Vulnerability Details : CVE-2017-3217
CalAmp LMU 3030 series OBD-II CDMA and GSM devices have an SMS (text message) interface that can be deployed with no password configured for it by the integrator / reseller. This interface must be password protected; otherwise, the attacker only needs to know the phone number of the device (via an IMSI Catcher, for example) to send administrative commands to the device. These commands can be used to provide ongoing, real-time access to the device and can configure parameters such as IP addresses, firewall rules, and passwords.
Products affected by CVE-2017-3217
- cpe:2.3:o:calamp:lmu_3030_obd-ii_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:calamp:lmu_3030_cdma_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:calamp:lmu_3030_gsm_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-3217
- 0.21%: probability of exploitation activity in the next 30 days
- ~ 59%: percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-3217
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2017-3217
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
  Assigned by:
  - cret@cert.org (Secondary)
  - nvd@nist.gov (Primary)
References for CVE-2017-3217
- https://www.kb.cert.org/vuls/id/251927
  VU#251927 - CalAmp LMU-3030 devices may not authenticate SMS interface (Third Party Advisory; US Government Resource)
- https://www.securityfocus.com/bid/98964
  CalAmp LMU-3030 Devices CVE-2017-3217 Authentication Bypass Vulnerability (Third Party Advisory; VDB Entry)