Exploitalert - Database of Exploits

Comma Openpilot Insecure Default Configuration

CVE	Category	Price	Severity
CVE-2021-38970	CWE-306	Not available	High

Author	Risk	Exploitation Type	Date
Felix von Leitner	High	Local	2022-06-05

CPE
cpe:cpe:/a:comma:openpilot:.*

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H	0.55415	0.9814

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	None	C	There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

https://cxsecurity.com/ascii/WLB-2022060015

Comma Openpilot Insecure Default Configuration

===== Intro ===== Comma is a company that makes open source driver assist technology for automobiles. Openpilot is the brains of the comma two device. You can choose to give your car a software upgrade to perform automated functions better. It utilizes or improves upon the experience of Adaptive Cruise Control, Automated Lane Centering, Forward Collision Warning and Lane Departure Warning while also adding Driver Monitoring as a safety feature. This competes with the likes of Tesla Autopilot and GM Super Cruise, except that its open source software. Openpilot deploys a bunch of local services written in Python to facilitate data going from the car to Comma devices and visa-versa. To get an in-depth view of how this works, refer to https://desosa.nl/projects/openpilot/2020/03/11/from-vision-to-architecture.html for a more complete explanation and design diagram. After evaluating and testing various local and remote attack vectors on the system, mostly around device permissions, hardening core processes and SSH access to the device, the product seemed pretty solid. A few security suggestions were shared with the dev team and changes were made by the dev team, see the Fixes section below for more details. ======= Details ======= See https://i.haxx.cc/2021/01/25/who-wants-to-drive/ for a full walkthrough. openpilot-scan.sh was created to check for devices on your local network that allow login with the default SSH key. -> https://packetstormsecurity.com/files/160735/Openpilot-Default-SSH-Key-Scanner.html ===== Fixes ===== - Device permissions -- https://github.com/commaai/openpilot/pull/21922/commits/56114a9db7360e8ab13393d1a5de83fde30e28da - Processes running as non-root -- "Openpilot can now mostly run as a non-privileged user" - SSH key -- "We removed the default SSH key in the latest NEOS update and SSH is now turned off by default. We require the user to turn this on manually now and can only be used with their public keys from their github." - Warning for URLs other than Openpilot official -- WONTFIX

Impressum