PT-2017-13764 · Unspecified · Airbag Control Units

Published 2017-10-20 · Updated 2018-03-28 · CVE-2017-14937

CVSS v2.0: 1.9 (Low)

Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Airbag control units (aka pyrotechnical control units or PCUs) of unspecified passenger vehicles manufactured in 2014 or later

Description

The issue allows injury to passenger-car occupants via predictable Security Access (SA) data sent to the internal CAN bus. This occurs when the ignition is on and the speed is less than 6 km/h. The problem is attributed to there being only 256 possible key pairs and no rate limit on authentication attempts. Furthermore, an interpretation of the ISO 26021 standard may require the key to be calculable directly. Exploitation typically involves an attacker with access to the CAN bus sending a crafted Unified Diagnostic Service (UDS) message to detonate the pyrotechnical charges, posing passenger-injury risks similar to those of any airbag deployment.

Recommendations

For airbag control units of unspecified passenger vehicles manufactured in 2014 or later, consider implementing rate limiting on authentication attempts to the Security Access (SA) data as a temporary mitigation measure. Restrict access to the CAN bus to minimize the risk of exploitation. Avoid using the UDS message in the affected system until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
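The rate limit recommended above can be sketched as an ECU-side gate on Security Access key checks. This is an added example, not code from the advisory or from any vendor. The negative response codes are those of ISO 14229-1, while the function names, the attempt limit and the lockout time are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* UDS negative response codes (ISO 14229-1). */
#define NRC_INVALID_KEY            0x35
#define NRC_EXCEEDED_ATTEMPTS      0x36
#define NRC_TIME_DELAY_NOT_EXPIRED 0x37
#define SA_OK                      0x00   /* assumption: 0 means "key accepted" */

#define SA_MAX_ATTEMPTS 3u       /* assumed policy value */
#define SA_LOCKOUT_MS   10000u   /* assumed policy value */

/* Keep this state in non-volatile memory so a reset does not clear it. */
typedef struct {
    uint8_t  failed;        /* consecutive failed key attempts */
    bool     locked;        /* true while the delay timer is running */
    uint32_t locked_at_ms;  /* timestamp of the attempt that caused the lockout */
} sa_limiter_t;

/* Gate for a sendKey request. key_ok is the ECU's own comparison result. */
uint8_t sa_check_key(sa_limiter_t *s, bool key_ok, uint32_t now_ms)
{
    if (s->locked) {
        /* Unsigned subtraction stays correct across tick counter wrap. */
        if ((uint32_t)(now_ms - s->locked_at_ms) < SA_LOCKOUT_MS)
            return NRC_TIME_DELAY_NOT_EXPIRED;   /* even a correct key is refused */
        s->locked = false;
        s->failed = 0;
    }
    if (key_ok) { s->failed = 0; return SA_OK; }
    if (++s->failed >= SA_MAX_ATTEMPTS) {
        s->locked = true;
        s->locked_at_ms = now_ms;
        return NRC_EXCEEDED_ATTEMPTS;
    }
    return NRC_INVALID_KEY;
}

/* Lower bound on the time this policy forces before n_keys guesses can be made. */
uint32_t sa_min_exhaust_ms(uint32_t n_keys)
{
    return (n_keys / SA_MAX_ATTEMPTS) * SA_LOCKOUT_MS;
}

int main(void)
{
    printf("256 keys need at least %u ms\n", (unsigned)sa_min_exhaust_ms(256));
    return 0;
}
```

With these assumed values the 256-key space is still exhausted in under 15 minutes, which is why the limit is only a temporary mitigation and a larger key space or restricted bus access is still needed.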

Exploit

Use of a Broken Cryptographic Algorithm


Weakness Enumeration

Related Identifiers

CVE-2017-14937

Affected Products

Airbag Control Units