PT-2024-34516 · Kia · Kia Seltos
Nitinronge91 · Published 2024-11-22 · Updated 2025-01-13 · CVE-2024-51074
CVSS v3.1: 6.7 (Medium)
Vector: AV:P/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: KIA Seltos vehicle instrument cluster version 1.0
Description: The issue concerns incorrect access control in the KIA Seltos vehicle instrument cluster, allowing attackers to change odometer readings by targeting the instrument cluster through the unsecured CAN network. It is noted that the CAN bus is not externally exposed and the packets can only increase the odometer reading, which typically has no value to an adversary. The findings are disputed by the supplier due to the potentially unrealistic test environment and because the observed behavior follows the UDS specification.
Recommendations: For KIA Seltos vehicle instrument cluster version 1.0, consider restricting access to the instrument cluster to minimize the risk of exploitation. As a temporary workaround, disabling the ability to modify odometer readings through the CAN network may help until a more permanent solution is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Related Identifiers

CVE-2024-51074

Affected Products

Kia Seltos