Advisory Details

February 27th, 2018

Volkswagen Customer-Link App Protection Mechanism Failure CAN Message Injection Vulnerability

ZDI-18-214
ZDI-CAN-5264

CVE ID: CVE-2018-1170
CVSS SCORE: 8.3, AV:A/AC:L/Au:N/C:C/I:C/A:C
AFFECTED VENDORS: Volkswagen
AFFECTED PRODUCTS: Customer-Link App
VULNERABILITY DETAILS


This vulnerability allows adjacent attackers to inject arbitrary Controller Area Network messages on vulnerable installations of Volkswagen Customer-Link App and HTC Customer-Link Bridge. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Customer-Link App and Customer-Link Bridge. The issue results from the lack of a proper protection mechanism against unauthorized firmware updates. An attacker can leverage this vulnerability to inject CAN messages.

ADDITIONAL DETAILS


Fixed in version 2.08


DISCLOSURE TIMELINE
  • 2017-10-18 - Vulnerability reported to vendor
  • 2018-02-27 - Coordinated public release of advisory
  • 2018-02-27 - Advisory Updated
CREDIT: Aaron Luo; Spencer Hsieh (TrendMicro)