ID

VAR-201508-0607


CVE

CVE-2015-2908


TITLE

Mobile Devices C4 OBD2 dongle contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#209512

DESCRIPTION

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.

Mobile Devices C4 OBD2 dongle, and potentially other rebranded devices, contains multiple vulnerabilities.

** Unsettled ** This case has not been confirmed as a vulnerability. The vendor states: "(1) This is for developers / This is a bug in the debugging device. 3 It has been corrected a year ago. Local connection is enabled in the developer version (2) This problem, SMS is valid, or 3 It only occurs with older software older than a year."

Supplementary information: the vulnerability type has been identified as CWE-345: Insufficient Verification of Data Authenticity. http://cwe.mitre.org/data/definitions/345.html

Arbitrary code may be executed by a third party by specifying the update server.

Metromile Pulse (formerly known as Metronome) is a set of auto insurance business software from Metromile Company in the United States that reads the vehicle's mileage through OBD2 (on-board diagnostic system) and charges according to the mileage. The software supports mobile networks and built-in GPS, and retrieves lost vehicles through positioning.

Trust: 2.43

sources: NVD: CVE-2015-2908 // CERT/CC: VU#209512 // JVNDB: JVNDB-2015-004408 // VULHUB: VHN-80869

AFFECTED PRODUCTS

vendor: mobile devices, model: c4 obd-ii dongle, scope: lte, version: 3.4

Trust: 1.0

vendor: metromile, model: -, scope: -, version: -

Trust: 0.8

vendor: mobile devices, model: -, scope: -, version: -

Trust: 0.8

vendor: mobile devices, model: c4 obd2 dongle, scope: eq, version: 2.x

Trust: 0.8

vendor: mobile devices, model: c4 obd2 dongle, scope: eq, version: 3.4.x

Trust: 0.8

vendor: mobile devices, model: c4 obd-ii dongle, scope: eq, version: 3.4

Trust: 0.6

sources: CERT/CC: VU#209512 // JVNDB: JVNDB-2015-004408 // CNNVD: CNNVD-201508-498 // NVD: CVE-2015-2908

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-2908
value: HIGH

Trust: 1.0

NVD: CVE-2015-2908
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201508-498
value: MEDIUM

Trust: 0.6

VULHUB: VHN-80869
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2015-2908
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-80869
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-80869 // JVNDB: JVNDB-2015-004408 // CNNVD: CNNVD-201508-498 // NVD: CVE-2015-2908

PROBLEMTYPE DATA

problemtype:CWE-345

Trust: 1.1

problemtype:CWE-Other

Trust: 0.8

sources: VULHUB: VHN-80869 // JVNDB: JVNDB-2015-004408 // NVD: CVE-2015-2908

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201508-498

TYPE

data forgery

Trust: 0.6

sources: CNNVD: CNNVD-201508-498

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004408

PATCH

title: C4 OBD2 Dongle, url: http://www.mobile-devices.com/our-products/c4-obd2-dongle/

Trust: 0.8

title: Mobile Devices Ingenierie C4 OBD2 Dongle Fixes for arbitrary code execution vulnerabilities, url: http://123.124.177.30/web/xxk/bdxqById.tag?id=227306

Trust: 0.6

sources: JVNDB: JVNDB-2015-004408 // CNNVD: CNNVD-201508-498

EXTERNAL IDS

db: CERT/CC, id: VU#209512

Trust: 3.3

db: NVD, id: CVE-2015-2908

Trust: 2.5

db: JVN, id: JVNVU93910224

Trust: 0.8

db: JVNDB, id: JVNDB-2015-004408

Trust: 0.8

db: CNNVD, id: CNNVD-201508-498

Trust: 0.7

db: VULHUB, id: VHN-80869

Trust: 0.1

sources: CERT/CC: VU#209512 // VULHUB: VHN-80869 // JVNDB: JVNDB-2015-004408 // CNNVD: CNNVD-201508-498 // NVD: CVE-2015-2908

REFERENCES

url:https://www.usenix.org/conference/woot15/workshop-program/presentation/foster

Trust: 3.3

url:http://www.kb.cert.org/vuls/id/209512

Trust: 2.5

url:http://www.mobile-devices.com/our-products/c4-obd2-dongle/

Trust: 0.8

url:http://illmatics.com/car_hacking.pdf

Trust: 0.8

url:http://www.autosec.org/pubs/cars-usenixsec2011.pdf

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2908

Trust: 0.8

url:http://jvn.jp/vu/jvnvu93910224/

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2908

Trust: 0.8

url:http://www.kb.cert.org/vuls/id/ckig-9zaqgx

Trust: 0.8

sources: CERT/CC: VU#209512 // VULHUB: VHN-80869 // JVNDB: JVNDB-2015-004408 // CNNVD: CNNVD-201508-498 // NVD: CVE-2015-2908

SOURCES

db: CERT/CC, id: VU#209512
db: VULHUB, id: VHN-80869
db: JVNDB, id: JVNDB-2015-004408
db: CNNVD, id: CNNVD-201508-498
db: NVD, id: CVE-2015-2908

LAST UPDATE DATE

2025-04-12T23:15:39.194000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#209512, date: 2015-08-28T00:00:00
db: VULHUB, id: VHN-80869, date: 2023-03-01T00:00:00
db: JVNDB, id: JVNDB-2015-004408, date: 2015-08-26T00:00:00
db: CNNVD, id: CNNVD-201508-498, date: 2023-03-03T00:00:00
db: NVD, id: CVE-2015-2908, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#209512, date: 2015-08-11T00:00:00
db: VULHUB, id: VHN-80869, date: 2015-08-23T00:00:00
db: JVNDB, id: JVNDB-2015-004408, date: 2015-08-26T00:00:00
db: CNNVD, id: CNNVD-201508-498, date: 2015-08-24T00:00:00
db: NVD, id: CVE-2015-2908, date: 2015-08-23T21:59:05.217