ID

VAR-202001-0455


CVE

CVE-2019-9493


TITLE

MyCar Controls uses hard-coded credentials

Trust: 0.8

sources: CERT/CC: VU#174715

DESCRIPTION

The MyCar Controls mobile application from AutoMobility Distribution Inc. contains hard-coded admin credentials. A remote unauthenticated attacker may be able to send commands to and retrieve data from a target MyCar unit. This may allow the attacker to learn the location of a target, or gain unauthorized physical access to a vehicle. This issue affects AutoMobility MyCar versions prior to 3.4.24 on iOS and versions prior to 4.1.2 on Android. This issue has additionally been fixed in Carlink, Link, Visions MyCar, and MyCar Kia. The AutoMobility Distribution Inc. smartphone app "MyCar Controls" contains hard-coded administrative authentication information that can be used as an alternative to the username and password when the user communicates with the server endpoint (CWE-798). A remote unauthorized third party may send commands to or obtain data from the product. AutoMobility Distribution MyCar Controls is prone to a security-bypass vulnerability. Attackers can exploit this issue to gain unauthorized access to the affected device, obtain sensitive information, or bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks.

Trust: 2.7

sources: NVD: CVE-2019-9493 // CERT/CC: VU#174715 // JVNDB: JVNDB-2019-002558 // BID: 107827 // VULMON: CVE-2019-9493

IOT TAXONOMY

category: ['vehicle device'], sub_category: vehicle

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: mycarcontrols, model: mycar controls, scope: lt, version: 3.4.24

Trust: 1.0

vendor: mycarcontrols, model: mycar controls, scope: lt, version: 4.1.2

Trust: 1.0

vendor: automobility distribution, model: -, scope: -, version: -

Trust: 0.8

vendor: automobility distribution, model: mycar controls, scope: lt, version: android the app v4.1.2 earlier

Trust: 0.8

vendor: automobility distribution, model: mycar controls, scope: lt, version: ios the app v3.4.24 earlier

Trust: 0.8

vendor: automobility, model: distribution mycar controls for android, scope: eq, version: 4.0.12

Trust: 0.3

vendor: automobility, model: distribution mycar controls for android, scope: eq, version: 3.4.29

Trust: 0.3

vendor: automobility, model: distribution mycar controls for android, scope: eq, version: 3.3.22

Trust: 0.3

vendor: automobility, model: distribution mycar controls, scope: eq, version: 3.3.95

Trust: 0.3

vendor: automobility, model: distribution mycar controls, scope: eq, version: 3.3.56

Trust: 0.3

vendor: automobility, model: distribution mycar controls, scope: eq, version: 3.3.40

Trust: 0.3

vendor: automobility, model: distribution mycar controls for android, scope: ne, version: 4.1.2

Trust: 0.3

vendor: automobility, model: distribution mycar controls, scope: ne, version: 3.4.24

Trust: 0.3

sources: CERT/CC: VU#174715 // BID: 107827 // JVNDB: JVNDB-2019-002558 // NVD: CVE-2019-9493

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-9493
value: CRITICAL

Trust: 1.0

cret@cert.org: CVE-2019-9493
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-9493
value: HIGH

Trust: 0.8

JPCERT/CC: JVNDB-2019-002558
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-201904-519
value: HIGH

Trust: 0.6

VULMON: CVE-2019-9493
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2019-9493
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: CVE-2019-9493
severity: HIGH
baseScore: 7.5
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

JPCERT/CC: JVNDB-2019-002558
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

nvd@nist.gov: CVE-2019-9493
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

cret@cert.org: CVE-2019-9493
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.1

Trust: 1.0

JPCERT/CC: JVNDB-2019-002558
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CERT/CC: VU#174715 // VULMON: CVE-2019-9493 // JVNDB: JVNDB-2019-002558 // CNNVD: CNNVD-201904-519 // NVD: CVE-2019-9493 // NVD: CVE-2019-9493

PROBLEMTYPE DATA

problemtype:CWE-798

Trust: 1.0

sources: NVD: CVE-2019-9493

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201904-519

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201904-519

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-002558

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#174715

PATCH

title: My Car | Start, control and locate your car from virtually anywhere
url: https://mycarcontrols.com/

Trust: 0.8

title: MyCar Controls - App Store
url: https://itunes.apple.com/ca/app/mycar-controls/id1126511815

Trust: 0.8

title: MyCar Controls - Android app on Google Play
url: https://play.google.com/store/apps/details?id=app.com.automobility.mycar.control

Trust: 0.8

title: AutoMobility Distribution MyCar Controls Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91336

Trust: 0.6

sources: JVNDB: JVNDB-2019-002558 // CNNVD: CNNVD-201904-519

EXTERNAL IDS

db: CERT/CC, id: VU#174715

Trust: 3.6

db: NVD, id: CVE-2019-9493

Trust: 2.9

db: BID, id: 107827

Trust: 2.0

db: JVN, id: JVNVU96036964

Trust: 0.8

db: JVNDB, id: JVNDB-2019-002558

Trust: 0.8

db: CNNVD, id: CNNVD-201904-519

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

db: VULMON, id: CVE-2019-9493

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#174715 // VULMON: CVE-2019-9493 // BID: 107827 // JVNDB: JVNDB-2019-002558 // CNNVD: CNNVD-201904-519 // NVD: CVE-2019-9493

REFERENCES

url:https://mycarcontrols.com/

Trust: 3.3

url:https://play.google.com/store/apps/details?id=app.com.automobility.mycar.control

Trust: 2.8

url:https://www.kb.cert.org/vuls/id/174715/

Trust: 2.8

url:https://itunes.apple.com/us/app/mycar-controls/id1126511815

Trust: 2.5

url:https://www.securityfocus.com/bid/107827

Trust: 2.3

url:https://cwe.mitre.org/data/definitions/798.html

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-9493

Trust: 0.8

url:https://jvn.jp/vu/jvnvu96036964/

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2019-9493

Trust: 0.6

url:https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.kb.cert.org/vuls/id/174715

Trust: 0.1

sources: OTHER: None // CERT/CC: VU#174715 // VULMON: CVE-2019-9493 // BID: 107827 // JVNDB: JVNDB-2019-002558 // CNNVD: CNNVD-201904-519 // NVD: CVE-2019-9493

CREDITS

Jmaxxz

Trust: 0.9

sources: BID: 107827 // CNNVD: CNNVD-201904-519

SOURCES

db: OTHER, id: -
db: CERT/CC, id: VU#174715
db: VULMON, id: CVE-2019-9493
db: BID, id: 107827
db: JVNDB, id: JVNDB-2019-002558
db: CNNVD, id: CNNVD-201904-519
db: NVD, id: CVE-2019-9493

LAST UPDATE DATE

2025-01-30T21:03:57.978000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#174715, date: 2019-04-08T00:00:00
db: VULMON, id: CVE-2019-9493, date: 2020-01-24T00:00:00
db: BID, id: 107827, date: 2019-04-08T00:00:00
db: JVNDB, id: JVNDB-2019-002558, date: 2019-04-11T00:00:00
db: CNNVD, id: CNNVD-201904-519, date: 2020-01-17T00:00:00
db: NVD, id: CVE-2019-9493, date: 2024-11-21T04:51:43.527

SOURCES RELEASE DATE

db: CERT/CC, id: VU#174715, date: 2019-04-08T00:00:00
db: VULMON, id: CVE-2019-9493, date: 2020-01-15T00:00:00
db: BID, id: 107827, date: 2019-04-08T00:00:00
db: JVNDB, id: JVNDB-2019-002558, date: 2019-04-11T00:00:00
db: CNNVD, id: CNNVD-201904-519, date: 2019-04-08T00:00:00
db: NVD, id: CVE-2019-9493, date: 2020-01-15T17:15:14.660