cnvd - cnvd-2018-00881

CNVD-2018-00881

Vulnerability from cnvd - Published: 2018-01-15

Title

General Motors和Shanghai OnStar iOS Client未授权修改漏洞

Description

General Motors（GM）和Shanghai OnStar（SOS）iOS Client是一款基于iOS平台的在机动车发生碰撞时为驾驶员拨打SOS求救电话的应用程序。 GM和SOS iOS Client 7.1版本中存在未授权修改漏洞。攻击者可利用该漏洞破坏安全机制，重置用户账户密码。

Severity

高

Patch Name

General Motors和Shanghai OnStar iOS Client未授权修改漏洞的补丁

Patch Description

General Motors（GM）和Shanghai OnStar（SOS）iOS Client是一款基于iOS平台的在机动车发生碰撞时为驾驶员拨打SOS求救电话的应用程序。 GM和SOS iOS Client 7.1版本中存在未授权修改漏洞。攻击者可利用该漏洞破坏安全机制，重置用户账户密码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可联系供应商获得补丁信息： http://www.vauxhall.co.uk/onstar/index.html

Reference

https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04 https://www.securityfocus.com/bid/102481

Impacted products

Name
General MotorsGM Shanghai OnStarSOSiOS Client 7.1

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "102481"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12695"
    }
  },
  "description": "General Motors\uff08GM\uff09\u548cShanghai OnStar\uff08SOS\uff09iOS Client\u662f\u4e00\u6b3e\u57fa\u4e8eiOS\u5e73\u53f0\u7684\u5728\u673a\u52a8\u8f66\u53d1\u751f\u78b0\u649e\u65f6\u4e3a\u9a7e\u9a76\u5458\u62e8\u6253SOS\u6c42\u6551\u7535\u8bdd\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nGM\u548cSOS iOS Client 7.1\u7248\u672c\u4e2d\u5b58\u5728\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7834\u574f\u5b89\u5168\u673a\u5236\uff0c\u91cd\u7f6e\u7528\u6237\u8d26\u6237\u5bc6\u7801\u3002",
  "discovererName": "Charles Gans",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.vauxhall.co.uk/onstar/index.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-00881",
  "openTime": "2018-01-15",
  "patchDescription": "General Motors\uff08GM\uff09\u548cShanghai OnStar\uff08SOS\uff09iOS Client\u662f\u4e00\u6b3e\u57fa\u4e8eiOS\u5e73\u53f0\u7684\u5728\u673a\u52a8\u8f66\u53d1\u751f\u78b0\u649e\u65f6\u4e3a\u9a7e\u9a76\u5458\u62e8\u6253SOS\u6c42\u6551\u7535\u8bdd\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nGM\u548cSOS iOS Client 7.1\u7248\u672c\u4e2d\u5b58\u5728\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7834\u574f\u5b89\u5168\u673a\u5236\uff0c\u91cd\u7f6e\u7528\u6237\u8d26\u6237\u5bc6\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "General Motors\u548cShanghai OnStar iOS Client\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "General MotorsGM Shanghai OnStarSOSiOS Client 7.1"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04\r\nhttps://www.securityfocus.com/bid/102481",
  "serverity": "\u9ad8",
  "submitTime": "2018-01-11",
  "title": "General Motors\u548cShanghai OnStar iOS Client\u672a\u6388\u6743\u4fee\u6539\u6f0f\u6d1e"
}

CVE-2017-12695 (GCVE-0-2017-12695)

Vulnerability from cvelistv5 – Published: 2018-01-09 21:00 – Updated: 2024-08-05 18:43

Summary

An Improper Authentication issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to subvert security mechanisms and reset a user account password.

Severity ?

No CVSS data available.

CWE

CWE-287

Assigner

icscert

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04	x_refsource_MISC
	http://www.securityfocus.com/bid/102481	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	General Motors and Shanghai OnStar (SOS) iOS Client	Affected: General Motors and Shanghai OnStar (SOS) iOS Client

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.428Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04"
          },
          {
            "name": "102481",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102481"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "General Motors and Shanghai OnStar (SOS) iOS Client",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "General Motors and Shanghai OnStar (SOS) iOS Client"
            }
          ]
        }
      ],
      "datePublic": "2018-01-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An Improper Authentication issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to subvert security mechanisms and reset a user account password."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-12T10:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04"
        },
        {
          "name": "102481",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102481"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-12695",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "General Motors and Shanghai OnStar (SOS) iOS Client",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "General Motors and Shanghai OnStar (SOS) iOS Client"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An Improper Authentication issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to subvert security mechanisms and reset a user account password."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04"
            },
            {
              "name": "102481",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102481"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-12695",
    "datePublished": "2018-01-09T21:00:00",
    "dateReserved": "2017-08-09T00:00:00",
    "dateUpdated": "2024-08-05T18:43:56.428Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-00881

CVE-2017-12695 (GCVE-0-2017-12695)

Tags

Sightings

Nomenclature