SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-516896176] Hyundai Motor America Blue Link

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download App | SIS Signature |
|---|---|---|---|---|---|---|---|---|
| 2017-04-25 | Other | Hyundai Motor America | These vulnerabilities were discovered by Will Hatzer and Arjun Kumar working with Rapid7. | N/A | CVE-2017-6052, CVE-2017-6054 | N/A | N/A | N/A |

Source

#
# Hyundai Motor America Blue Link
#


### VULNERABLE VENDOR
Hyundai Motor America


### VULNERABLE PRODUCT
Blue Link



### RESEARCHER
These vulnerabilities were discovered by Will Hatzer and Arjun Kumar working with Rapid7.



### AFFECTED PRODUCTS

The following versions of Blue Link, a mobile application for Hyundai vehicle management, are affected:

Blue Link Version 3.9.5, and
Blue Link Version 3.9.4.



### IMPACT

Successful exploitation of these vulnerabilities may allow a remote attacker to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.
Rapid7, working with Hyundai Motor America, reports that it would be difficult to impossible to conduct this attack at scale, since an attacker would typically need to first subvert physically local networks or gain a privileged position on the network path from the app user to their service instance.



### VULNERABILITY OVERVIEW

MAN-IN-THE-MIDDLE CWE-300
Communication channel endpoints are not verified, which may allow a remote attacker to access or influence communications between the identified endpoints.
CVE-2017-6052 has been assigned to this vulnerability.
A CVSS v3 base score of 4.6 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).


USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321
The application uses a hard-coded decryption password to protect sensitive user information.
CVE-2017-6054 has been assigned to this vulnerability.
A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).





### BACKGROUND

Critical Infrastructure Sector(s): Transportation Systems
Countries/Areas Deployed: United States
Company Headquarters Location: Fountain Valley, California




### MITIGATION

Hyundai Motor America released Blue Link Version 3.9.6, a mandatory update to the application that mitigates the aforementioned vulnerabilities, on March 6, 2017, for Android devices and on March 8, 2017, for iOS devices.

Rapid7 has released a security advisory that can be found at https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed