ID

VAR-201508-0605


CVE

CVE-2015-2906


TITLE

Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#209512

DESCRIPTION

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers' installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation.

Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities.

** Unsettled ** This case has not been confirmed as a vulnerability. The vendor has announced: "This is for developers. / Due to a problem with the debugging device, it is not included in the device for general customers, but is fixed (invalidated) in the current release."

Supplementary information: the vulnerability type has been identified as CWE-321: Use of Hard-coded Cryptographic Key. http://cwe.mitre.org/data/definitions/321.html

A third party may obtain access rights by using private key information from another installation.

Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning. The vulnerability stems from different customers' installations storing the same SSH private key.

Trust: 2.43

sources: NVD: CVE-2015-2906 // CERT/CC: VU#209512 // JVNDB: JVNDB-2015-004406 // VULHUB: VHN-80867

AFFECTED PRODUCTS

vendor: mobile devices, model: c4 obd-ii dongle, scope: lte, version: 3.4

Trust: 1.0

vendor: metromile, model: -, scope: -, version: -

Trust: 0.8

vendor: mobile devices, model: -, scope: -, version: -

Trust: 0.8

vendor: mobile devices, model: c4 obd2 dongle, scope: eq, version: 2.x

Trust: 0.8

vendor: mobile devices, model: c4 obd2 dongle, scope: eq, version: 3.4.x

Trust: 0.8

vendor: mobile devices, model: c4 obd-ii dongle, scope: eq, version: 3.4

Trust: 0.6

sources: CERT/CC: VU#209512 // JVNDB: JVNDB-2015-004406 // CNNVD: CNNVD-201508-496 // NVD: CVE-2015-2906

CVSS

SEVERITY

nvd@nist.gov: CVE-2015-2906
value: HIGH

Trust: 1.0

NVD: CVE-2015-2906
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201508-496
value: MEDIUM

Trust: 0.6

VULHUB: VHN-80867
value: HIGH

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2015-2906
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-80867
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-80867 // JVNDB: JVNDB-2015-004406 // CNNVD: CNNVD-201508-496 // NVD: CVE-2015-2906

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-004406 // NVD: CVE-2015-2906

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-496

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201508-496

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004406

PATCH

title: C4 OBD2 Dongle, url: http://www.mobile-devices.com/our-products/c4-obd2-dongle/

Trust: 0.8

title: Mobile Devices Ingenierie C4 OBD2 Dongle Security vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=226414

Trust: 0.6

sources: JVNDB: JVNDB-2015-004406 // CNNVD: CNNVD-201508-496

EXTERNAL IDS

db: CERT/CC, id: VU#209512

Trust: 3.3

db: NVD, id: CVE-2015-2906

Trust: 2.5

db: JVN, id: JVNVU93910224

Trust: 0.8

db: JVNDB, id: JVNDB-2015-004406

Trust: 0.8

db: CNNVD, id: CNNVD-201508-496

Trust: 0.7

db: VULHUB, id: VHN-80867

Trust: 0.1

sources: CERT/CC: VU#209512 // VULHUB: VHN-80867 // JVNDB: JVNDB-2015-004406 // CNNVD: CNNVD-201508-496 // NVD: CVE-2015-2906

REFERENCES

url:https://www.usenix.org/conference/woot15/workshop-program/presentation/foster

Trust: 3.3

url:http://www.kb.cert.org/vuls/id/209512

Trust: 2.5

url:http://www.mobile-devices.com/our-products/c4-obd2-dongle/

Trust: 0.8

url:http://illmatics.com/car_hacking.pdf

Trust: 0.8

url:http://www.autosec.org/pubs/cars-usenixsec2011.pdf

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2906

Trust: 0.8

url:http://jvn.jp/vu/jvnvu93910224/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2906

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/ckig-9zaqgx

Trust: 0.8

sources: CERT/CC: VU#209512 // VULHUB: VHN-80867 // JVNDB: JVNDB-2015-004406 // CNNVD: CNNVD-201508-496 // NVD: CVE-2015-2906

SOURCES

db: CERT/CC, id: VU#209512
db: VULHUB, id: VHN-80867
db: JVNDB, id: JVNDB-2015-004406
db: CNNVD, id: CNNVD-201508-496
db: NVD, id: CVE-2015-2906

LAST UPDATE DATE

2025-04-12T23:15:39.133000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#209512, date: 2015-08-28T00:00:00
db: VULHUB, id: VHN-80867, date: 2023-02-22T00:00:00
db: JVNDB, id: JVNDB-2015-004406, date: 2015-08-26T00:00:00
db: CNNVD, id: CNNVD-201508-496, date: 2023-02-23T00:00:00
db: NVD, id: CVE-2015-2906, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#209512, date: 2015-08-11T00:00:00
db: VULHUB, id: VHN-80867, date: 2015-08-23T00:00:00
db: JVNDB, id: JVNDB-2015-004406, date: 2015-08-26T00:00:00
db: CNNVD, id: CNNVD-201508-496, date: 2015-08-24T00:00:00
db: NVD, id: CVE-2015-2906, date: 2015-08-23T21:59:02.933