CVE-2017-6052 - OpenCVE

A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints.

No CVSS v3.1

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Adjacent Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:A/AC:M/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Hyundaiusa	Blue Link

Configuration 1 [-]

OR	cpe:2.3:a:hyundaiusa:blue_link:3.9.4:::::::*
	cpe:2.3:a:hyundaiusa:blue_link:3.9.5:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/98033	Third Party Advisory VDB Entry
https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed	Third Party Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-115-03	Third Party Advisory US Government Resource

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: icscert

Published: 2017-04-26T14:00:00

Updated: 2017-04-27T09:57:01

Reserved: 2017-02-16T00:00:00

Link: CVE-2017-6052

JSON object: View

NVD Information

Status : Modified

Published: 2017-04-26T14:59:00.160

Modified: 2019-10-09T23:28:38.793

Link: CVE-2017-6052

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Hyundai Motor America Blue Link", "vendor": "n/a", "versions": [{"status": "affected", "version": "Hyundai Motor America Blue Link"}]}], "datePublic": "2017-04-26T00:00:00", "descriptions": [{"lang": "en", "value": "A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-300", "description": "CWE-300", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-04-27T09:57:01", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-03"}, {"name": "98033", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/98033"}, {"tags": ["x_refsource_MISC"], "url": "https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2017-6052", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Hyundai Motor America Blue Link", "version": {"version_data": [{"version_value": "Hyundai Motor America Blue Link"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-300"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-03", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-03"}, {"name": "98033", "refsource": "BID", "url": "http://www.securityfocus.com/bid/98033"}, {"name": "https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed", "refsource": "MISC", "url": "https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed"}]}}}}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2017-6052", "datePublished": "2017-04-26T14:00:00", "dateReserved": "2017-02-16T00:00:00", "dateUpdated": "2017-04-27T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hyundaiusa:blue_link:3.9.4:*:*:*:*:*:*:*", "matchCriteriaId": "311E002C-207A-428E-984A-EF4D30E30654", "vulnerable": true}, {"criteria": "cpe:2.3:a:hyundaiusa:blue_link:3.9.5:*:*:*:*:*:*:*", "matchCriteriaId": "638386D0-BB98-4B19-9969-4D5E74C4FAE9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue Link 3.9.5 and 3.9.4. Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints."}, {"lang": "es", "value": "Vulnerabilidad de tipo man-in-the-middle descubierta en las versiones 3.9.5 y 3.9.4 de Blue Link de Hyundai Motor America. La vulnerabilidad se basa en que los extremos del canal de comunicaci\u00f3n no est\u00e1n autenticados, lo que permitir\u00eda a un atacante remoto interceptar o influir en las comunicaciones entre ambos extremos."}], "id": "CVE-2017-6052", "lastModified": "2019-10-09T23:28:38.793", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-26T14:59:00.160", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/98033"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory"], "url": "https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed"}, {"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-17-115-03"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-300"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}