Details of VAR-201704-1010

ID

VAR-201704-1010

CVE

CVE-2017-6052

TITLE

Hyundai Motor America Blue Link Security Bypass Vulnerability

Trust: 0.8

sources: IVD: faa671c0-1526-4bb8-9b04-b94bcce92bdb // CNVD: CNVD-2017-06731

DESCRIPTION

A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints. Blue Link Contains vulnerabilities related to authorization, permissions, and access control.Information may be obtained and information may be altered. HyundaiMotorBlueLink is a new car from Hyundai Motor. A security bypass vulnerability exists in HyundaiMotorAmericaBlueLink 3.9.5 and 3.9.4. An information disclosure vulnerability 2. A security-bypass vulnerability An attacker may leverage these issues to gain sensitive information and bypass certain security restrictions and perform unauthorized actions. Blue Link version 3.9.5 and 3.9.4 are vulnerable

Trust: 2.61

sources: NVD: CVE-2017-6052 // JVNDB: JVNDB-2017-003614 // CNVD: CNVD-2017-06731 // BID: 98033 // IVD: faa671c0-1526-4bb8-9b04-b94bcce92bdb

IOT TAXONOMY

category:	['ICS', 'Network device']	sub_category:	-	Trust: 0.6
category:	['ICS']	sub_category:	-	Trust: 0.2

sources: IVD: faa671c0-1526-4bb8-9b04-b94bcce92bdb // CNVD: CNVD-2017-06731

AFFECTED PRODUCTS

vendor:	hyundaiusa	model:	blue link	scope:	eq	version:	3.9.5	Trust: 1.6
vendor:	hyundaiusa	model:	blue link	scope:	eq	version:	3.9.4	Trust: 1.6
vendor:	hyundai motor america	model:	blue link	scope:	eq	version:	3.9.4	Trust: 0.8
vendor:	hyundai motor america	model:	blue link	scope:	eq	version:	3.9.5	Trust: 0.8
vendor:	hyundai	model:	motor america blue link	scope:	eq	version:	3.9.5	Trust: 0.6
vendor:	hyundai	model:	motor america blue link	scope:	eq	version:	3.9.4	Trust: 0.6
vendor:	hyundai	model:	blue link	scope:	eq	version:	3.9.5	Trust: 0.3
vendor:	hyundai	model:	blue link	scope:	eq	version:	3.9.4	Trust: 0.3
vendor:	blue link	model:	-	scope:	eq	version:	3.9.4	Trust: 0.2
vendor:	blue link	model:	-	scope:	eq	version:	3.9.5	Trust: 0.2

sources: IVD: faa671c0-1526-4bb8-9b04-b94bcce92bdb // CNVD: CNVD-2017-06731 // BID: 98033 // JVNDB: JVNDB-2017-003614 // CNNVD: CNNVD-201704-1451 // NVD: CVE-2017-6052

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-6052
value:	LOW
Trust: 1.0
NVD:	CVE-2017-6052
value:	LOW
Trust: 0.8
CNVD:	CNVD-2017-06731
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201704-1451
value:	LOW
Trust: 0.6
IVD:	faa671c0-1526-4bb8-9b04-b94bcce92bdb
value:	LOW
Trust: 0.2

nvd@nist.gov:	CVE-2017-6052
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	5.5
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-06731
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	5.5
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
IVD:	faa671c0-1526-4bb8-9b04-b94bcce92bdb
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:A/AC:M/AU:N/C:P/I:P/A:N
accessVector:	ADJACENT_NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	5.5
impactScore:	4.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

nvd@nist.gov:	CVE-2017-6052
baseSeverity:	LOW
baseScore:	3.7
vectorString:	CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
attackVector:	ADJACENT
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	1.2
impactScore:	2.5
version:	3.0
Trust: 1.8

sources: IVD: faa671c0-1526-4bb8-9b04-b94bcce92bdb // CNVD: CNVD-2017-06731 // JVNDB: JVNDB-2017-003614 // CNNVD: CNNVD-201704-1451 // NVD: CVE-2017-6052

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-300	Trust: 1.0
problemtype:	CWE-264	Trust: 0.8

sources: JVNDB: JVNDB-2017-003614 // NVD: CVE-2017-6052

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201704-1451

TYPE

permissions and access control issues

Trust: 0.6

sources: CNNVD: CNNVD-201704-1451

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-003614

PATCH

title:	Blue Link	url:	https://www.hyundaiusa.com/bluelink/index.aspx	Trust: 0.8
title:	HyundaiMotorAmericaBlueLink Security Bypass Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/93816	Trust: 0.6
title:	Hyundai Motor America Blue Link Security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=69680	Trust: 0.6

sources: CNVD: CNVD-2017-06731 // JVNDB: JVNDB-2017-003614 // CNNVD: CNNVD-201704-1451

EXTERNAL IDS

db:	NVD	id:	CVE-2017-6052	Trust: 3.5
db:	ICS CERT	id:	ICSA-17-115-03	Trust: 3.3
db:	BID	id:	98033	Trust: 2.5
db:	CNVD	id:	CNVD-2017-06731	Trust: 0.8
db:	CNNVD	id:	CNNVD-201704-1451	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-003614	Trust: 0.8
db:	IVD	id:	FAA671C0-1526-4BB8-9B04-B94BCCE92BDB	Trust: 0.2

sources: IVD: faa671c0-1526-4bb8-9b04-b94bcce92bdb // CNVD: CNVD-2017-06731 // BID: 98033 // JVNDB: JVNDB-2017-003614 // CNNVD: CNNVD-201704-1451 // NVD: CVE-2017-6052

REFERENCES

url:	https://ics-cert.us-cert.gov/advisories/icsa-17-115-03	Trust: 3.3
url:	https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed	Trust: 1.6
url:	http://www.securityfocus.com/bid/98033	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-6052	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-6052	Trust: 0.8
url:	https://www.hyundaiusa.com/	Trust: 0.3

sources: CNVD: CNVD-2017-06731 // BID: 98033 // JVNDB: JVNDB-2017-003614 // CNNVD: CNNVD-201704-1451 // NVD: CVE-2017-6052

CREDITS

Will Hatzer and Arjun Kumar working with Rapid7.

Trust: 0.3

sources: BID: 98033

SOURCES

db:	IVD	id:	faa671c0-1526-4bb8-9b04-b94bcce92bdb
db:	CNVD	id:	CNVD-2017-06731
db:	BID	id:	98033
db:	JVNDB	id:	JVNDB-2017-003614
db:	CNNVD	id:	CNNVD-201704-1451
db:	NVD	id:	CVE-2017-6052

LAST UPDATE DATE

2025-04-20T23:27:25.992000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-06731	date:	2017-05-16T00:00:00
db:	BID	id:	98033	date:	2017-05-02T00:10:00
db:	JVNDB	id:	JVNDB-2017-003614	date:	2017-05-31T00:00:00
db:	CNNVD	id:	CNNVD-201704-1451	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-6052	date:	2025-04-20T01:37:25.860

SOURCES RELEASE DATE

db:	IVD	id:	faa671c0-1526-4bb8-9b04-b94bcce92bdb	date:	2017-05-16T00:00:00
db:	CNVD	id:	CNVD-2017-06731	date:	2017-04-27T00:00:00
db:	BID	id:	98033	date:	2017-04-25T00:00:00
db:	JVNDB	id:	JVNDB-2017-003614	date:	2017-05-31T00:00:00
db:	CNNVD	id:	CNNVD-201704-1451	date:	2017-04-27T00:00:00
db:	NVD	id:	CVE-2017-6052	date:	2017-04-26T14:59:00.160