First published: Fri Mar 02 2018
This vulnerability allows adjacent attackers to inject arbitrary Controller Area Network messages on vulnerable installations of Volkswagen Customer-Link App 1.30 and HTC Customer-Link Bridge. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Customer-Link App and Customer-Link Bridge. The issue results from the lack of a proper protection mechanism against unauthorized firmware updates. An attacker can leverage this vulnerability to inject CAN messages. Was ZDI-CAN-5264.
Credit: zdi-disclosures@trendmicro.com
Affected Software | Affected Version | How to fix |
---|---|---|
HTC Customer-Link Bridge | | |
Volkswagen Customer-Link | =1.30 | |
The severity of CVE-2018-1170 is high with a CVSS score of 8.8.
Vulnerable installations of Volkswagen Customer-Link App 1.30 and HTC Customer-Link Bridge are affected by CVE-2018-1170.
The specific flaw within CVE-2018-1170 allows adjacent attackers to inject arbitrary Controller Area Network (CAN) messages.
No, authentication is not required to exploit CVE-2018-1170.
Currently, there is no known fix or patch for CVE-2018-1170. It is recommended to follow the vendor's security advisories for any updates or mitigation steps.