ID

VAR-201801-1099


CVE

CVE-2017-9663


TITLE

General Motors - Shanghai OnStar of SOS iOS Client Vulnerable to information disclosure

Trust: 0.8

sources: JVNDB: JVNDB-2017-012085

DESCRIPTION

A Cleartext Storage of Sensitive Information issue was discovered in General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client 7.1. Successful exploitation of this vulnerability may allow a remote attacker to access an encryption key that is stored in cleartext in memory. General Motors Shanghai OnStar is prone to multiple security vulnerabilities. An attacker may exploit these issues to gain unauthorized complete access to the affected application by bypassing intended security restrictions, or perform a man-in-the-middle attack to edit or view sensitive information that may aid in launching further attacks. Shanghai OnStar 7.1 is vulnerable; other versions may also be affected.

Trust: 2.61

sources: NVD: CVE-2017-9663 // JVNDB: JVNDB-2017-012085 // CNVD: CNVD-2018-00880 // BID: 102481 // IVD: e2e1a3df-39ab-11e9-9636-000c29342cb1

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.8

sources: IVD: e2e1a3df-39ab-11e9-9636-000c29342cb1 // CNVD: CNVD-2018-00880

AFFECTED PRODUCTS

vendor: gm, model: shanghai onstar, scope: eq, version: 7.1

Trust: 1.6

vendor: general motors onstar, model: sos ios client, scope: eq, version: 7.1

Trust: 0.8

vendor: general, model: motorsgm shanghai onstarsosios client, scope: eq, version: 7.1

Trust: 0.6

vendor: general, model: motors shanghai onstar, scope: eq, version: 7.1

Trust: 0.3

vendor: general, model: motors shanghai onstar, scope: ne, version: 7.2

Trust: 0.3

vendor: onstar, model: -, scope: eq, version: 7.1

Trust: 0.2

sources: IVD: e2e1a3df-39ab-11e9-9636-000c29342cb1 // CNVD: CNVD-2018-00880 // BID: 102481 // JVNDB: JVNDB-2017-012085 // CNNVD: CNNVD-201706-574 // NVD: CVE-2017-9663

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-9663
value: HIGH

Trust: 1.0

NVD: CVE-2017-9663
value: HIGH

Trust: 0.8

CNVD: CNVD-2018-00880
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201706-574
value: HIGH

Trust: 0.6

IVD: e2e1a3df-39ab-11e9-9636-000c29342cb1
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2017-9663
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2018-00880
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2e1a3df-39ab-11e9-9636-000c29342cb1
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2017-9663
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: e2e1a3df-39ab-11e9-9636-000c29342cb1 // CNVD: CNVD-2018-00880 // JVNDB: JVNDB-2017-012085 // CNNVD: CNNVD-201706-574 // NVD: CVE-2017-9663

PROBLEMTYPE DATA

problemtype: CWE-312

Trust: 1.0

problemtype: CWE-200

Trust: 0.8

sources: JVNDB: JVNDB-2017-012085 // NVD: CVE-2017-9663

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-574

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201706-574

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-012085

PATCH

title: Top Page, url: https://www.onstar.com/us/en/home/

Trust: 0.8

title: Patch for General Motors and Shanghai OnStar iOS Client plaintext storage vulnerabilities, url: https://www.cnvd.org.cn/patchInfo/show/113373

Trust: 0.6

sources: CNVD: CNVD-2018-00880 // JVNDB: JVNDB-2017-012085

EXTERNAL IDS

db: NVD, id: CVE-2017-9663

Trust: 3.5

db: ICS CERT, id: ICSA-17-234-04

Trust: 3.3

db: BID, id: 102481

Trust: 2.5

db: CNVD, id: CNVD-2018-00880

Trust: 0.8

db: CNNVD, id: CNNVD-201706-574

Trust: 0.8

db: JVNDB, id: JVNDB-2017-012085

Trust: 0.8

db: IVD, id: E2E1A3DF-39AB-11E9-9636-000C29342CB1

Trust: 0.2

sources: IVD: e2e1a3df-39ab-11e9-9636-000c29342cb1 // CNVD: CNVD-2018-00880 // BID: 102481 // JVNDB: JVNDB-2017-012085 // CNNVD: CNNVD-201706-574 // NVD: CVE-2017-9663

REFERENCES

url: https://ics-cert.us-cert.gov/advisories/icsa-17-234-04

Trust: 3.0

url: http://www.securityfocus.com/bid/102481

Trust: 2.2

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9663

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2017-9663

Trust: 0.8

url: https://www.gm.com/

Trust: 0.3

url:https://ics-cert.us-cert.gov/advisories/icsa-17-234-04 icsa-17-234-04

Trust: 0.3

sources: CNVD: CNVD-2018-00880 // BID: 102481 // JVNDB: JVNDB-2017-012085 // CNNVD: CNNVD-201706-574 // NVD: CVE-2017-9663

CREDITS

Charles Gans

Trust: 0.3

sources: BID: 102481

SOURCES

db: IVD, id: e2e1a3df-39ab-11e9-9636-000c29342cb1
db: CNVD, id: CNVD-2018-00880
db: BID, id: 102481
db: JVNDB, id: JVNDB-2017-012085
db: CNNVD, id: CNNVD-201706-574
db: NVD, id: CVE-2017-9663

LAST UPDATE DATE

2024-11-23T22:12:42.361000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2018-00880, date: 2018-01-15T00:00:00
db: BID, id: 102481, date: 2018-01-09T00:00:00
db: JVNDB, id: JVNDB-2017-012085, date: 2018-02-16T00:00:00
db: CNNVD, id: CNNVD-201706-574, date: 2019-10-17T00:00:00
db: NVD, id: CVE-2017-9663, date: 2024-11-21T03:36:36.500

SOURCES RELEASE DATE

db: IVD, id: e2e1a3df-39ab-11e9-9636-000c29342cb1, date: 2018-01-15T00:00:00
db: CNVD, id: CNVD-2018-00880, date: 2018-01-15T00:00:00
db: BID, id: 102481, date: 2018-01-09T00:00:00
db: JVNDB, id: JVNDB-2017-012085, date: 2018-02-16T00:00:00
db: CNNVD, id: CNNVD-201706-574, date: 2017-06-15T00:00:00
db: NVD, id: CVE-2017-9663, date: 2018-01-09T21:29:00.453