Published: 2020/07/29  Last Updated: 2020/08/04

JVN#40400577
TOYOTA MOTOR's Global TechStream vulnerable to buffer overflow

Overview

TOYOTA MOTOR's Global TechStream (GTS) contains a buffer overflow vulnerability.

Products Affected

  • Global TechStream (GTS) for TOYOTA dealers version 15.10.032 and earlier

Description

Global TechStream (GTS) is a diagnostic tool that Toyota Motor Corporation provides for technicians at Toyota dealers.
Global TechStream (GTS) contains a buffer overflow vulnerability (CWE-121).

Impact

An attacker may execute arbitrary code or cause a denial of service (DoS) condition.

Solution

Update the Software
The developer states that an update fixing this vulnerability is available.

For the details, refer to [Vendor Status].

Vendor Status

Vendor: TOYOTA MOTOR CORPORATION
Link: TOYOTA diagnosis Tool Web Page (TOYOTA dealers only)

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Base Score: 4.1
  Attack Vector (AV): Physical (P)
  Attack Complexity (AC): Low (L)
  Privileges Required (PR): None (N)
  User Interaction (UI): Required (R)
  Scope (S): Unchanged (U)
  Confidentiality Impact (C): Low (L)
  Integrity Impact (I): Low (L)
  Availability Impact (A): Low (L)

CVSS v2: AV:L/AC:M/Au:N/C:P/I:P/A:P
Base Score: 4.4
  Access Vector (AV): Local (L)
  Access Complexity (AC): Medium (M)
  Authentication (Au): None (N)
  Confidentiality Impact (C): Partial (P)
  Integrity Impact (I): Partial (P)
  Availability Impact (A): Partial (P)

Credit

Tomoya Kitagawa of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-5610
JVN iPedia: JVNDB-2020-000049

Update History

2020/08/04
Fixed the information under the section [Description].