Pierluigi Paganini November 09, 2024

Multiple vulnerabilities in the infotainment unit Mazda Connect could allow attackers to execute arbitrary code with root access.

Trend Micro’s Zero Day Initiative warned of multiple vulnerabilities in the Mazda Connect infotainment system that could allow attackers to execute code with root privileges. This occurs due to improper input sanitization in the Mazda Connect CMU, allowing attackers with physical access to exploit the system using a crafted USB device.

The vulnerabilities impact the Mazda Connect Connectivity Master Unit (CMU) system installed in multiple car models, including the Mazda 3 model year 2014-2021.

“Multiple vulnerabilities have been discovered in the Mazda Connect Connectivity Master Unit (CMU) system installed in multiple car models, such as the Mazda 3 model year 2014-2021. Like in so many cases, these vulnerabilities are caused by insufficient sanitization when handling attacker-supplied input.” reads the advisory. “A physically present attacker could exploit these vulnerabilities by connecting a specially crafted USB device – such as an iPod or mass storage device – to the target system. Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges.”

The research targeted a CMU unit manufactured by Visteon, with software initially developed by Johnson Controls Inc. (JCI). The study focused on the latest software version (74.00.324A), but experts believe that earlier versions (at least 70.x) may also be vulnerable. The CMU has an active modding community that uses software vulnerabilities to alter the unit’s operation, with various software tweaks released. As of the publication, no publicly known vulnerabilities have been identified in the latest firmware version.

Below are the vulnerabilities reported by ZDI:

• CVE-2024-8355: SQL injection in DeviceManager, enabling database manipulation or code execution via spoofed Apple device connections.
• CVE-2024-8359 and CVE-2024-8360: Command injections in REFLASH_DDU_FindFile and REFLASH_DDU_ExtractFile, allowing arbitrary OS command execution through file path inputs.
• CVE-2024-8358: Command injection in UPDATES_ExtractFile, enabling command execution via file paths during updates.
• CVE-2024-8357: Lack of root of trust in App SoC, risking persistent attacker control by bypassing boot security checks.
• CVE-2024-8356: Unsigned code vulnerability in VIP MCU, allowing unauthorized firmware uploads that could impact vehicle subsystems.

These vulnerabilities could enable attackers to gain control over or manipulate the infotainment system and potentially affect certain vehicle functions and safety.

These issues are unpatched, with some command injection flaws that could grant attackers unrestricted access to vehicle networks.

The researchers demonstrated in a lab environment that the attack, from USB insertion to installing a crafted update, takes only a few minutes. This quick compromise allows vehicles to be targeted during valet service, ride-sharing, or through USB malware. Once compromised, the CMU could be modified to target connected devices, potentially causing Denial of Service (DoS), device bricking, ransomware attacks, or even safety issues.

“The CMU can then be compromised and “enhanced” to, for example, attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mazda Connect)