access-to-power-contThird Party Advisory

FAQ

What is CVE-2023-28895?

CVE-2023-28895 is a vulnerability with a CVSS score of 3.5 (LOW). The password for access to the debugging console of the PoWer Controller chip (PWC) of the MIB3 infotainment is hard-coded in the firmware. The console allows attackers with physical access to the MIB...

How severe is CVE-2023-28895?

CVE-2023-28895 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-28895?

Check the references section above for vendor advisories and patch information. Affected products include: Preh Mib3 Firmware, Preh Mib3.