1. EXECUTIVE SUMMARY
- CVSS v4 5.9
- ATTENTION: Exploitable from an adjacent network/low attack complexity
- Vendor: ZF
- Equipment: RSSPlus
- Vulnerability: Authentication Bypass By Primary Weakness
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely (proximal/adjacent with RF equipment) call diagnostic functions which could impact both the availability and integrity.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of RSSPlus are affected:
- RSSPlus 2M: build dates 01/08 through at least 01/23
3.2 VULNERABILITY OVERVIEW
3.2.1 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305
The affected product is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software, however the vehicle remains in a safe vehicle state.
CVE-2024-12054 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2024-12054. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:H/A
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: