6.9

CVE-2018-18203

Exploit

EPSS 0.02%
Veröffentlicht 28.11.2018 23:29:00
Zuletzt bearbeitet 21.11.2024 03:55:31
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the update mechanism of Subaru StarLink Harman head units 2017, 2018, and 2019 may give an attacker (with physical access to the vehicle's USB ports) the ability to rewrite the firmware of the head unit. This occurs because the device accepts modified QNX6 filesystem images (as long as the attacker obtains access to certain Harman decryption/encryption code) as a consequence of a bug where unsigned images pass a validity check. An attacker could potentially install persistent malicious head unit firmware and execute arbitrary code as the root user.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Subaru ≫ Starlink 2017 Firmware Version-

Subaru ≫ Starlink 2017 Version-

Subaru ≫ Starlink 2018 Firmware Version-

Subaru ≫ Starlink 2018 Version-

Subaru ≫ Starlink 2019 Firmware Version-

Subaru ≫ Starlink 2019 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.02

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.4	0.5	5.9	CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.9	3.4	10	AV:L/AC:M/Au:N/C:C/I:C/A:C

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://github.com/sgayou/subaru_starlink_research

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2018-18203

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-18203

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-18203

EUVD