CVE-2022-37305 : The Remote Keyless Entry (RKE) receiving unit on certain Honda vehicles through

The Remote Keyless Entry (RKE) receiving unit on certain Honda vehicles through 2018 allows remote attackers to perform unlock operations and force a resynchronization after capturing five consecutive valid RKE signals over the radio, aka a RollBack attack. The attacker retains the ability to unlock indefinitely.

Published 2022-08-24 06:15:08

Updated 2022-08-31 15:45:35

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2022-37305

Honda » Honda Firmware
Versions up to, including, (<=) 2018
cpe:2.3:o:honda:honda_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Honda » Honda » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2022-37305

EPSS FAQ

0.44%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 60 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-37305

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.4	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H	1.2	5.2	NIST
Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2022-37305

CWE-294 Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-37305

https://hackaday.com/2022/08/17/rollback-breaks-into-your-car/

RollBack Breaks Into Your Car | Hackaday
Exploit;Third Party Advisory

CVEs referencing this url
https://www.youtube.com/playlist?list=PLYodcy84oQL1gxwiuRm13xRXxTQL9cO5t

Before you continue to YouTube
Exploit;Third Party Advisory

CVEs referencing this url
https://www.blackhat.com/us-22/briefings/schedule/#rollback---a-new-time-agnostic-replay-attack-against-the-automotive-remote-keyless-entry-systems-27185

RollBack - A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems - Black Hat USA 2022 | Briefings Schedule
Exploit;Third Party Advisory

CVEs referencing this url
https://www.pcmag.com/news/is-your-car-key-fob-vulnerable-to-this-simple-replay-attack

Is Your Car Key Fob Vulnerable to This Simple Replay Attack? | PCMag
Press/Media Coverage;Third Party Advisory

CVEs referencing this url
https://medium.com/codex/rollback-a-new-time-agnostic-replay-attack-against-the-automotive-remote-keyless-entry-systems-df5f99ba9490

RollBack - A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems | by cs.lev | Medium | CodeX
Exploit;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-37305

Products affected by CVE-2022-37305

Exploit prediction scoring system (EPSS) score for CVE-2022-37305

CVSS scores for CVE-2022-37305

CWE ids for CVE-2022-37305

References for CVE-2022-37305