Sign-up

ID

VAR-201508-0606


CVE

CVE-2015-2907


TITLE

Mobile Devices C4 ODB2 dongle contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#209512

DESCRIPTION

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, have hardcoded SSH credentials, which makes it easier for remote attackers to obtain access by leveraging knowledge of the required username and password. Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities. ** Unsettled ** This case has not been confirmed as a vulnerability. The vendor says, “This is for developers. / Due to a problem with the debugging device, it is not included in the device for general customers, but is fixed at the current release ( Invalidation ) Has been announced. " Supplementary information : CWE Vulnerability type by CWE-798: Use of Hard-coded Credentials ( Using hard-coded credentials ) Has been identified. http://cwe.mitre.org/data/definitions/798.htmlAn access right may be obtained by using the requested user name and password information by a third party. A remote attacker could exploit the vulnerability with a known username and password to gain access. Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the mileage of the vehicle through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile network and built-in GPS, and retrieves lost vehicles through positioning

Trust: 2.97

sources: NVD: CVE-2015-2907 // CERT/CC: VU#209512 // JVNDB: JVNDB-2015-004407 // CNVD: CNVD-2015-05628 // VULHUB: VHN-80868

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2015-05628

AFFECTED PRODUCTS

vendor:mobile devicesmodel:c4 obd-ii donglescope:lteversion:3.4

Trust: 1.0

vendor:metromilemodel: - scope: - version: -

Trust: 0.8

vendor:mobile devicesmodel: - scope: - version: -

Trust: 0.8

vendor:mobile devicesmodel:c4 obd2 donglescope:eqversion:2.x

Trust: 0.8

vendor:mobile devicesmodel:c4 obd2 donglescope:eqversion:3.4.x

Trust: 0.8

vendor:mobilemodel:devices c4 obd-ii dongles withscope:eqversion:2.x

Trust: 0.6

vendor:mobilemodel:devices c4 obd-ii dongles withscope:eqversion:3.4.x

Trust: 0.6

vendor:mobile devicesmodel:c4 obd-ii donglescope:eqversion:3.4

Trust: 0.6

sources: CERT/CC: VU#209512 // CNVD: CNVD-2015-05628 // JVNDB: JVNDB-2015-004407 // CNNVD: CNNVD-201508-497 // NVD: CVE-2015-2907

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2907
value: HIGH

Trust: 1.0

NVD: CVE-2015-2907
value: HIGH

Trust: 0.8

CNVD: CNVD-2015-05628
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201508-497
value: HIGH

Trust: 0.6

VULHUB: VHN-80868
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-2907
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-05628
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-80868
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2015-05628 // VULHUB: VHN-80868 // JVNDB: JVNDB-2015-004407 // CNNVD: CNNVD-201508-497 // NVD: CVE-2015-2907

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-004407 // NVD: CVE-2015-2907

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-497

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201508-497

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-004407

PATCH
title:C4 OBD2 Dongleurl:http://www.mobile-devices.com/our-products/c4-obd2-dongle/
Trust: 0.8
title:Patch for Mobile Devices C4 OBD2 Dongle Access Viability (CNVD-2015-05628)url:https://www.cnvd.org.cn/patchInfo/show/63061
Trust: 0.6
title:Mobile Devices Ingenierie C4 OBD2 Dongle Security vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=227305
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-05628 // 
            
            
            
            JVNDB: JVNDB-2015-004407 // 
            
            
            
            CNNVD: CNNVD-201508-497

EXTERNAL IDS
db:CERT/CCid:VU#209512
Trust: 3.3
db:NVDid:CVE-2015-2907
Trust: 3.1
db:JVNid:JVNVU93910224
Trust: 0.8
db:JVNDBid:JVNDB-2015-004407
Trust: 0.8
db:CNNVDid:CNNVD-201508-497
Trust: 0.7
db:CNVDid:CNVD-2015-05628
Trust: 0.6
db:VULHUBid:VHN-80868
Trust: 0.1
sources:
            
            
            CERT/CC: VU#209512 // 
            
            
            
            CNVD: CNVD-2015-05628 // 
            
            
            
            VULHUB: VHN-80868 // 
            
            
            
            JVNDB: JVNDB-2015-004407 // 
            
            
            
            CNNVD: CNNVD-201508-497 // 
            
            
            
            NVD: CVE-2015-2907

REFERENCES
url:https://www.usenix.org/conference/woot15/workshop-program/presentation/foster
Trust: 3.9
url:http://www.kb.cert.org/vuls/id/209512
Trust: 2.5
url:http://www.mobile-devices.com/our-products/c4-obd2-dongle/
Trust: 0.8
url:http://illmatics.com/car_hacking.pdf
Trust: 0.8
url:http://www.autosec.org/pubs/cars-usenixsec2011.pdf
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2907
Trust: 0.8
url:http://jvn.jp/vu/jvnvu93910224/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2907
Trust: 0.8
url:http://www.kb.cert.org/vuls/id/ckig-9zaqgx
Trust: 0.8
sources:
            
            
            CERT/CC: VU#209512 // 
            
            
            
            CNVD: CNVD-2015-05628 // 
            
            
            
            VULHUB: VHN-80868 // 
            
            
            
            JVNDB: JVNDB-2015-004407 // 
            
            
            
            CNNVD: CNNVD-201508-497 // 
            
            
            
            NVD: CVE-2015-2907

SOURCES
db:CERT/CCid:VU#209512
db:CNVDid:CNVD-2015-05628
db:VULHUBid:VHN-80868
db:JVNDBid:JVNDB-2015-004407
db:CNNVDid:CNNVD-201508-497
db:NVDid:CVE-2015-2907

LAST UPDATE DATE
2025-04-12T23:15:39.161000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#209512date:2015-08-28T00:00:00
db:CNVDid:CNVD-2015-05628date:2015-08-27T00:00:00
db:VULHUBid:VHN-80868date:2023-03-01T00:00:00
db:JVNDBid:JVNDB-2015-004407date:2015-08-26T00:00:00
db:CNNVDid:CNNVD-201508-497date:2023-03-02T00:00:00
db:NVDid:CVE-2015-2907date:2025-04-12T10:46:40.837

SOURCES RELEASE DATE
db:CERT/CCid:VU#209512date:2015-08-11T00:00:00
db:CNVDid:CNVD-2015-05628date:2015-08-27T00:00:00
db:VULHUBid:VHN-80868date:2015-08-23T00:00:00
db:JVNDBid:JVNDB-2015-004407date:2015-08-26T00:00:00
db:CNNVDid:CNNVD-201508-497date:2015-08-24T00:00:00
db:NVDid:CVE-2015-2907date:2015-08-23T21:59:04.027