Vulnerability Details : CVE-2021-23908
An issue was discovered in the Headunit NTG6 in the MBUX Infotainment System on Mercedes-Benz vehicles through 2021. A type confusion issue affects MultiSvSetAttributes in the HiQnet Protocol, leading to remote code execution.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2021-23908
Probability of exploitation activity in the next 30 days: 2.94%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 91 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2021-23908
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
|
2.9
|
LOW | CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
0.4
|
2.5
|
MITRE |
|
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2021-23908
-
The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-23908
-
https://media.daimler.com/marsMediaSite/en/instance/ko.xhtml?oid=49946866
Collaboration of Mercedes-Benz and Tencent Security Keen Lab to strengthen car IT security - Daimler Global Media SiteThird Party Advisory
-
https://keenlab.tencent.com/en/2021/05/12/Tencent-Security-Keen-Lab-Experimental-Security-Assessment-on-Mercedes-Benz-Cars/
Tencent Security Keen Lab: Experimental Security Assessment of Mercedes-Benz Cars | Keen Security Lab BlogThird Party Advisory
-
https://keenlab.tencent.com/en/whitepapers/Mercedes_Benz_Security_Research_Report_Final.pdf
Exploit;Third Party Advisory
Products affected by CVE-2021-23908
- cpe:2.3:a:mercedes-benz:headunit_ntg6_mercedes-benz_user_experience:2021:*:*:*:*:*:*:*