Cyber Resilience

CVE-2023-3028

High

Published: 01 June 2023

Published
01 June 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
EPSS Score 0.0006 18.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-3028 is a high-severity Improper Authentication (CWE-287) vulnerability in Hopechart Hqt401 Firmware. Its CVSS base score is 8.6 (High).

Operationally, ranked at the 18.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Insufficient authentication in the MQTT backend (broker) allows an attacker to access and even manipulate the telemetry data of the entire fleet of vehicles using the HopeChart HQT-401 telematics unit. Other models are possibly affected too. Multiple vulnerabilities were identified:…

more

- The MQTT backend does not require authentication, allowing unauthorized connections from an attacker. - The vehicles publish their telemetry data (e.g. GPS Location, speed, odometer, fuel, etc) as messages in public topics. The backend also sends commands to the vehicles as MQTT posts in public topics. As a result, an attacker can access the confidential data of the entire fleet that is managed by the backend. - The MQTT messages sent by the vehicles or the backend are not encrypted or authenticated. An attacker can create and post messages to impersonate a vehicle or the backend. The attacker could then, for example, send incorrect information to the backend about the vehicle's location. - The backend can inject data into a vehicle´s CAN bus by sending a specific MQTT message on a public topic. Because these messages are not authenticated or encrypted, an attacker could impersonate the backend, create a fake message and inject CAN data in any vehicle managed by the backend. The confirmed version is 201808021036, however further versions have been also identified as potentially impacted.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

hopechart
hqt401 firmware
201808021036

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-287 CWE-319

Training on authentication mechanisms and best practices decreases the occurrence of improper authentication.

addresses: CWE-287 CWE-319

Mandating documentation of security requirements for exchanges includes specifying and enforcing authentication mechanisms between systems.

addresses: CWE-287 CWE-319

Implementation guidance and monitoring requirements force proper authentication mechanisms for VoIP endpoints and sessions.

addresses: CWE-319 CWE-287

Mandates cryptographic protection of the wireless medium, eliminating cleartext transmission of sensitive information over the air.

addresses: CWE-287

Detects unauthorized successful logons resulting from improper authentication implementations.

addresses: CWE-287

Documented procedures ensure personnel are trained on authentication mechanisms, tangibly lowering the risk of improper authentication being exploited.

addresses: CWE-287

Security awareness training instructs users on secure authentication practices and avoiding credential compromise.

addresses: CWE-287

Non-repudiation requires strong authentication mechanisms to irrefutably attribute performed actions to specific individuals or processes.

References