ID

VAR-202012-1499


CVE

CVE-2020-8539


TITLE

Kia Motors Head Unit Inappropriate Default Permission Vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2020-014034

DESCRIPTION

Kia Motors Head Unit with software versions SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable daemon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle. Kia Motors Head Unit is vulnerable to incorrect default permissions. Information may be obtained or tampered with, and service may be disrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2020-8539 // JVNDB: JVNDB-2020-014034

IOT TAXONOMY

category: ['vehicle device'], sub_category: vehicle

Trust: 0.1

sources: OTHER: None

AFFECTED PRODUCTS

vendor: kia, model: head unit, scope: eq, version: sop.005.7.181019

Trust: 1.0

vendor: kia, model: head unit, scope: eq, version: sop.003.30.18.0703

Trust: 1.0

vendor: kia, model: head unit, scope: eq, version: sop.007.1.191209

Trust: 1.0

vendor: 起亜自動車, model: head unit, scope: eq, version: head unit firmware sop.003.30.18.0703

Trust: 0.8

vendor: 起亜自動車, model: head unit, scope: eq, version: head unit firmware sop.007.1.191209

Trust: 0.8

vendor: 起亜自動車, model: head unit, scope: eq, version: head unit firmware sop.005.7.181019

Trust: 0.8

vendor: 起亜自動車, model: head unit, scope: eq, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-014034 // NVD: CVE-2020-8539

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-8539
value: HIGH

Trust: 1.0

NVD: CVE-2020-8539
value: HIGH

Trust: 0.8

CVSSV2

nvd@nist.gov: CVE-2020-8539
severity: MEDIUM
baseScore: 4.6
vectorString: AV:L/AC:L/AU:N/C:P/I:P/A:P
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 3.9
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2020-8539
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2020-8539
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-014034 // NVD: CVE-2020-8539

PROBLEMTYPE DATA

problemtype: CWE-276

Trust: 1.0

problemtype: Inappropriate default permissions (CWE-276) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-014034 // NVD: CVE-2020-8539

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202012-003

PATCH

title: Top Page, url: https://www.kia.com/kr/main.html

Trust: 0.8

sources: JVNDB: JVNDB-2020-014034

EXTERNAL IDS

db: NVD, id: CVE-2020-8539

Trust: 2.5

db: JVNDB, id: JVNDB-2020-014034

Trust: 0.8

db: CNNVD, id: CNNVD-202012-003

Trust: 0.6

db: OTHER, id: NONE

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-014034 // CNNVD: CNNVD-202012-003 // NVD: CVE-2020-8539

REFERENCES

url: https://gist.github.com/gianpyc/4dc8b0d0c29774a10a97785711e325c3

Trust: 2.4

url: https://sowhat.iit.cnr.it/pdf/iit-20-2020.pdf

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-8539

Trust: 1.4

url: https://ieeexplore.ieee.org/abstract/document/10769424

Trust: 0.1

sources: OTHER: None // JVNDB: JVNDB-2020-014034 // CNNVD: CNNVD-202012-003 // NVD: CVE-2020-8539

SOURCES

db: OTHER, id: -
db: JVNDB, id: JVNDB-2020-014034
db: CNNVD, id: CNNVD-202012-003
db: NVD, id: CVE-2020-8539

LAST UPDATE DATE

2025-01-30T20:01:45.258000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2020-014034, date: 2021-07-20T07:56:00
db: CNNVD, id: CNNVD-202012-003, date: 2020-12-03T00:00:00
db: NVD, id: CVE-2020-8539, date: 2024-11-21T05:38:59.640

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2020-014034, date: 2021-07-20T00:00:00
db: CNNVD, id: CNNVD-202012-003, date: 2020-12-01T00:00:00
db: NVD, id: CVE-2020-8539, date: 2020-12-01T18:15:12.323