Lucene search

ASRGCVE-2023-6073

HistoryNov 10, 2023 - 8:15 a.m.

CVE-2023-6073

2023-11-1008:15:08

CWE-20

CWE-284

ASRG

web.nvd.nist.gov

cve-2023-6073

dos attack

icas 3

ivi ecu

volkswagen id.3

vw group

rest api

CVSS3

6.3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

AI Score

6.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Attacker can perform a Denial of Service attack to crash the ICAS 3 IVI ECU in a Volkswagen ID.3 (and other vehicles of the VW Group with the same hardware) and spoof volume setting commands to irreversibly turn on audio volume to maximum via REST API calls.

Affected configurations

Nvd

Node

volkswagenid.3_firmwareRange<3.2

AND

volkswagenid.3Match-

VendorProductVersionCPE
volkswagenid.3_firmware*cpe:2.3:o:volkswagen:id.3_firmware:*:*:*:*:*:*:*:*
volkswagenid.3-cpe:2.3:h:volkswagen:id.3:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
volkswagen	id.3_firmware	*	cpe:2.3:o:volkswagen:id.3_firmware::::::::
volkswagen	id.3	-	cpe:2.3:h:volkswagen:id.3:-:::::::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "ICAS 3 IVI ECU"
    ],
    "product": "ID.3",
    "vendor": "Volkswagen",
    "versions": [
      {
        "lessThan": "3.2",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

asrg.io/cve-2023-6073-dos-and-control-of-volume-settings-for-vw-id-3-icas3-ivi-ecu/

CVSS3

6.3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

AI Score

6.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Related for CVE-2023-6073