CVE-2023-28911

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-28911

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

A

specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an arbitrary channel disconnection. An attacker can leverage this vulnerability to cause a denial-of-service attack for every connected client of the infotainment device. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources.

References
Link Resource
https://asrg.io/security-advisories/vulnerabilities-in-volkswagen-mib3-infotainment-part-2/
https://i.blackhat.com/EU-24/Presentations/EU-24-Parnishchev-OverTheAirVW.pdf
https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-vw-mib3-infotainment-2
Configurations

No configuration.

History

30 Jun 2025, 18:38

Type Values Removed Values Added
Summary
  • (es) Existe una falla específica en la pila Bluetooth del sistema de infoentretenimiento MIB3. El problema se debe a la falta de una validación adecuada de los datos proporcionados por el usuario, lo que puede provocar la desconexión arbitraria de un canal. Un atacante puede aprovechar esta vulnerabilidad para lanzar un ataque de denegación de servicio (DPS) a cada cliente conectado al dispositivo de infoentretenimiento. La vulnerabilidad se descubrió originalmente en el Skoda Superb III con unidad de infoentretenimiento MIB3 con número de pieza OEM 3V0035820. La lista de números de pieza OEM MIB3 afectados se proporciona en los recursos referenciados.

28 Jun 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-28 16:15

Updated : 2025-06-30 18:38

NVD link : CVE-2023-28911

Mitre link : CVE-2023-28911

CVE.ORG link : CVE-2023-28911

JSON object : View

Products Affected

No product.

CWE
CWE-20

Improper Input Validation