CVE-2023-26243 : An issue was discovered in the Hyundai Gen5W

An issue was discovered in the Hyundai Gen5W_L in-vehicle infotainment system AE_E_PE_EUR.S5W_L001.001.211214. The decryption binary used to decrypt firmware files has an information leak that allows an attacker to read the AES key and initialization vector from memory. An attacker may exploit this to create custom firmware that may be installed in the IVI system. Then, an attacker may be able to install a backdoor in the IVI system that may allow him to control it, if it is connected to the Internet through Wi-Fi.

Published 2023-04-27 01:15:08

Updated 2025-01-31 19:15:12

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-26243

Hyundai » Gen5w L In-vehicle Infotainment System Firmware » Version: 5w.xxx.s5w L.001.001.221129
cpe:2.3:o:hyundai:gen5w_l_in-vehicle_infotainment_system_firmware:5w.xxx.s5w_l.001.001.221129:*:*:*:*:*:*:*
Matching versions
When used together with: Hyundai » Gen5w L In-vehicle Infotainment System » Version: N/A
Hyundai » Gen5w L In-vehicle Infotainment System Firmware » Version: Ae E Pe Eur.s5w L001.001.211214
cpe:2.3:o:hyundai:gen5w_l_in-vehicle_infotainment_system_firmware:ae_e_pe_eur.s5w_l001.001.211214:*:*:*:*:*:*:*
Matching versions
When used together with: Hyundai » Gen5w L In-vehicle Infotainment System » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-26243

EPSS FAQ

0.05%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 13 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-26243

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-31
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-26243

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-26243

https://sowhat.iit.cnr.it:8443/can-work/chimaera/-/blob/main/Report/IIT-01-2023.pdf

Report/IIT-01-2023.pdf · main · Can Work / CHIMAERA · GitLab
Exploit;Third Party Advisory

CVEs referencing this url
https://sowhat.iit.cnr.it:8443/can-work/chimaera

Can Work / CHIMAERA · GitLab
Exploit;Third Party Advisory

CVEs referencing this url
https://sowhat.iit.cnr.it

sowhat | Security Of the Way to Handle Automotive sysTems
Not Applicable

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-26243

Products affected by CVE-2023-26243

Exploit prediction scoring system (EPSS) score for CVE-2023-26243

CVSS scores for CVE-2023-26243

CWE ids for CVE-2023-26243

References for CVE-2023-26243