Unpatched Mazda Connect bugs let hackers install persistent malware


Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including Mazda 3 (2014-2021), to execute arbitrary code with root permission.

The security issues remain unpatched and some of them are command injection flaws that could be leveraged to obtain unrestricted access to vehicle networks, potentially impacting the car’s operation and safety.

Vulnerability details

Researchers found the flaws in the Mazda Connect Connectivity Master Unit (CMU) from Visteon, with software initially developed by Johnson Controls. They analyzed the latest version of the firmware (74.00.324A), for which there are no publicly reported vulnerabilities.

The CMU has its own community of users that modify it to improve functionality (modding). However, installing the tweaks relies on software vulnerabilities.

In a report yesterday, Trend Micro’s Zero Day Initiative (ZDI) explains that the discovered problems vary from SQL injection and command injection to unsigned code:

  • CVE-2024-8355: SQL Injection in DeviceManager – Allows attackers to manipulate the database or execute code by inserting malicious input when connecting a spoofed Apple device.
  • CVE-2024-8359: Command Injection in REFLASH_DDU_FindFile – Lets attackers run arbitrary commands on the infotainment system by injecting commands into file path inputs.
  • CVE-2024-8360: Command Injection in REFLASH_DDU_ExtractFile – Similar to the previous flaw, it allows attackers to execute arbitrary OS commands through unsanitized file paths.
  • CVE-2024-8358: Command Injection in UPDATES_ExtractFile – Allows command execution by embedding commands in file paths used during the update process.
  • CVE-2024-8357: Missing Root of Trust in App SoC – Lacks security checks in the boot process, enabling attackers to maintain control over the infotainment system post-attack.
  • CVE-2024-8356: Unsigned Code in VIP MCU – Allows attackers to upload unauthorized firmware, potentially granting control over certain vehicle subsystems.
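Three of the six issues are command injection through file paths handed to the update and reflash routines, and one is SQL injection through identifiers a connected device announces. The following is an added illustration (not code from the advisory, from ZDI, or from the Mazda/Visteon firmware) of the two defensive patterns that close these classes of bug: an allow-list on file names combined with running the helper without a shell, and parameter binding for anything a peripheral reports. `UPDATE_ROOT`, the function names and the `devices` table are hypothetical.

```python
"""Added example: defensive handling of the two untrusted-input classes in the
advisory (file names reaching an OS command, device identifiers reaching SQL).
Hypothetical helpers; not Mazda, Visteon or ZDI code."""
from __future__ import annotations

import re
import sqlite3
import subprocess
from pathlib import Path
from typing import Optional

# Hypothetical mount point for an update medium (e.g. a USB stick).
UPDATE_ROOT = Path("/mnt/update")

# Allow-list for a bare file name: no separators, no traversal, no shell
# metacharacters. Allow-listing beats trying to enumerate ';', '$(' and friends.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_update_name(name: str) -> Path:
    """Return UPDATE_ROOT/name if `name` is an acceptable bare file name.

    fullmatch() is used on purpose: '$' in a pattern would still match before a
    trailing newline, fullmatch() requires the whole string to match.
    """
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected update file name: {name!r}")
    candidate = UPDATE_ROOT / name
    # Belt and braces: the resolved path must still sit directly under the root.
    if candidate.resolve().parent != UPDATE_ROOT.resolve():
        raise ValueError("path escapes update root")
    return candidate


def rejects_name(name: str) -> bool:
    """True if the validator refuses `name` (convenience for checks/tests)."""
    try:
        validate_update_name(name)
    except ValueError:
        return True
    return False


def find_update_file_argv(name: str) -> list[str]:
    """Build the argv for locating an update file WITHOUT a shell.

    Each element is a discrete argument; no shell ever parses the name, so the
    allow-list is defence in depth rather than the only line of defence.
    """
    path = validate_update_name(name)
    return ["find", str(UPDATE_ROOT), "-maxdepth", "1", "-name", path.name]


def locate_update_file(name: str) -> Optional[str]:
    """Run the find command with shell=False and return the first hit, if any."""
    result = subprocess.run(find_update_file_argv(name), capture_output=True,
                            text=True, check=False)
    lines = result.stdout.splitlines()
    return lines[0] if lines else None


def open_device_db() -> sqlite3.Connection:
    """In-memory stand-in for the device registry a head unit keeps."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT PRIMARY KEY, model TEXT)")
    return conn


def register_device(conn: sqlite3.Connection, serial: str, model: str) -> int:
    """Store identifiers a connected (possibly spoofed) device announced.

    Parameter binding keeps the values as data: a serial such as
    "X' OR '1'='1" is stored verbatim instead of changing the statement.
    Returns the number of registered devices.
    """
    conn.execute("INSERT OR REPLACE INTO devices (serial, model) VALUES (?, ?)",
                 (serial, model))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM devices").fetchone()[0]


def lookup_device(conn: sqlite3.Connection, serial: str) -> Optional[str]:
    """Look a device up by serial, again with a bound parameter."""
    row = conn.execute("SELECT model FROM devices WHERE serial = ?",
                       (serial,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(find_update_file_argv("firmware_74.00.324A.up"))
    db = open_device_db()
    register_device(db, "X' OR '1'='1", "spoofed")
    print(lookup_device(db, "X' OR '1'='1"))
```

The point of `find_update_file_argv` is that it stays safe even if the regex were loosened later: with `shell=False` the name is one argv element and never a command line. The same applies to the SQL side, where binding (`?`) rather than string formatting is what makes the spoofed serial inert.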

Exploitability and potential risks

Exploiting the six vulnerabilities above, though, requires physical access to the infotainment system.

Dmitry Janushkevich, senior vulnerability researcher at ZDI, explains that a threat actor could connect with a USB device and deploy the attack automatically within minutes.

Despite this limitation, the researcher notes that unauthorized physical access is easily obtainable, especially in valet parking and during service at workshops or at dealerships.

According to the report, compromising a car’s infotainment system using the disclosed vulnerabilities could allow database manipulation, information disclosure, creating arbitrary files, injecting arbitrary OS commands that could lead to full compromise of the system, gaining persistence, and executing arbitrary code before the operating system boots.

By exploiting CVE-2024-8356, a threat actor could install a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) and reach the vehicle’s electronic control units (ECUs) for the engine, brakes, transmission, or powertrain.

Janushkevich says that the attack chain takes just a few minutes, “from plugging in a USB drive to installing a crafted update,” in a controlled environment. However, a targeted attack could also compromise connected devices and lead to denial of service, bricking, or ransomware.

Update 11/18 – A Mazda spokesperson has sent BleepingComputer the following comment in regards to the above:

Mazda is aware of the vulnerabilities that are described in some articles. Although Mazda refrains from responding to specific measures and details, Mazda is continuing to develop technologies and implement countermeasures to remedy the vulnerabilities in the system in order to protect customer safety and assets. We refrain from responding to specifics about countermeasures.

It’s worth noting that an attack against this vulnerability requires a vehicle key (key FOB / remote transmitter), and in addition, this attack cannot be performed remotely. Therefore, we think the possibility of exploitation is extremely low.

We apologise for any inconvenience and concern caused to our customers by this. – Mazda spokesperson

Bill Toulas
