Fountain Valley, California-based Hyundai Motor America released a new version of its Blue Link application to mitigate a man-in-the-middle vulnerability and a use of hard-coded cryptographic key vulnerability, according to a report with ICS-CERT.
Successful exploitation of these vulnerabilities, discovered by Will Hatzer and Arjun Kumar working with Rapid7, could allow a remote attacker to gain access to insecurely transmitted sensitive information and use it to locate, unlock, and start a vehicle associated with the affected application.
The following versions of Blue Link, a mobile application for Hyundai vehicle management, suffer from the remotely exploitable issue:
• Blue Link Version 3.9.5
• Blue Link Version 3.9.4
Rapid7, working with Hyundai Motor America, said it would be difficult to impossible to conduct this attack at scale, since an attacker would typically first need to subvert physically local networks or gain a privileged position on the network path from the app user to their service instance.
No known public exploits specifically target these vulnerabilities. High skill level is needed to exploit.
For the man-in-the-middle vulnerability, communication channel endpoints are not verified, which could allow a remote attacker to access or influence communications between the identified endpoints.
CVE-2017-6052 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.6.
In addition, the application uses a hard-coded decryption password to protect sensitive user information.
CVE-2017-6054 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use in the transportation systems sector. It sees action mainly in the United States.
Hyundai Motor America released Blue Link Version 3.9.6, a mandatory update to the application that mitigates the vulnerabilities, on March 6 for Android devices and March 8 for iOS devices.