Insufficient Verification of Data Authenticity

CVE-2015-2908

High

9/10

Summary

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.

Access Complexity: LOW
AccessVector: NETWORK
Authentication: SINGLE
Integrity Impact: COMPLETE
Confidentiality Impact: COMPLETE
Availability Impact: COMPLETE

CWE-345 - Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References

Advisory Timeline

Published Aug 23, 2015

Insufficient Verification of Data Authenticity

CVE-2015-2908

Summary

CWE-345 - Insufficient Verification of Data Authenticity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS