cnvd - cnvd-2018-00882

CNVD-2018-00882

Vulnerability from cnvd - Published: 2018-01-15

Title

General Motors和Shanghai OnStar iOS Client中间人攻击漏洞

Description

General Motors（GM）和Shanghai OnStar（SOS）iOS Client是一款基于iOS平台的在机动车发生碰撞时为驾驶员拨打SOS求救电话的应用程序。 GM和SOS iOS Client 7.1版本中存在安全漏洞。当客户端连接到服务器时，攻击者可利用该漏洞实施中间人攻击，拦截敏感信息。

Severity

高

Patch Name

General Motors和Shanghai OnStar iOS Client中间人攻击漏洞的补丁

Patch Description

General Motors（GM）和Shanghai OnStar（SOS）iOS Client是一款基于iOS平台的在机动车发生碰撞时为驾驶员拨打SOS求救电话的应用程序。 GM和SOS iOS Client 7.1版本中存在安全漏洞。当客户端连接到服务器时，攻击者可利用该漏洞实施中间人攻击，拦截敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可联系供应商获得补丁信息： http://www.vauxhall.co.uk/onstar/index.html

Reference

https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04 https://www.securityfocus.com/bid/102481

Impacted products

Name
General MotorsGM Shanghai OnStarSOSiOS Client 7.1

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "102481"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-12697"
    }
  },
  "description": "General Motors\uff08GM\uff09\u548cShanghai OnStar\uff08SOS\uff09iOS Client\u662f\u4e00\u6b3e\u57fa\u4e8eiOS\u5e73\u53f0\u7684\u5728\u673a\u52a8\u8f66\u53d1\u751f\u78b0\u649e\u65f6\u4e3a\u9a7e\u9a76\u5458\u62e8\u6253SOS\u6c42\u6551\u7535\u8bdd\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nGM\u548cSOS iOS Client 7.1\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u5f53\u5ba2\u6237\u7aef\u8fde\u63a5\u5230\u670d\u52a1\u5668\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\uff0c\u62e6\u622a\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Charles Gans",
  "formalWay": "\u7528\u6237\u53ef\u8054\u7cfb\u4f9b\u5e94\u5546\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttp://www.vauxhall.co.uk/onstar/index.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-00882",
  "openTime": "2018-01-15",
  "patchDescription": "General Motors\uff08GM\uff09\u548cShanghai OnStar\uff08SOS\uff09iOS Client\u662f\u4e00\u6b3e\u57fa\u4e8eiOS\u5e73\u53f0\u7684\u5728\u673a\u52a8\u8f66\u53d1\u751f\u78b0\u649e\u65f6\u4e3a\u9a7e\u9a76\u5458\u62e8\u6253SOS\u6c42\u6551\u7535\u8bdd\u7684\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nGM\u548cSOS iOS Client 7.1\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u5f53\u5ba2\u6237\u7aef\u8fde\u63a5\u5230\u670d\u52a1\u5668\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u4e2d\u95f4\u4eba\u653b\u51fb\uff0c\u62e6\u622a\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "General Motors\u548cShanghai OnStar iOS Client\u4e2d\u95f4\u4eba\u653b\u51fb\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "General MotorsGM Shanghai OnStarSOSiOS Client 7.1"
  },
  "referenceLink": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04\r\nhttps://www.securityfocus.com/bid/102481",
  "serverity": "\u9ad8",
  "submitTime": "2018-01-11",
  "title": "General Motors\u548cShanghai OnStar iOS Client\u4e2d\u95f4\u4eba\u653b\u51fb\u6f0f\u6d1e"
}

CVE-2017-12697 (GCVE-0-2017-12697)

Vulnerability from cvelistv5 – Published: 2018-01-09 21:00 – Updated: 2024-08-05 18:43

Summary

A Man-in-the-Middle issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to intercept sensitive information when the client connects to the server.

Severity ?

No CVSS data available.

CWE

CWE-300

Assigner

icscert

References

URL

Tags

	https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04	x_refsource_MISC
	http://www.securityfocus.com/bid/102481	vdb-entryx_refsource_BID

Impacted products

	Vendor	Product	Version
	n/a	General Motors and Shanghai OnStar (SOS) iOS Client	Affected: General Motors and Shanghai OnStar (SOS) iOS Client

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T18:43:56.540Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04"
          },
          {
            "name": "102481",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102481"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "General Motors and Shanghai OnStar (SOS) iOS Client",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "General Motors and Shanghai OnStar (SOS) iOS Client"
            }
          ]
        }
      ],
      "datePublic": "2018-01-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A Man-in-the-Middle issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to intercept sensitive information when the client connects to the server."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-300",
              "description": "CWE-300",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-01-12T10:57:01",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04"
        },
        {
          "name": "102481",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102481"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2017-12697",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "General Motors and Shanghai OnStar (SOS) iOS Client",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "General Motors and Shanghai OnStar (SOS) iOS Client"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Man-in-the-Middle issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow an attacker to intercept sensitive information when the client connects to the server."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-300"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-234-04"
            },
            {
              "name": "102481",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102481"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2017-12697",
    "datePublished": "2018-01-09T21:00:00",
    "dateReserved": "2017-08-09T00:00:00",
    "dateUpdated": "2024-08-05T18:43:56.540Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2018-00882

CVE-2017-12697 (GCVE-0-2017-12697)

Tags

Sightings

Nomenclature