ID

VAR-201604-0278


CVE

CVE-2016-2354


TITLE

Lemur Vehicle Monitors BlueDriver LSB2 does not authenticate users for Bluetooth access

Trust: 0.8

sources: CERT/CC: VU#615456

DESCRIPTION

The Bluetooth functionality in Lemur Vehicle Monitors BlueDriver before 2016-04-07 supports unrestricted pairing without a PIN, which allows remote attackers to send arbitrary CAN commands by leveraging access to a device inside or adjacent to the vehicle, as demonstrated by a CAN command to disrupt braking or steering. The Lemur Vehicle Monitors BlueDriver LSB2 is a device that connects to the OBD2 port to provide information about vehicle performance. The BlueDriver LSB2 does not require a PIN for Bluetooth access, so anyone within Bluetooth range of the vehicle can send arbitrary commands to the CAN (Controller Area Network) bus. Missing authentication for critical function (CWE-306) - CVE-2016-2354: CERT/CC has confirmed that the BlueDriver LSB2 does not require a PIN for Bluetooth access. Because of this issue, anyone within Bluetooth range can obtain OBD2 diagnostic information such as fuel consumption, trouble codes, speed, and displacement information. The attacker can also send arbitrary commands to the CAN (Controller Area Network) bus. Depending on the vehicle, attackers can affect steering and braking. CWE-306: Missing Authentication for Critical Function http://cwe.mitre.org/data/definitions/306.html In addition, the National Vulnerability Database (NVD) publishes this issue as CWE-284. CWE-284: Improper Access Control http://cwe.mitre.org/data/definitions/284.html Although the attack must be carried out from within Bluetooth wireless range, it is also possible to attack via a mobile phone in the vehicle. Depending on the vehicle type and model, various effects can be expected, from information leaks to life-threatening dangers. Attackers can exploit this issue to gain unauthorized access. This may lead to further attacks.

Trust: 2.61

sources: NVD: CVE-2016-2354 // CERT/CC: VU#615456 // JVNDB: JVNDB-2016-001955 // BID: 85941

IOT TAXONOMY

category: ['vehicle device'], sub_category: vehicle

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: lemurmonitors, model: bluedriver, scope: lte, version: 6.3.2

Trust: 1.0

vendor: lemur vehicle monitors, model: -, scope: -, version: -

Trust: 0.8

vendor: lemur vehicle monitors, model: bluedriver, scope: eq, version: lsb2

Trust: 0.8

vendor: lemurmonitors, model: bluedriver, scope: eq, version: 6.3.2

Trust: 0.6

sources: CERT/CC: VU#615456 // JVNDB: JVNDB-2016-001955 // CNNVD: CNNVD-201604-124 // NVD: CVE-2016-2354

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2016-2354
value: HIGH

Trust: 1.6

nvd@nist.gov: CVE-2016-2354
value: HIGH

Trust: 1.0

CNNVD: CNNVD-201604-124
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2016-2354
severity: HIGH
baseScore: 8.0
vectorString: AV:A/AC:L/AU:N/C:P/I:C/A:C
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

NVD: CVE-2016-2354
severity: HIGH
baseScore: 8.0
vectorString: NONE
accessVector: ADJACENT NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.5
impactScore: 9.5
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2016-2354
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CERT/CC: VU#615456 // JVNDB: JVNDB-2016-001955 // CNNVD: CNNVD-201604-124 // NVD: CVE-2016-2354

PROBLEMTYPE DATA

problemtype:CWE-284

Trust: 1.0

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2016-001955 // NVD: CVE-2016-2354

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201604-124

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201604-124

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-001955

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#615456

PATCH

title: BlueDriver - OBD2 Bluetooth Scan Tool for Apple and Android Smartphones and Tablets, url: http://www.lemurmonitors.com/

Trust: 0.8

title: BlueDriver OBD2 App - Twitter (13:46 - April 11, 2016), url: https://twitter.com/BlueDriverApp/status/719627773602455552

Trust: 0.8

sources: JVNDB: JVNDB-2016-001955

EXTERNAL IDS

db: CERT/CC, id: VU#615456

Trust: 3.2

db: NVD, id: CVE-2016-2354

Trust: 2.8

db: JVN, id: JVNVU92749596

Trust: 0.8

db: JVNDB, id: JVNDB-2016-001955

Trust: 0.8

db: CNNVD, id: CNNVD-201604-124

Trust: 0.6

db: BID, id: 85941

Trust: 0.3

db: OTHER, id: NONE

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#615456 // BID: 85941 // JVNDB: JVNDB-2016-001955 // CNNVD: CNNVD-201604-124 // NVD: CVE-2016-2354

REFERENCES

url:http://www.kb.cert.org/vuls/id/615456

Trust: 2.4

url:http://www.lemurmonitors.com/

Trust: 1.4

url:https://cwe.mitre.org/data/definitions/306.html

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-2354

Trust: 0.8

url:http://jvn.jp/cert/jvnvu92749596

Trust: 0.8

url:https://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2354

Trust: 0.8

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#615456 // JVNDB: JVNDB-2016-001955 // CNNVD: CNNVD-201604-124 // NVD: CVE-2016-2354

CREDITS

Dan Klinedins

Trust: 0.6

sources: CNNVD: CNNVD-201604-124

SOURCES

db: OTHER, id: -
db: CERT/CC, id: VU#615456
db: BID, id: 85941
db: JVNDB, id: JVNDB-2016-001955
db: CNNVD, id: CNNVD-201604-124
db: NVD, id: CVE-2016-2354

LAST UPDATE DATE

2025-04-12T21:19:27.063000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#615456, date: 2016-04-20T00:00:00
db: BID, id: 85941, date: 2016-04-07T00:00:00
db: JVNDB, id: JVNDB-2016-001955, date: 2016-05-31T00:00:00
db: CNNVD, id: CNNVD-201604-124, date: 2016-04-22T00:00:00
db: NVD, id: CVE-2016-2354, date: 2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db: CERT/CC, id: VU#615456, date: 2016-04-07T00:00:00
db: BID, id: 85941, date: 2016-04-07T00:00:00
db: JVNDB, id: JVNDB-2016-001955, date: 2016-04-11T00:00:00
db: CNNVD, id: CNNVD-201604-124, date: 2016-04-08T00:00:00
db: NVD, id: CVE-2016-2354, date: 2016-04-22T00:59:08.527