Published: 2020/07/29  Last Updated: 2020/10/08

JVN#40400577
TOYOTA MOTOR's Global TechStream vulnerable to buffer overflow

Overview

TOYOTA MOTOR's Global TechStream (GTS) contains a buffer overflow vulnerability.

Products Affected

  • Global TechStream (GTS) for TOYOTA dealers and independent repairers version 15.10.032 and earlier

Description

Global TechStream (GTS) is a diagnostic tool that Toyota Motor Corporation provides to Toyota dealer technicians and independent repairers.
Global TechStream (GTS) contains a buffer overflow vulnerability (CWE-121).

Impact

An attacker may execute arbitrary code or cause a denial of service (DoS) condition.

Solution

Update the Software
The developer states that an update fixing this vulnerability is available.

For the details, refer to [Vendor Status].

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score: 4.1
  • Attack Vector (AV): Physical (P)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): Low (L)

CVSS v2: AV:L/AC:M/Au:N/C:P/I:P/A:P
Base Score: 4.4
  • Access Vector (AV): Local (L)
  • Access Complexity (AC): Medium (M)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): Partial (P)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): Partial (P)

Credit

Tomoya Kitagawa of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-5610
JVN iPedia: JVNDB-2020-000049

Update History

2020/08/04
Fixed the information under the section [Description].
2020/10/08
Updated the information under the section [Products Affected], [Description], and [Vendor Status].