Lucene search

ZdiCVELIST:CVE-2023-32156

HistoryMay 03, 2024 - 1:56 a.m.

CVE-2023-32156 Tesla Model 3 Gateway Firmware Signature Validation Bypass Vulnerability

2024-05-0301:56:38

CWE-367

zdi

www.cve.org

tesla

model 3

gateway

firmware

signature validation

bypass

vulnerability

arbitrary code execution

network-adjacent attackers

privileged code

infotainment system

firmware updates

improper error-handling

gateway ecu

zdi-can-20734

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

28.8%

JSON

Tesla Model 3 Gateway Firmware Signature Validation Bypass Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Tesla Model 3 vehicles. An attacker must first obtain the ability to execute privileged code on the Tesla infotainment system in order to exploit this vulnerability.

The specific flaw exists within the handling of firmware updates. The issue results from improper error-handling during the update process. An attacker can leverage this vulnerability to execute code in the context of Tesla’s Gateway ECU.
. Was ZDI-CAN-20734.

CNA Affected

[
  {
    "vendor": "Tesla",
    "product": "Model 3",
    "versions": [
      {
        "version": "Model 3 - 2023.6",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

www.zerodayinitiative.com/advisories/ZDI-23-972/

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

28.8%

JSON

Related for CVELIST:CVE-2023-32156