cnvd - cnvd-2015-04969

CNVD-2015-04969

Vulnerability from cnvd - Published: 2015-07-28

Title

Fiat Chrysler Automobiles Uconnect远程权限提升漏洞

Description

Fiat Chrysler Automobiles Uconnect是美国菲亚特克莱斯勒汽车（Fiat Chrysler Automobiles，FCA）公司的一套车载信息系统。 Fiat Chrysler Automobiles Uconnect 15.26.1存在未明漏洞。在相同移动网络中的远程攻击者可通过修改entertainment-system固件和使用CAN总线利用该漏洞控制车辆移动，造成人类伤害或物理伤害，或修改仪表盘设置。

Severity

高

Formal description

目前厂商还没有提出此漏洞的相关补丁或升级程序，建议使用此软件的用户随时关注厂商的主页以获得最新版本： http://www.fcagroup.com

Reference

https://www.youtube.com/watch?v=MK0SrxBC1xs&feature=youtu.be

Impacted products

Name
Fiat Chrysler Automobiles Uconnect 15.26.1

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "75993"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-5611"
    }
  },
  "description": "Fiat Chrysler Automobiles Uconnect\u662f\u7f8e\u56fd\u83f2\u4e9a\u7279\u514b\u83b1\u65af\u52d2\u6c7d\u8f66\uff08Fiat Chrysler Automobiles\uff0cFCA\uff09\u516c\u53f8\u7684\u4e00\u5957\u8f66\u8f7d\u4fe1\u606f\u7cfb\u7edf\u3002\r\n\r\nFiat Chrysler Automobiles Uconnect 15.26.1\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u3002\u5728\u76f8\u540c\u79fb\u52a8\u7f51\u7edc\u4e2d\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u4fee\u6539entertainment-system\u56fa\u4ef6\u548c\u4f7f\u7528CAN\u603b\u7ebf\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236\u8f66\u8f86\u79fb\u52a8\uff0c\u9020\u6210\u4eba\u7c7b\u4f24\u5bb3\u6216\u7269\u7406\u4f24\u5bb3\uff0c\u6216\u4fee\u6539\u4eea\u8868\u76d8\u8bbe\u7f6e\u3002",
  "discovererName": "Charlie Miller and Chris Valasek",
  "formalWay": "\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u51fa\u6b64\u6f0f\u6d1e\u7684\u76f8\u5173\u8865\u4e01\u6216\u5347\u7ea7\u7a0b\u5e8f\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u5f97\u6700\u65b0\u7248\u672c\uff1a\r\nhttp://www.fcagroup.com",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-04969",
  "openTime": "2015-07-28",
  "products": {
    "product": "Fiat Chrysler Automobiles Uconnect 15.26.1"
  },
  "referenceLink": "https://www.youtube.com/watch?v=MK0SrxBC1xs\u0026feature=youtu.be",
  "serverity": "\u9ad8",
  "submitTime": "2015-07-23",
  "title": "Fiat Chrysler Automobiles Uconnect\u8fdc\u7a0b\u6743\u9650\u63d0\u5347\u6f0f\u6d1e"
}

CVE-2015-5611 (GCVE-0-2015-5611)

Vulnerability from cvelistv5 – Published: 2015-07-21 18:00 – Updated: 2024-08-06 06:59

Summary

Unspecified vulnerability in Uconnect before 15.26.1, as used in certain Fiat Chrysler Automobiles (FCA) from 2013 to 2015 models, allows remote attackers in the same cellular network to control vehicle movement, cause human harm or physical damage, or modify dashboard settings via vectors related to modification of entertainment-system firmware and access of the CAN bus due to insufficient "Radio security protection," as demonstrated on a 2014 Jeep Cherokee Limited FWD.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.securityfocus.com/bid/75993	vdb-entryx_refsource_BID
	https://twitter.com/0xcharlie/status/623171594349842433	x_refsource_MISC
	http://www.wired.com/2015/07/hackers-remotely-kil…	x_refsource_MISC
	http://media.fcanorthamerica.com/newsrelease.do?i…	x_refsource_MISC
	https://ics-cert.us-cert.gov/advisories/ICSA-15-260-01	x_refsource_MISC
	http://blog.fcanorthamerica.com/2015/07/22/unhack…	x_refsource_CONFIRM
	http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/downlo…	x_refsource_MISC
	https://twitter.com/0xcharlie/status/623258479730552832	x_refsource_MISC
	https://twitter.com/0xcharlie/status/623195051296993280	x_refsource_MISC
	https://www.youtube.com/watch?v=MK0SrxBC1xs&featu…	x_refsource_MISC
	http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/downlo…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:59:03.285Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "75993",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/75993"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/0xcharlie/status/623171594349842433"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://media.fcanorthamerica.com/newsrelease.do?id=16827\u0026mid=1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-260-01"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://blog.fcanorthamerica.com/2015/07/22/unhacking-the-hacked-jeep/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483033/RCAK-15V461-4967.pdf"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/0xcharlie/status/623258479730552832"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://twitter.com/0xcharlie/status/623195051296993280"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.youtube.com/watch?v=MK0SrxBC1xs\u0026feature=youtu.be"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483036/RCLRPT-15V461-9407.pdf"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-07-16T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Unspecified vulnerability in Uconnect before 15.26.1, as used in certain Fiat Chrysler Automobiles (FCA) from 2013 to 2015 models, allows remote attackers in the same cellular network to control vehicle movement, cause human harm or physical damage, or modify dashboard settings via vectors related to modification of entertainment-system firmware and access of the CAN bus due to insufficient \"Radio security protection,\" as demonstrated on a 2014 Jeep Cherokee Limited FWD."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-22T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "75993",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/75993"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/0xcharlie/status/623171594349842433"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://media.fcanorthamerica.com/newsrelease.do?id=16827\u0026mid=1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-260-01"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://blog.fcanorthamerica.com/2015/07/22/unhacking-the-hacked-jeep/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483033/RCAK-15V461-4967.pdf"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/0xcharlie/status/623258479730552832"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://twitter.com/0xcharlie/status/623195051296993280"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.youtube.com/watch?v=MK0SrxBC1xs\u0026feature=youtu.be"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483036/RCLRPT-15V461-9407.pdf"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-5611",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Unspecified vulnerability in Uconnect before 15.26.1, as used in certain Fiat Chrysler Automobiles (FCA) from 2013 to 2015 models, allows remote attackers in the same cellular network to control vehicle movement, cause human harm or physical damage, or modify dashboard settings via vectors related to modification of entertainment-system firmware and access of the CAN bus due to insufficient \"Radio security protection,\" as demonstrated on a 2014 Jeep Cherokee Limited FWD."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "75993",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/75993"
            },
            {
              "name": "https://twitter.com/0xcharlie/status/623171594349842433",
              "refsource": "MISC",
              "url": "https://twitter.com/0xcharlie/status/623171594349842433"
            },
            {
              "name": "http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/",
              "refsource": "MISC",
              "url": "http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/"
            },
            {
              "name": "http://media.fcanorthamerica.com/newsrelease.do?id=16827\u0026mid=1",
              "refsource": "MISC",
              "url": "http://media.fcanorthamerica.com/newsrelease.do?id=16827\u0026mid=1"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-15-260-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-15-260-01"
            },
            {
              "name": "http://blog.fcanorthamerica.com/2015/07/22/unhacking-the-hacked-jeep/",
              "refsource": "CONFIRM",
              "url": "http://blog.fcanorthamerica.com/2015/07/22/unhacking-the-hacked-jeep/"
            },
            {
              "name": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483033/RCAK-15V461-4967.pdf",
              "refsource": "MISC",
              "url": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483033/RCAK-15V461-4967.pdf"
            },
            {
              "name": "https://twitter.com/0xcharlie/status/623258479730552832",
              "refsource": "MISC",
              "url": "https://twitter.com/0xcharlie/status/623258479730552832"
            },
            {
              "name": "https://twitter.com/0xcharlie/status/623195051296993280",
              "refsource": "MISC",
              "url": "https://twitter.com/0xcharlie/status/623195051296993280"
            },
            {
              "name": "https://www.youtube.com/watch?v=MK0SrxBC1xs\u0026feature=youtu.be",
              "refsource": "MISC",
              "url": "https://www.youtube.com/watch?v=MK0SrxBC1xs\u0026feature=youtu.be"
            },
            {
              "name": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483036/RCLRPT-15V461-9407.pdf",
              "refsource": "MISC",
              "url": "http://www-odi.nhtsa.dot.gov/acms/cs/jaxrs/download/doc/UCM483036/RCLRPT-15V461-9407.pdf"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-5611",
    "datePublished": "2015-07-21T18:00:00",
    "dateReserved": "2015-07-21T00:00:00",
    "dateUpdated": "2024-08-06T06:59:03.285Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-04969

CVE-2015-5611 (GCVE-0-2015-5611)

Tags

Sightings

Nomenclature