Unpatched Mazda Connect bugs let hackers install persistent malware

Jasper_The_Rasper · 2024-11-08T19:28:22+00:00

November 8, 2024 By Bill Toulas Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including Mazda 3 (2014-2021), to execute arbitrary code with root permission.The security issues remain unpatched and some of them are command injection flaws that could be leveraged to obtain unrestricted access to vehicle networks, potentially impacting the car's operation and safety.Vulnerability detailsResearchers found the flaws in the Mazda Connect Connectivity Master Unit from Visteon, with software initially developed by Johnson Controls. They analyzed the latest version of the firmware (74.00.324A), for which there are no publicly reported vulnerabilities.The CMU has its own community of users that modify it to improve functionality (modding). However, installing the tweaks relies on software vulnerabilities.In a report yesterday, Trend Micro's Zero Day Initiative (ZDI) explains that the discovered problems vary from SQL injection and command injection to unsigned code:CVE-2024-8355: SQL Injection in DeviceManager – Allows attackers to manipulate the database or execute code by inserting malicious input when connecting a spoofed Apple device. CVE-2024-8359: Command Injection in REFLASH_DDU_FindFile – Lets attackers run arbitrary commands on the infotainment system by injecting commands into file path inputs. CVE-2024-8360: Command Injection in REFLASH_DDU_ExtractFile – Similar to the previous flaw, it allows attackers to execute arbitrary OS commands through unsanitized file paths. CVE-2024-8358: Command Injection in UPDATES_ExtractFile – Allows command execution by embedding commands in file paths used during the update process. CVE-2024-8357: Missing Root of Trust in App SoC – Lacks security checks in the boot process, enabling attackers to maintain control over the infotainment system post-attack. CVE-2024-8356: Unsigned Code in VIP MCU – Allows attackers to upload unauthorized firmware, potentially granting control over certain vehicle subsystems. >>Full Article<<

5 months ago
November 8, 2024
0 replies
2 views

+54

Jasper_The_Rasper
Moderator
11635 replies

November 8, 2024 By Bill Toulas

Unpatched Mazda Connect bugs let hackers install persistent malware

Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including Mazda 3 (2014-2021), to execute arbitrary code with root permission.

The security issues remain unpatched and some of them are command injection flaws that could be leveraged to obtain unrestricted access to vehicle networks, potentially impacting the car's operation and safety.

Vulnerability details

Researchers found the flaws in the Mazda Connect Connectivity Master Unit from Visteon, with software initially developed by Johnson Controls. They analyzed the latest version of the firmware (74.00.324A), for which there are no publicly reported vulnerabilities.

The CMU has its own community of users that modify it to improve functionality (modding). However, installing the tweaks relies on software vulnerabilities.

In a report yesterday, Trend Micro's Zero Day Initiative (ZDI) explains that the discovered problems vary from SQL injection and command injection to unsigned code:

CVE-2024-8355: SQL Injection in DeviceManager – Allows attackers to manipulate the database or execute code by inserting malicious input when connecting a spoofed Apple device.
CVE-2024-8359: Command Injection in REFLASH_DDU_FindFile – Lets attackers run arbitrary commands on the infotainment system by injecting commands into file path inputs.
CVE-2024-8360: Command Injection in REFLASH_DDU_ExtractFile – Similar to the previous flaw, it allows attackers to execute arbitrary OS commands through unsanitized file paths.
CVE-2024-8358: Command Injection in UPDATES_ExtractFile – Allows command execution by embedding commands in file paths used during the update process.
CVE-2024-8357: Missing Root of Trust in App SoC – Lacks security checks in the boot process, enabling attackers to maintain control over the infotainment system post-attack.
CVE-2024-8356: Unsigned Code in VIP MCU – Allows attackers to upload unauthorized firmware, potentially granting control over certain vehicle subsystems.

>>Full Article<<

Be the first to reply!

Vulnerability details

Reply

Related Topics

How to Use Sidecar in MacOS Ventura

How to Setup and Use Security Keys in macOS Ventura

How to Use Voice Memos in macOS Ventura (including Skipping Silences)

How to Use Stage Manager in macOS Ventura

How to Upgrade from Older MacOS to MacOS Monterey (and Avoid Ventura)

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded