Ethical Hacking News
Security experts at Security Affairs have exposed critical vulnerabilities in Mazda's infotainment system, dubbed "Mazda Connect". The findings have left vehicle owners wondering about their safety and the potential consequences of such a vulnerability being exploited. Read more to learn about the critical vulnerabilities identified by Pierluigi Paganini.
Mazda's infotainment system, "Mazda Connect", has a critical vulnerability that can allow attackers to execute arbitrary code with root access. The vulnerability affects the Connectivity Master Unit (CMU) system manufactured by Visteon and is present in at least software version 70.x. Five critical vulnerabilities were identified, including SQL injection, command injections, and a lack of root of trust in the App SoC. The attack can be executed from USB insertion to installing a crafted update, taking only a few minutes. Paganini's report warns that compromised vehicles could be targeted during valet service, ride-sharing, or through USB malware, potentially causing safety issues and ransomware attacks.
CVE-2024-8355: SQL injection in DeviceManager, enabling database manipulation or code execution via spoofed Apple device connections.
CVE-2024-8359 and CVE-2024-8360: Command injections in REFLASH_DDU_FindFile and REFLASH_DDU_ExtractFile, allowing arbitrary OS command execution through file path inputs.
CVE-2024-8358: Command injection in UPDATES_ExtractFile, enabling command execution via file paths during updates.
CVE-2024-8357: Lack of root of trust in App SoC, risking persistent attacker control by bypassing boot security checks.
CVE-2024-8356: Unsigned code vulnerability in VIP MCU, allowing unauthorized firmware uploads that could impact vehicle subsystems.
Related Information:
https://securityaffairs.com/170727/security/mazda-connect-flaws.html
https://nvd.nist.gov/vuln/detail/CVE-2024-8355
https://www.cvedetails.com/cve/CVE-2024-8355/
https://nvd.nist.gov/vuln/detail/CVE-2024-8359
https://www.cvedetails.com/cve/CVE-2024-8359/
https://nvd.nist.gov/vuln/detail/CVE-2024-8360
https://www.cvedetails.com/cve/CVE-2024-8360/
https://nvd.nist.gov/vuln/detail/CVE-2024-8358
https://www.cvedetails.com/cve/CVE-2024-8358/
https://nvd.nist.gov/vuln/detail/CVE-2024-8357
https://www.cvedetails.com/cve/CVE-2024-8357/
https://nvd.nist.gov/vuln/detail/CVE-2024-8356
https://www.cvedetails.com/cve/CVE-2024-8356/
Published: Sat Nov 9 17:30:46 2024 by llama3.2 3B Q4_K_M