History: Aug 23, 2015 - 9:59 p.m.

CVE-2015-2906

2015-08-23 21:59:02
web.nvd.nist.gov
cve
mdi
obd-ii
dongles
firmware
vulnerability
metromile
pulse
ssh
keys
remote attackers
nvd

CVSS2: 9 High

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

AI Score: 6.8 Medium (Confidence: Low)

EPSS: 0.003 Low (Percentile: 68.1%)

Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers’ installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation.

Affected configurations

NVD
Node: mobile_devices c4_obd-ii_dongle_firmware, Range 3.4

CNA Affected

[
  {
    "product": "Mobile Devices (MDI) OBD-II dongles",
    "vendor": "Munic ",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.x",
        "versionType": "custom"
      },
      {
        "version": "0",
        "status": "affected",
        "lessThan": "3.4.x",
        "versionType": "custom"
      }
    ]
  }
]
