November 8, 2024 at 12:53PM
Several vulnerabilities in the Mazda Connect infotainment system, affecting multiple models, allow attackers to execute arbitrary code and gain root access. The issues, including command injection and SQL injection flaws, remain unpatched. Exploitation requires physical access, but threats can arise in various contexts, posing significant risks to vehicle safety.
### Meeting Takeaways: Mazda Connect Infotainment Vulnerabilities
#### Summary of Issues
– Multiple vulnerabilities in the Mazda Connect infotainment unit can be exploited by attackers to execute arbitrary code with root permissions.
– The affected models include the Mazda 3 (2014-2021).
– The vulnerabilities remain unpatched, raising concerns about vehicle operation and safety.
#### Vulnerability Details
– **Affected Unit**: Mazda Connect Connectivity Master Unit from Visteon, originally developed by Johnson Controls.
– **Current Firmware Version**: 74.00.324A (no public vulnerabilities reported for this version).
#### Identified Vulnerabilities:
1. **CVE-2024-8355**: SQL Injection in DeviceManager – Allows database manipulation through malicious input from a spoofed Apple device.
2. **CVE-2024-8359**: Command Injection in REFLASH_DDU_FindFile – Permits execution of arbitrary commands through unsanitized file paths.
3. **CVE-2024-8360**: Command Injection in REFLASH_DDU_ExtractFile – Similar command execution capability via file path inputs.
4. **CVE-2024-8358**: Command Injection in UPDATES_ExtractFile – Allows command execution during the update process by embedding commands in file paths.
5. **CVE-2024-8357**: Missing Root of Trust in App SoC – Lacks security checks during the boot process, enabling sustained control after an attack.
6. **CVE-2024-8356**: Unsigned Code in VIP MCU – Enables the upload of unauthorized firmware, potentially granting control over vehicle subsystems.
#### Exploitability and Risks
– **Access Requirements**: Physical access to the infotainment system is necessary for exploitation.
– **Method of Attack**: An attacker can use a USB device to deploy an attack within minutes.
– **Potential Consequences**:
– Database manipulation
– Information disclosure
– Creation of arbitrary files
– Execution of arbitrary OS commands leading to system compromise
– Gaining persistence and executing code before the OS boots
– **Critical Risks**: Exploitation of CVE-2024-8356 can lead to access to connected vehicle systems, including ECUs for engine and brakes, posing significant safety risks.
#### Expert Statements
– Dmitry Janushkevich highlighted that unauthorized physical access can be obtained easily, particularly in settings like valet parking or vehicle service.
– The attack can be executed quickly (within minutes) and has the potential for severe outcomes, including denial of service or ransomware attacks.
### Action Items
– Develop and implement security patches for the identified vulnerabilities.
– Increase awareness of physical access risks in service and valet scenarios.
– Monitor for reports of potential exploits leveraging these vulnerabilities.