淮海能源车,绿色出行新潮流,引领未来出行革命
随着全球气候变化和环境问题日益严重,绿色出行成为全球共识。我国政府高度重视新能源汽车产业的发展,将其作为国家战略。淮海能源车作为新...
文章目录
[+]
IT之家 1 月 11 日新闻,平安公司 Nozomi 本周二宣布申报,称具备联网功效的扳手存在 23 个破绽,在观点验证中可以安装打单软件,导致扳手无法使用。
申报中涉及的扳手为博世力士乐手持式螺母拧紧器 NXA015S-36V-B,普遍利用于汽车制作行业,在正常事情的环境下,该扳手可以让工人快速将螺栓拧紧到特定的松紧度。
(图片来源网络,侵删)
研讨职员写道:
这些破绽可以在装备上植入打单软件,从而导致临盆线歇工,并可能给资产所有者造成年夜范围经济损失。 另一种应用方式可以让威逼者在把持板载显示屏时挟制拧紧法式,对正在组装的产物造成难以察觉的毁坏,或使其无法平安使用。
在论文中,研讨职员得到了扳手的 root 权限,并安装了他们创造的一种名为“DR1LLCRYPT”的打单软件。
研讨职员表现:
这些联网扳手一旦被入侵,当地操作员就无法使用相关按钮,并且我们有才能让联网扳手完全无法运行。 我们可以转变图形用户界面(GUI),在屏幕上显示随意率性信息,要求付出赎金。鉴于这种进击很容易在浩繁装备上实现主动化,进击者可以敏捷使临盆线上的所有对象瘫痪,从而可能对终极资产所有者造成重年夜破坏。
IT之家附上破绽列表如下:
CVE IDCWECVSS v3.1 Base ScoreCVSS v3.1 VectorCVE-2023-48252Improper Authorization (CWE-285)8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HCVE-2023-48253Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HCVE-2023-48243Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)8.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HCVE-2023-48250Use of Hard-coded Credentials (CWE-798)8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-48251Use of Hard-coded Credentials (CWE-798)8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-48262Stack-based Buffer Overflow (CWE-121)8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-48263Heap-based Buffer Overflow (CWE-122)8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-48264Stack-based Buffer Overflow (CWE-121)8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-48265Stack-based Buffer Overflow (CWE-121)8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-48266Stack-based Buffer Overflow (CWE-121)8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-48257Use of Weak Credentials (CWE-1391)7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HCVE-2023-48242Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NCVE-2023-48245Missing Authorization (CWE-862)6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:LCVE-2023-48246Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NCVE-2023-48249Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NCVE-2023-48255Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)6.3CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LCVE-2023-48248Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)5.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:LCVE-2023-48258Cross-Site Request Forgery (CSRF) (CWE-352)5.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HCVE-2023-48244Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)5.3CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LCVE-2023-48247Missing Authorization (CWE-862)5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NCVE-2023-48254Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)5.3CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LCVE-2023-48256Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') (CWE-113)5.3CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LCVE-2023-48259Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NCVE-2023-48260Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NCVE-2023-48261Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
