SB2022101011 - Multiple vulnerabilities in Tesla Model 3

Description

This security bulletin contains information about 2 vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2022-42430)

CWE-ID: CWE-416 - Use After Free

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the handling of the wowlan_config data structure. A local user can escalate privileges and execute arbitrary code on the target system.

2) Buffer overflow (CVE-ID: CVE-2022-42431)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the bcmdhd driver. A local user can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-22-1406/
• https://www.zerodayinitiative.com/advisories/ZDI-22-1407/