cnvd - cnvd-2016-12276

CNVD-2016-12276

Vulnerability from cnvd - Published: 2016-12-15

Title

Tesla Motors Gateway ECU命令注入漏洞

Description

Tesla Motors Gateway ECU是一套用于管理汽车和提供驾驶功能的固件。 Tesla Motors Gateway ECU固件处理更新存在安全漏洞，允许远程攻击者可利用该漏洞提交恶意的更新，注入任意命令。

Severity

高

Patch Name

Tesla Motors Gateway ECU命令注入漏洞的补丁

Patch Description

Tesla Motors Gateway ECU是一套用于管理汽车和提供驾驶功能的固件。 Tesla Motors Gateway ECU固件处理更新存在安全漏洞，允许远程攻击者可利用该漏洞提交恶意的更新，注入任意命令。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： https://www.tesla.com/

Reference

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9337 https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01

Impacted products

Name
Tesla Gateway ECU 0

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "94697"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-9337"
    }
  },
  "description": "Tesla Motors Gateway ECU\u662f\u4e00\u5957\u7528\u4e8e\u7ba1\u7406\u6c7d\u8f66\u548c\u63d0\u4f9b\u9a7e\u9a76\u529f\u80fd\u7684\u56fa\u4ef6\u3002\r\n\r\nTesla Motors Gateway ECU\u56fa\u4ef6\u5904\u7406\u66f4\u65b0\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u6076\u610f\u7684\u66f4\u65b0\uff0c\u6ce8\u5165\u4efb\u610f\u547d\u4ee4\u3002",
  "discovererName": "Tencent\u00e2??s Keen Security Lab",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttps://www.tesla.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-12276",
  "openTime": "2016-12-15",
  "patchDescription": "Tesla Motors Gateway ECU\u662f\u4e00\u5957\u7528\u4e8e\u7ba1\u7406\u6c7d\u8f66\u548c\u63d0\u4f9b\u9a7e\u9a76\u529f\u80fd\u7684\u56fa\u4ef6\u3002\r\n\r\nTesla Motors Gateway ECU\u56fa\u4ef6\u5904\u7406\u66f4\u65b0\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u6076\u610f\u7684\u66f4\u65b0\uff0c\u6ce8\u5165\u4efb\u610f\u547d\u4ee4\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Tesla Motors Gateway ECU\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Tesla Gateway ECU 0"
  },
  "referenceLink": "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9337\r\nhttps://ics-cert.us-cert.gov/advisories/ICSA-16-341-01",
  "serverity": "\u9ad8",
  "submitTime": "2016-12-09",
  "title": "Tesla Motors Gateway ECU\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2016-9337 (GCVE-0-2016-9337)

Vulnerability from cvelistv5 – Published: 2017-02-13 21:00 – Updated: 2024-08-06 02:50

Summary

An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled. The vehicle's Gateway ECU is susceptible to commands that may allow an attacker to install malicious software allowing the attacker to send messages to the vehicle's CAN bus, a Command Injection.

Severity ?

No CVSS data available.

CWE

Tesla Gateway ECU Command Injection

Assigner

icscert

References

URL

Tags

	http://www.securityfocus.com/bid/94697	vdb-entryx_refsource_BID
	https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	Tesla Gateway ECU on Model S automobile	Affected: Tesla Gateway ECU on Model S automobile

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T02:50:37.047Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "94697",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/94697"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Tesla Gateway ECU on Model S automobile",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Tesla Gateway ECU on Model S automobile"
            }
          ]
        }
      ],
      "datePublic": "2017-02-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled. The vehicle\u0027s Gateway ECU is susceptible to commands that may allow an attacker to install malicious software allowing the attacker to send messages to the vehicle\u0027s CAN bus, a Command Injection."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Tesla Gateway ECU Command Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-02-14T10:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "name": "94697",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/94697"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2016-9337",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Tesla Gateway ECU on Model S automobile",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Tesla Gateway ECU on Model S automobile"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Tesla Motors Model S automobile, all firmware versions before version 7.1 (2.36.31) with web browser functionality enabled. The vehicle\u0027s Gateway ECU is susceptible to commands that may allow an attacker to install malicious software allowing the attacker to send messages to the vehicle\u0027s CAN bus, a Command Injection."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Tesla Gateway ECU Command Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "94697",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/94697"
            },
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-341-01"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2016-9337",
    "datePublished": "2017-02-13T21:00:00",
    "dateReserved": "2016-11-16T00:00:00",
    "dateUpdated": "2024-08-06T02:50:37.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2016-12276

CVE-2016-9337 (GCVE-0-2016-9337)

Tags

Sightings

Nomenclature