CVE-2023-28899 - OpenCVE

By sending a specific reset UDS request via OBDII port of Skoda vehicles, it is possible to cause vehicle engine shutdown and denial of service of other vehicle components even when the vehicle is moving at a high speed. No safety critical functions affected.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Skoda-auto	Superb 3 Superb 3 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:skoda-auto:superb_3_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:skoda-auto:superb_3:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://asrg.io/security-advisories/cve-2023-28899

History

No history.

MITRE

Status: PUBLISHED

Assigner: ASRG

Published: 2024-01-12T16:32:07.082Z

Updated: 2024-08-02T13:51:39.129Z

Reserved: 2023-03-27T14:51:13.968Z

Link: CVE-2023-28899

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-12T17:15:09.000

Modified: 2024-01-22T19:52:12.817

Link: CVE-2023-28899

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28899", "assignerOrgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "state": "PUBLISHED", "assignerShortName": "ASRG", "dateReserved": "2023-03-27T14:51:13.968Z", "datePublished": "2024-01-12T16:32:07.082Z", "dateUpdated": "2024-08-02T13:51:39.129Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Superb III", "vendor": "\u0160koda", "versions": [{"lessThanOrEqual": "2022", "status": "affected", "version": "0", "versionType": "2.0 TDI"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Abdellah Benotsmane (PCAutomotive)"}, {"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Danila Parnishchev (PCAutomotive)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "By sending a specific reset UDS request via OBDII port of Skoda vehicles, it is possible to cause vehicle engine shutdown and denial of service of other vehicle components even when the vehicle is moving at a high speed. No safety critical functions affected. "}], "value": "By sending a specific reset UDS request via OBDII port of Skoda vehicles, it is possible to cause vehicle engine shutdown and denial of service of other vehicle components even when the vehicle is moving at a high speed. No safety critical functions affected.\u00a0"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "c15abc07-96a9-4d11-a503-5d621bfe42ba", "shortName": "ASRG", "dateUpdated": "2024-01-12T16:32:07.082Z"}, "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28899"}], "source": {"discovery": "EXTERNAL"}, "title": "Denial of Service via ECU reset service", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T13:51:39.129Z"}, "title": "CVE Program Container", "references": [{"url": "https://asrg.io/security-advisories/cve-2023-28899", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:skoda-auto:superb_3_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "A672066E-F623-4330-800B-C88631224BCC", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:skoda-auto:superb_3:-:*:*:*:*:*:*:*", "matchCriteriaId": "4459588C-A162-465D-BCC1-4719B657DBDD", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "By sending a specific reset UDS request via OBDII port of Skoda vehicles, it is possible to cause vehicle engine shutdown and denial of service of other vehicle components even when the vehicle is moving at a high speed. No safety critical functions affected.\u00a0"}, {"lang": "es", "value": "Al enviar una solicitud de reinicio UDS espec\u00edfica a trav\u00e9s del puerto OBDII de los veh\u00edculos Skoda, es posible provocar el apagado del motor del veh\u00edculo y la denegaci\u00f3n de servicio de otros componentes del veh\u00edculo incluso cuando el veh\u00edculo se mueve a alta velocidad. Ninguna funci\u00f3n cr\u00edtica de seguridad se ve afectada."}], "id": "CVE-2023-28899", "lastModified": "2024-01-22T19:52:12.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "cve@asrg.io", "type": "Secondary"}]}, "published": "2024-01-12T17:15:09.000", "references": [{"source": "cve@asrg.io", "tags": ["Third Party Advisory"], "url": "https://asrg.io/security-advisories/cve-2023-28899"}], "sourceIdentifier": "cve@asrg.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}