PT-2018-10759 · Vendors: HTC, Volkswagen · Products: HTC Customer-Link Bridge, Volkswagen Customer-Link App

Aaron Luo +1 · Published 2018-02-27 · Updated 2020-08-28 · CVE-2018-1170

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Volkswagen Customer-Link App version 1.30; HTC Customer-Link Bridge (affected versions not specified).

Description: This issue allows adjacent attackers (an attacker on the same network segment as the device, as the AV:A vector indicates) to inject arbitrary Controller Area Network (CAN) messages on vulnerable installations. Authentication is not required to exploit this issue. The specific flaw exists within the Customer-Link App and Customer-Link Bridge, which lack a proper protection mechanism against unauthorized firmware updates. An attacker who can deliver an unauthorized update can leverage this to inject CAN messages.

Recommendations: For Volkswagen Customer-Link App version 1.30, update the protection mechanism so that only authorized firmware updates are accepted. For the HTC Customer-Link Bridge, implement proper protection against unauthorized firmware updates (in practice, verifying a cryptographic signature over the image against a key pinned on the device before it is flashed, and refusing downgrades to older signed images) so that firmware cannot be replaced to inject CAN messages. As a temporary workaround, restrict access to the firmware update mechanism in both the Customer-Link App and the Customer-Link Bridge until a proper fix is available; since the attack vector is adjacent, this means limiting which hosts can reach the update channel at all.
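The weakness described above is the absence of a check between "an update arrived" and "the update is flashed". The following Go program is an added illustration, not code from HTC, Volkswagen or the advisory's authors, and the package layout it parses (a "CLB1" magic, version, length, payload and trailing Ed25519 signature) is an assumption made for the example; the advisory does not describe the real Customer-Link Bridge update format. It puts the vulnerable path (ApplyUnverified, which flashes anything that is well framed) beside the hardened path (ApplyVerified, which checks the signature against a pinned vendor key and rejects downgrades) and runs both against constructed packages: a genuine release, the same release with an attacker-rewritten payload, a package signed with the attacker's own key, and an older genuine release replayed as a downgrade.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical package layout, for this illustration only (the advisory does not describe the
// real format): magic(4)="CLB1" | version(4,BE) | length(4,BE) | payload | sig(64), where sig is
// an Ed25519 signature over every byte before it.
const magic, hdrLen, sigLen = "CLB1", 12, ed25519.SignatureSize

var ErrFormat = errors.New("malformed update package")
var ErrSig = errors.New("signature verification failed")
var ErrRollback = errors.New("version is not newer than installed firmware")

type Device struct {
	VendorPub ed25519.PublicKey // assumed pinned in ROM at manufacturing
	Version   uint32
	Firmware  []byte
}

// split checks framing only; framing checks are not a protection mechanism.
func split(pkg []byte) (payload []byte, version uint32, sig []byte, err error) {
	if len(pkg) < hdrLen+sigLen || string(pkg[:4]) != magic ||
		int(binary.BigEndian.Uint32(pkg[8:12])) != len(pkg)-hdrLen-sigLen {
		return nil, 0, nil, ErrFormat
	}
	n := len(pkg) - hdrLen - sigLen
	return pkg[hdrLen : hdrLen+n], binary.BigEndian.Uint32(pkg[4:8]), pkg[hdrLen+n:], nil
}

// ApplyUnverified is the failure mode the advisory describes: any well-framed package is
// flashed, so whoever can reach the update channel chooses the code that drives the CAN bus.
func (d *Device) ApplyUnverified(pkg []byte) error {
	payload, version, _, err := split(pkg)
	if err != nil {
		return err
	}
	d.Version, d.Firmware = version, payload
	return nil
}

// ApplyVerified is the hardened path: check the signature against the pinned vendor key
// before trusting any field, then refuse downgrades.
func (d *Device) ApplyVerified(pkg []byte) error {
	payload, version, sig, err := split(pkg)
	if err != nil {
		return err
	}
	if !ed25519.Verify(d.VendorPub, pkg[:hdrLen+len(payload)], sig) {
		return ErrSig
	}
	if version <= d.Version {
		return ErrRollback
	}
	d.Version, d.Firmware = version, payload
	return nil
}

// BuildPackage is the vendor-side signer; the private key stays in the release pipeline.
func BuildPackage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var b bytes.Buffer
	b.WriteString(magic)
	binary.Write(&b, binary.BigEndian, version)
	binary.Write(&b, binary.BigEndian, uint32(len(payload)))
	b.Write(payload)
	b.Write(ed25519.Sign(priv, b.Bytes()))
	return b.Bytes()
}

type Outcome struct {
	UnverifiedFlashedAttackerImage          bool
	Genuine, Tampered, ForeignKey, Rollback error
}

// Scenario runs both paths against four constructed packages and reports what happened.
func Scenario() Outcome {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor key pair (constructed)
	good := []byte("fw v2: forward only allow-listed CAN IDs")
	evil := make([]byte, len(good)) // same length, so the tampered package keeps valid framing
	copy(evil, "fw v2: forward attacker CAN frames")
	genuine := BuildPackage(priv, 2, good)
	tampered := append([]byte(nil), genuine...) // attacker rewrites the payload but cannot re-sign
	copy(tampered[hdrLen:], evil)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := BuildPackage(attackerPriv, 3, evil) // signed, but with the attacker's own key
	old := BuildPackage(priv, 1, []byte("fw v1"))  // genuine but older: a downgrade attempt
	weak := &Device{VendorPub: pub, Version: 1}
	_ = weak.ApplyUnverified(tampered)
	dev := &Device{VendorPub: pub, Version: 1}
	o := Outcome{UnverifiedFlashedAttackerImage: bytes.Equal(weak.Firmware, evil)}
	o.Tampered = dev.ApplyVerified(tampered)
	o.ForeignKey = dev.ApplyVerified(foreign)
	o.Genuine = dev.ApplyVerified(genuine) // accepted; device is now at version 2
	o.Rollback = dev.ApplyVerified(old)
	return o
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Two design points matter more than the specific format. First, the signature is verified over the header as well as the payload, so the version field used for the rollback decision is itself authenticated; a check on an unsigned version field would let an attacker bypass anti-rollback by editing it. Second, the device accepts only signatures from the key it was manufactured with, which is why the "foreign key" package fails even though it carries a perfectly valid Ed25519 signature: being signed is not the same as being authorized.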

Weakness Enumeration

Protection Mechanism Failure (CWE-693)

Related Identifiers

CVE-2018-1170
ZDI-18-214

Affected Products

HTC Customer-Link Bridge
Volkswagen Customer-Link App