CVE-2023-29389
Last modified
CVE-2023-29389 is a medium-severity vulnerability rated 6.8/10 on the CVSS scale. Toyota RAV4 2021 vehicles automatically trust messages from other ECUs on a CAN bus, which allows physically proximate attackers to drive a vehicle by accessing the control CAN bus after pulling the bumper away and reaching the headlight connector, and then sending forged "Key is validated" messages via CAN Injection, as exploited in the wild in (for example) July 2022.. EPSS estimates a 0.66% chance of exploitation in the next 30 days.
Description
Toyota RAV4 2021 vehicles automatically trust messages from other ECUs on a CAN bus, which allows physically proximate attackers to drive a vehicle by accessing the control CAN bus after pulling the bumper away and reaching the headlight connector, and then sending forged "Key is validated" messages via CAN Injection, as exploited in the wild in (for example) July 2022.
Metrics
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Toyota | Rav4 Firmware | 2021 |
References
- https://kentindell.github.io/2023/04/03/can-injection/Exploit, Third Party Advisory
- https://news.ycombinator.com/item?id=35452963Issue Tracking
- https://kentindell.github.io/2023/04/03/can-injection/Exploit, Third Party Advisory
- https://news.ycombinator.com/item?id=35452963Issue Tracking
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-29389?
How severe is CVE-2023-29389?
How do I fix CVE-2023-29389?
Are you affected by CVE-2023-29389?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST