ZF Roll Stability Support Plus (RSSPlus)
Monitor | 5.4 | ICS-CERT ICSA-25-021-03 | Jan 21, 2025
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary
ZF RSSPlus 2M brake control systems contain a weakness in J2497 powerline communication that allows unauthenticated diagnostic function calls. An attacker with RF equipment positioned near a vehicle can exploit this to impact brake system availability and integrity. The vulnerability affects RSSPlus builds dated from 01/08 through 01/23, with no vendor patch available. The issue stems from improper authentication in the diagnostic function implementation.
What this means
What could happen
An attacker within RF range could call diagnostic functions on ZF RSSPlus brake control systems without authentication, potentially disrupting vehicle braking availability or altering brake settings that affect driver safety and vehicle operation.
Who's at risk
Fleet operators and transport companies using ZF Roll Stability Support Plus (RSSPlus) on heavy-duty trucks, trailers, and tractors with J2497 powerline communication systems. Particularly relevant to trucking fleets, construction equipment operators, and agricultural tractor users relying on RSSPlus for brake stability and safety functions.
How it could be exploited
An attacker with RF equipment positioned near trucks or trailers using RSSPlus can send specially crafted J2497 diagnostic messages to the brake control unit. Since the diagnostic functions lack proper authentication, the unit accepts and executes the commands without verifying the sender's identity or authority.
Prerequisites
- RF equipment capable of transmitting on J2497 powerline communication frequencies
- Physical proximity to the target vehicle (adjacent/proximal range)
- No credentials required
- Target vehicle must be running RSSPlus builds dated between 01/08 and 01/23
- Vehicle must have J2497 diagnostic features enabled
- remotely exploitable via RF
- no authentication required
- affects safety-critical system (vehicle braking)
- no patch available
- low complexity attack
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: RSSPlus 2M: >=build_dates_01/08|<=build_dates_01/23
Affected Versions: ≥ build dates 01/08|≤ build dates 01/23
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Disable all J2497 diagnostic features on affected RSSPlus systems except LAMP ON detection for backward compatibility
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement LAMP ON firewall for each affected brake control ECU
- HARDENING: Implement dynamic address assignment on tractors to change addresses when unauthorized J2497 transmitters are detected
- HARDENING: Load LAMP keyhole signal on tractors to restrict which diagnostic messages are accepted
Mitigations - no patch available
RSSPlus 2M: >=build_dates_01/08|<=build_dates_01/23 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Migrate diagnostics to newer trailer bus technology instead of J2497 when acquiring new trailer equipment
- HARDENING: Remove support for J2497 messages other than LAMP messages on new tractor equipment
- HARDENING: Install LAMP detect circuit with LAMP ON sender on each trailer
- HARDENING: Deploy RF chokes between chassis ground and wiring ground on trailers to reduce RF susceptibility
CVEs (1)