MidnightBSD

Advisories for kia

CVE-2020-8539 MEDIUM

Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-276,

Products Affected

Vendor Product Version
kia head_unit_firmware sop.003.30.18.0703
kia head_unit_firmware sop.007.1.191209
kia head_unit_firmware sop.005.7.181019
CVE-2022-37418

The Remote Keyless Entry (RKE) receiving unit on certain Nissan, Kia, and Hyundai vehicles through 2017 allows remote attackers to perform unlock operations and force a resynchronization after capturing two consecutive valid key fob signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H 1.2 5.2

Products Affected

Vendor Product Version
kia kia_firmware *
nissan nissan_firmware *
hyundai hyundai_firmware *