Vulnerability-Lookup

CVE-2015-2908 (GCVE-0-2015-2908)

Vulnerability from cvelistv5 – Published: 2015-08-23 21:00 – Updated: 2024-08-06 05:32

Summary

Severity ?

No CVSS data available.

CWE

Assigner

certcc

References

URL

	Vendor	Product	Version
	Munic	Mobile Devices (MDI) OBD-II dongles	Affected: 0 , < 2.x (custom) Affected: 0 , < 3.4.x (custom)

CNVD-2015-05629

Vulnerability from cnvd - Published: 2015-08-27

Title

Mobile Devices C4 OBD2 Dongle任意代码执行漏洞

Description

Mobile Devices（又名MDI）C4 OBD2 Dongle是法国Mobile Devices公司的一套可编程OBD2解决方案。 Mobile Devices C4 OBD2 Dongle中存在安全漏洞，该漏洞源于程序未能验证固件更新。远程攻击者可通过指定更新服务器利用该漏洞执行任意代码。

Severity

高

Patch Name

Mobile Devices C4 OBD2 Dongle任意代码执行漏洞的补丁

Patch Description

Mobile Devices（又名MDI）C4 OBD2 Dongle是法国Mobile Devices公司的一套可编程OBD2解决方案。Mobile Devices C4 OBD2 Dongle中存在安全漏洞，该漏洞源于程序未能验证固件更新。远程攻击者可通过指定更新服务器利用该漏洞执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，详情请关注厂商主页： http://www.mobile-devices.com/

Reference

http://www.kb.cert.org/vuls/id/209512

Impacted products

Name
['Mobile Devices C4 OBD-II dongles with firmware 2.x', 'Mobile Devices C4 OBD-II dongles with firmware 3.4.x']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-2908"
    }
  },
  "description": "Mobile Devices\uff08\u53c8\u540dMDI\uff09C4 OBD2 Dongle\u662f\u6cd5\u56fdMobile Devices\u516c\u53f8\u7684\u4e00\u5957\u53ef\u7f16\u7a0bOBD2\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nMobile Devices C4 OBD2 Dongle\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1\u56fa\u4ef6\u66f4\u65b0\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u6307\u5b9a\u66f4\u65b0\u670d\u52a1\u5668\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Ian Foster",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttp://www.mobile-devices.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-05629",
  "openTime": "2015-08-27",
  "patchDescription": "Mobile Devices\uff08\u53c8\u540dMDI\uff09C4 OBD2 Dongle\u662f\u6cd5\u56fdMobile Devices\u516c\u53f8\u7684\u4e00\u5957\u53ef\u7f16\u7a0bOBD2\u89e3\u51b3\u65b9\u6848\u3002Mobile Devices C4 OBD2 Dongle\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u9a8c\u8bc1\u56fa\u4ef6\u66f4\u65b0\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u6307\u5b9a\u66f4\u65b0\u670d\u52a1\u5668\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Mobile Devices C4 OBD2 Dongle\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Mobile Devices C4 OBD-II dongles with firmware 2.x",
      "Mobile Devices C4 OBD-II dongles with firmware 3.4.x"
    ]
  },
  "referenceLink": "http://www.kb.cert.org/vuls/id/209512",
  "serverity": "\u9ad8",
  "submitTime": "2015-08-25",
  "title": "Mobile Devices C4 OBD2 Dongle\u4efb\u610f\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

VAR-201508-0607

Vulnerability from variot - Updated: 2025-04-12 23:15

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor is (1) This is for developers / This is a bug in the debugging device. 3 It has been corrected a year ago. Local connection is enabled in the developer version (2) This problem, SMS Is valid, or 3 It only occurs with older software older than a year. " Supplementary information : CWE Vulnerability type by CWE-345: Insufficient Verification of Data Authenticity ( Inadequate verification of data reliability ) Has been identified. http://cwe.mitre.org/data/definitions/345.htmlArbitrary code may be executed by a third party by specifying the update server. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201508-0607",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "c4 obd-ii dongle",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "mobile devices",
        "version": "3.4"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "metromile",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "mobile devices",
        "version": null
      },
      {
        "model": "c4 obd2 dongle",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "mobile devices",
        "version": "2.x"
      },
      {
        "model": "c4 obd2 dongle",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "mobile devices",
        "version": "3.4.x"
      },
      {
        "model": "c4 obd-ii dongle",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "mobile devices",
        "version": "3.4"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/o:mobile_devices:c4_obd-ii_dongle_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      }
    ]
  },
  "cve": "CVE-2015-2908",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "CVE-2015-2908",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 8.0,
            "id": "VHN-80869",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2015-2908",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2015-2908",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201508-498",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-80869",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-80869"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor is (1) This is for developers / This is a bug in the debugging device. 3 It has been corrected a year ago. Local connection is enabled in the developer version (2) This problem, SMS Is valid, or 3 It only occurs with older software older than a year. \" Supplementary information : CWE Vulnerability type by CWE-345: Insufficient Verification of Data Authenticity ( Inadequate verification of data reliability ) Has been identified. http://cwe.mitre.org/data/definitions/345.htmlArbitrary code may be executed by a third party by specifying the update server. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2015-2908"
      },
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80869"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#209512",
        "trust": 3.3
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2908",
        "trust": 2.5
      },
      {
        "db": "JVN",
        "id": "JVNVU93910224",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-80869",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80869"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "id": "VAR-201508-0607",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-80869"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-04-12T23:15:39.194000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "C4 OBD2 Dongle",
        "trust": 0.8,
        "url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
      },
      {
        "title": "Mobile Devices Ingenierie C4 OBD2 Dongle Fixes for arbitrary code execution vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=227306"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-345",
        "trust": 1.1
      },
      {
        "problemtype": "CWE-Other",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-80869"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 3.3,
        "url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
      },
      {
        "trust": 2.5,
        "url": "http://www.kb.cert.org/vuls/id/209512"
      },
      {
        "trust": 0.8,
        "url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
      },
      {
        "trust": 0.8,
        "url": "http://illmatics.com/car_hacking.pdf"
      },
      {
        "trust": 0.8,
        "url": "http://www.autosec.org/pubs/cars-usenixsec2011.pdf"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2908"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/vu/jvnvu93910224/"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2908"
      },
      {
        "trust": 0.8,
        "url": "http://www.kb.cert.org/vuls/id/ckig-9zaqgx"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80869"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "db": "VULHUB",
        "id": "VHN-80869"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2015-08-11T00:00:00",
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "date": "2015-08-23T00:00:00",
        "db": "VULHUB",
        "id": "VHN-80869"
      },
      {
        "date": "2015-08-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "date": "2015-08-24T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      },
      {
        "date": "2015-08-23T21:59:05.217000",
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2015-08-28T00:00:00",
        "db": "CERT/CC",
        "id": "VU#209512"
      },
      {
        "date": "2023-03-01T00:00:00",
        "db": "VULHUB",
        "id": "VHN-80869"
      },
      {
        "date": "2015-08-26T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-004408"
      },
      {
        "date": "2023-03-03T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      },
      {
        "date": "2025-04-12T10:46:40.837000",
        "db": "NVD",
        "id": "CVE-2015-2908"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#209512"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "data forgery",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201508-498"
      }
    ],
    "trust": 0.6
  }
}

FKIE_CVE-2015-2908

Vulnerability from fkie_nvd - Published: 2015-08-23 21:59 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
cret@cert.org	http://www.kb.cert.org/vuls/id/209512	Third Party Advisory, US Government Resource
cret@cert.org	https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/209512	Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.usenix.org/conference/woot15/workshop-program/presentation/foster

Impacted products

	Vendor	Product	Version
	mobile_devices	c4_obd-ii_dongle_firmware	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:mobile_devices:c4_obd-ii_dongle_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "473D9308-AB22-4E49-89A9-DEF8CB2B8E1B",
              "versionEndIncluding": "3.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server."
    },
    {
      "lang": "es",
      "value": "** DISCUTIDA ** Vulnerabilidad en el dongle C4 OBD-II de Mobile Devices (tambi\u00e9n conocido como MDI) con firmware 2.x y 3.4.x, tal como se utiliza en Metromile Pulse y otros productos, no valida las actualizaciones del firmware, lo que permite a atacantes remotos ejecutar c\u00f3digo arbitrario especificando un servidor de actualizaci\u00f3n. NOTA: el vendedor afirma \u0027Esto fue un defecto en los dispositivos de desarrollador/depuraci\u00f3n y fue corregido en la versi\u00f3n de producci\u00f3n hace unos 3 a\u00f1os\u0027."
    }
  ],
  "id": "CVE-2015-2908",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.0,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2015-08-23T21:59:05.217",
  "references": [
    {
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/209512"
    },
    {
      "source": "cret@cert.org",
      "url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/209512"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
    }
  ],
  "sourceIdentifier": "cret@cert.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-345"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-4X34-W43G-2CFC

Vulnerability from github – Published: 2022-05-17 04:09 – Updated: 2022-05-17 04:09

Details

** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server. NOTE: the vendor states "This was a flaw for the developer/debugging devices, and was fixed in production version about 3 years ago."

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2015-2908"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-345"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-08-23T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.  NOTE: the vendor states \"This was a flaw for the developer/debugging devices, and was fixed in production version about 3 years ago.\"",
  "id": "GHSA-4x34-w43g-2cfc",
  "modified": "2022-05-17T04:09:22Z",
  "published": "2022-05-17T04:09:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2908"
    },
    {
      "type": "WEB",
      "url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/209512"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/CKIG-9ZAQGX"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2015-2908

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2015-2908

Aliases

CVE-2015-2908

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-2908",
    "description": "** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.  NOTE: the vendor states \"This was a flaw for the developer/debugging devices, and was fixed in production version about 3 years ago.\"",
    "id": "GSD-2015-2908",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-2908.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2015-2908"
      ],
      "details": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.",
      "id": "GSD-2015-2908",
      "modified": "2023-12-13T01:20:00.037064Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cert@cert.org",
        "ID": "CVE-2015-2908",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Mobile Devices (MDI) OBD-II dongles",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "2.x"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Munic "
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server."
          }
        ]
      },
      "generator": {
        "engine": "cveClient/1.0.13"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster",
            "refsource": "MISC",
            "url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
          },
          {
            "name": "http://www.kb.cert.org/vuls/id/209512",
            "refsource": "MISC",
            "url": "http://www.kb.cert.org/vuls/id/209512"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:mobile_devices:c4_obd-ii_dongle_firmware:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.4",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cert@cert.org",
          "ID": "CVE-2015-2908"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-345"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster",
              "refsource": "MISC",
              "tags": [],
              "url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
            },
            {
              "name": "VU#209512",
              "refsource": "CERT-VN",
              "tags": [
                "Third Party Advisory",
                "US Government Resource"
              ],
              "url": "http://www.kb.cert.org/vuls/id/209512"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-03-01T08:15Z",
      "publishedDate": "2015-08-23T21:59Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-2908 (GCVE-0-2015-2908)

CNVD-2015-05629

VAR-201508-0607

FKIE_CVE-2015-2908

GHSA-4X34-W43G-2CFC

GSD-2015-2908

Tags

Sightings

Nomenclature