VAR-201508-0607
Vulnerability from variot - Updated: 2025-04-12 23:15
Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor's response is garbled by machine translation in the source record; it appears to say that (1) the issue is a bug in developer/debugging devices that was corrected a year ago, and local connection is enabled only in the developer version, and (2) the problem occurs only when SMS is enabled or with software more than a year old. Supplementary information: the vulnerability type has been identified as CWE-345: Insufficient Verification of Data Authenticity. http://cwe.mitre.org/data/definitions/345.html Arbitrary code may be executed by a third party by specifying the update server. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning.
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201508-0607",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "c4 obd-ii dongle",
"scope": "lte",
"trust": 1.0,
"vendor": "mobile devices",
"version": "3.4"
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "metromile",
"version": null
},
{
"model": null,
"scope": null,
"trust": 0.8,
"vendor": "mobile devices",
"version": null
},
{
"model": "c4 obd2 dongle",
"scope": "eq",
"trust": 0.8,
"vendor": "mobile devices",
"version": "2.x"
},
{
"model": "c4 obd2 dongle",
"scope": "eq",
"trust": 0.8,
"vendor": "mobile devices",
"version": "3.4.x"
},
{
"model": "c4 obd-ii dongle",
"scope": "eq",
"trust": 0.6,
"vendor": "mobile devices",
"version": "3.4"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
},
{
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:mobile_devices:c4_obd-ii_dongle_firmware",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
}
]
},
"cve": "CVE-2015-2908",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "nvd@nist.gov",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "CVE-2015-2908",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 1.8,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "VULHUB",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 8.0,
"id": "VHN-80869",
"impactScore": 10.0,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:S/C:C/I:C/A:C",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2015-2908",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "CVE-2015-2908",
"trust": 0.8,
"value": "High"
},
{
"author": "CNNVD",
"id": "CNNVD-201508-498",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-80869",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-80869"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
},
{
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor is (1) This is for developers / This is a bug in the debugging device. 3 It has been corrected a year ago. Local connection is enabled in the developer version (2) This problem, SMS Is valid, or 3 It only occurs with older software older than a year. \" Supplementary information : CWE Vulnerability type by CWE-345: Insufficient Verification of Data Authenticity ( Inadequate verification of data reliability ) Has been identified. http://cwe.mitre.org/data/definitions/345.htmlArbitrary code may be executed by a third party by specifying the update server. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning",
"sources": [
{
"db": "NVD",
"id": "CVE-2015-2908"
},
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "VULHUB",
"id": "VHN-80869"
}
],
"trust": 2.43
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#209512",
"trust": 3.3
},
{
"db": "NVD",
"id": "CVE-2015-2908",
"trust": 2.5
},
{
"db": "JVN",
"id": "JVNVU93910224",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201508-498",
"trust": 0.7
},
{
"db": "VULHUB",
"id": "VHN-80869",
"trust": 0.1
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "VULHUB",
"id": "VHN-80869"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
},
{
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"id": "VAR-201508-0607",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-80869"
}
],
"trust": 0.01
},
"last_update_date": "2025-04-12T23:15:39.194000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "C4 OBD2 Dongle",
"trust": 0.8,
"url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
},
{
"title": "Mobile Devices Ingenierie C4 OBD2 Dongle Fixes for arbitrary code execution vulnerabilities",
"trust": 0.6,
"url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=227306"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-345",
"trust": 1.1
},
{
"problemtype": "CWE-Other",
"trust": 0.8
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-80869"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 3.3,
"url": "https://www.usenix.org/conference/woot15/workshop-program/presentation/foster"
},
{
"trust": 2.5,
"url": "http://www.kb.cert.org/vuls/id/209512"
},
{
"trust": 0.8,
"url": "http://www.mobile-devices.com/our-products/c4-obd2-dongle/"
},
{
"trust": 0.8,
"url": "http://illmatics.com/car_hacking.pdf"
},
{
"trust": 0.8,
"url": "http://www.autosec.org/pubs/cars-usenixsec2011.pdf"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2908"
},
{
"trust": 0.8,
"url": "http://jvn.jp/vu/jvnvu93910224/"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2908"
},
{
"trust": 0.8,
"url": "http://www.kb.cert.org/vuls/id/ckig-9zaqgx"
}
],
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "VULHUB",
"id": "VHN-80869"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
},
{
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CERT/CC",
"id": "VU#209512"
},
{
"db": "VULHUB",
"id": "VHN-80869"
},
{
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
},
{
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-08-11T00:00:00",
"db": "CERT/CC",
"id": "VU#209512"
},
{
"date": "2015-08-23T00:00:00",
"db": "VULHUB",
"id": "VHN-80869"
},
{
"date": "2015-08-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"date": "2015-08-24T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201508-498"
},
{
"date": "2015-08-23T21:59:05.217000",
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-08-28T00:00:00",
"db": "CERT/CC",
"id": "VU#209512"
},
{
"date": "2023-03-01T00:00:00",
"db": "VULHUB",
"id": "VHN-80869"
},
{
"date": "2015-08-26T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2015-004408"
},
{
"date": "2023-03-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201508-498"
},
{
"date": "2025-04-12T10:46:40.837000",
"db": "NVD",
"id": "CVE-2015-2908"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities",
"sources": [
{
"db": "CERT/CC",
"id": "VU#209512"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "data forgery",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201508-498"
}
],
"trust": 0.6
}
}