Vulnerability Discovered in Automotive Product Security Platform Could Allow Remote Code Execution

February 26, 2024
VicOne

Security researchers at QAX StarV Security Lab and China Automotive Engineering Research Institute (CAERI) recently published an advisory on a vulnerability they discovered last year in Cybellum’s automotive product security platform. Designated with the identifier CVE-2023-42419, the vulnerability allows unauthorized access to the host system and retrieval of a private key for signing and encrypting shell scripts. These scripts, executed via an API call, are considered legitimate if signed with the compromised key, enabling remote code execution (RCE). 

The researchers found a function called execute_rce, but it turned out to be a legitimate API within the product. The vulnerability instead arises from the ease with which the encryption key (used for signing, encrypting, and decrypting uploaded files) can be obtained. With that key, malicious actors could potentially abuse this API to run arbitrary code or commands, that is, to carry out malicious RCE. The researchers reported the vulnerability to Cybellum in June 2023, and in a security update posted on Feb. 21, Cybellum said that it had implemented a permanent fix in version 2.28 of the affected software (its QCOW air-gapped distribution, exclusively deployed in China).
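The design issue described above, shown as a generic added example that is not code from Cybellum's product or from the researchers' advisory: when the key that signs scripts is readable on the host that verifies them, the signature check no longer separates approved scripts from unapproved ones, whereas a host that stores only a public verification key does not have that problem. The HMAC-SHA256 and Ed25519 schemes and every name below are assumptions made for the illustration; the page does not say which algorithms the product uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// tag is the weak design's HMAC-SHA256 "signature": signer and verifier share one key.
func tag(key, script []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(script)
	return m.Sum(nil)
}

// AcceptWeak is the host-side check when the signing key itself is stored on the host.
func AcceptWeak(hostKey, script, sig []byte) bool {
	return hmac.Equal(tag(hostKey, script), sig)
}

// AcceptHardened is the host-side check when the host stores only a public key.
func AcceptHardened(hostPub ed25519.PublicKey, script, sig []byte) bool {
	return ed25519.Verify(hostPub, script, sig)
}

// Demo reports whether each design accepts a script signed with nothing but
// material readable on the host, and whether a vendor-signed script still passes.
func Demo() (weakForged, hardenedForged, hardenedVendor bool) {
	hostKey := make([]byte, 32)
	hostPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // vendorPriv stays off the host
	if _, rerr := rand.Read(hostKey); rerr != nil || err != nil {
		panic("key generation failed")
	}
	script := []byte("#!/bin/sh\necho constructed-sample\n") // constructed input
	// Weak design: whoever reads hostKey can mint a tag the host accepts.
	weakForged = AcceptWeak(hostKey, script, tag(hostKey, script))
	// Hardened design: hostPub cannot sign; a key built from host-readable data is rejected.
	otherPriv := ed25519.NewKeyFromSeed(hostKey)
	hardenedForged = AcceptHardened(hostPub, script, ed25519.Sign(otherPriv, script))
	hardenedVendor = AcceptHardened(hostPub, script, ed25519.Sign(vendorPriv, script))
	return
}

func main() {
	w, h, v := Demo()
	fmt.Println(w, h, v) // true false true
}
```

In the hardened variant the signing key would live in a separate signing service or HSM, so reading the host's file system yields nothing that can authorize a new script.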

Vulnerabilities that could lead to RCE were also recently identified in the IT industry, in the form of flaws in virtual private network (VPN) software products from Ivanti and in a remote desktop software product from ConnectWise. RCE represents a significant security threat as it enables attackers to gain control over remote systems, positioning it among the most critical security issues. 

The potential impact of such vulnerabilities underscores the importance of continuous quality control across the overall software life cycle, from the development phase to the operating phase:

  • Integration of automotive security and IT security. Automotive cybersecurity product vendors should have expertise in both the automotive and IT industries to ensure the delivery of secure products and cloud services. It is also important to assess whether vendors’ product and software development projects comply with automotive and IT-related standards such as ASPICE and ISO/IEC 27017.
  • Security response in action. Implementing a streamlined security incident handling process enables organizations to promptly activate relevant procedures for identifying, assessing, and addressing risks associated with security vulnerabilities across their products. This makes it easier for stakeholders to take relevant actions toward risk mitigation. 
  • Security at the forefront. As cybersecurity is continuously evolving, establishing a comprehensive security policy ensures that both existing employees and new hires can follow a shared policy, including cybersecurity management, cybersecurity plan guidelines, software security policy, continuous improvement programs, and continuous training programs. 
