Researchers from Trend Micro’s Zero Day Initiative (ZDI) have discovered several zero-day vulnerabilities in a Mazda in-vehicle infotainment (IVI) system, specifically the Mazda Connect connectivity master unit (CMU) manufactured by Visteon and running the latest software version, 74.00.324A; the software was initially developed by Johnson Controls Inc.
Here’s an overview of the identified vulnerabilities:
- CVE-2024-8355: An SQL injection vulnerability caused by inadequate input validation, potentially allowing attackers to execute arbitrary SQL queries.
- CVE-2024-8359, CVE-2024-8360, and CVE-2024-8358: Command injection vulnerabilities resulting from insufficient sanitization of user-supplied paths and filenames, enabling unauthorized operating system (OS) command execution.
- CVE-2024-8357: Missing boot trust chain, where the application system on a chip (SoC) fails to verify the integrity of the boot process, leaving the system vulnerable to tampering.
- CVE-2024-8356: Lack of update package verification, as the verification IP microcontroller unit (VIP MCU) firmware does not enforce code signing on updates, allowing for the installation of unsigned firmware.
All six vulnerabilities remain unpatched and most can be exploited through a USB connection, providing attackers with root-level access to the device. This scenario poses a significant risk, as anyone with physical access to the vehicle’s IVI system could potentially exploit these vulnerabilities.
For details on how these vulnerabilities were uncovered, read the relevant blog entry by the ZDI.
SQL injection vulnerability in DeviceManager iAP
CVE-2024-8355, the first vulnerability discovered in the ZDI’s research, results from insufficient sanitization of data when handling the serial number of an Apple device. When an Apple device is connected to the IVI system, its serial number is retrieved via the interface accessory protocol (iAP) and used directly in SQL queries without proper sanitization, creating an injection point. An attacker can exploit this vulnerability by spoofing an Apple device and injecting arbitrary SQL commands through the iAP serial number, enabling database manipulation or code execution with root privileges.
Mitigations:
- Use parameterized queries instead of directly concatenating user input.
- Implement proper input validation to prevent the execution of malicious input.
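The two mitigations above, as an added illustration that is not Mazda or Visteon code: a string-built serial lookup of the kind CVE-2024-8355 describes, beside a hardened version that first checks the serial's shape and then binds it as a query parameter. The in-memory table, the sample serials and the serial-number pattern are constructed for the example (the exact length rule is an assumption).

```python
"""Parameterized query vs. string-built query for an iAP serial-number lookup.

Added example, not the CMU's own code. The table and serial format are constructed.
"""
import re
import sqlite3

# Assumed shape for an Apple-style serial: short, upper-case alphanumeric.
# A real check should use the format the accessory protocol actually guarantees.
SERIAL_RE = re.compile(r"^[A-Z0-9]{10,12}$")


def open_demo_db() -> sqlite3.Connection:
    """Constructed device table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?)",
        [("C02ABCDEF123", "owner-phone"), ("DNPXYZ123456", "guest-phone")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, serial: str) -> list:
    """Vulnerable pattern: the serial received from the accessory is spliced into
    the SQL text, so quote characters inside it change the query's structure."""
    query = f"SELECT name FROM devices WHERE serial = '{serial}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, serial: str) -> list:
    """Hardened pattern: reject anything not shaped like a serial, then pass the
    value as a bound parameter so the driver never interprets it as SQL."""
    if not SERIAL_RE.fullmatch(serial):
        raise ValueError("serial number has unexpected format")
    rows = conn.execute("SELECT name FROM devices WHERE serial = ?", (serial,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_demo_db()
    print(lookup_safe(db, "C02ABCDEF123"))   # ['owner-phone']
    try:
        lookup_safe(db, "' OR '1'='1")        # rejected before reaching the database
    except ValueError as exc:
        print("rejected:", exc)
```

The format check is a defence-in-depth layer: the parameter binding alone already removes the injection point, but rejecting malformed serials early keeps unexpected input out of logs and other code paths that may not be as careful.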
Command injection vulnerabilities
The command injection vulnerabilities — CVE-2024-8359, CVE-2024-8360, and CVE-2024-8358 — stem from improper handling of user-supplied input in multiple functions within the software update process:
- CVE-2024-8359 (ZDI-24-1191): REFLASH_DDU_FindFile Command Injection
- CVE-2024-8360 (ZDI-24-1192): REFLASH_DDU_ExtractFile Command Injection
- CVE-2024-8358 (ZDI-24-1190): UPDATES_ExtractFile Command Injection
All three share a common root cause: The affected functions format inputs such as file paths and filenames into command lines (for example with snprintf()) and hand them to command-line tools through system() without adequate sanitization. Because the shell interprets the resulting string, attackers can inject arbitrary OS commands, resulting in full system compromise.
Mitigations:
- Avoid using system calls with unsanitized input. Instead, rely on secure API functions to ensure safe command execution.
- Enforce strict input validation to ensure that user-supplied paths and filenames adhere to expected formats, blocking special characters or shell commands.
- Conduct comprehensive security reviews of all code paths related to software updates, especially those involving file operations.
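An added example, not Mazda or Visteon code, of the first two mitigations applied to an update-file extraction step: a builder that formats the filename into a shell command line (the snprintf()-plus-system() pattern behind the three CVEs) next to a builder that whitelists the filename, keeps the resolved path inside the update directory, and returns an argument vector to run without a shell. The update directory, the tool invoked and the filename pattern are assumptions for the demonstration.

```python
"""Safe construction of an update-file command.

Added example, not the CMU's own code. UPDATE_DIR, the use of tar and the
filename pattern are assumptions made for the demonstration.
"""
import os
import re
import subprocess

UPDATE_DIR = "/var/lib/cmu/updates"          # assumed location of staged packages
FILENAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # no '/', no spaces, no metacharacters


def build_command_unsafe(filename: str) -> str:
    """Vulnerable pattern (equivalent of snprintf() + system()): the untrusted
    name is formatted into one string that a shell will later parse, so any
    shell metacharacters in it become part of the command."""
    return f"tar -xf {UPDATE_DIR}/{filename} -C {UPDATE_DIR}/extracted"


def build_argv_safe(filename: str) -> list:
    """Hardened pattern: validate the name against a strict whitelist, refuse
    directory components, confirm the resolved path stays inside UPDATE_DIR,
    and return an argv list so no shell is involved at all."""
    if filename in (".", "..") or not FILENAME_RE.fullmatch(filename):
        raise ValueError("filename has unexpected characters")
    base = os.path.realpath(UPDATE_DIR)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(path) != base:
        raise ValueError("path escapes the update directory")
    return ["tar", "-xf", path, "-C", os.path.join(base, "extracted")]


def extract_update(filename: str) -> int:
    """Executes the extraction with an argument vector (shell=False) and returns
    the tool's exit status; the filename can no longer alter what is executed."""
    argv = build_argv_safe(filename)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    print(build_argv_safe("cmu_update.tar"))
    for bad in ("a;b", "../etc/shadow", ".."):
        try:
            build_argv_safe(bad)
        except ValueError as exc:
            print(f"{bad!r} rejected: {exc}")
```

The whitelist already excludes '/', so the realpath check is redundant for filenames; it is kept because the same function is the natural place to validate full paths, where symlinks inside the update directory could otherwise point elsewhere.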
Missing boot trust chain
CVE-2024-8357 points to the application SoC’s failure to verify the integrity of the bootstrap code during the boot process. This oversight allows attackers with code execution privileges to manipulate the boot process, gain persistent control, and tamper with system configurations.
Mitigations:
- Implement a secure boot mechanism that uses cryptographic verification to validate the bootstrap code and all subsequent stages of the boot process.
- Utilize a hardware-based root of trust to prevent unauthorized code execution throughout the boot sequence.
Lack of update package verification
CVE-2024-8356 refers to the VIP MCU’s failure to enforce code signing for firmware updates. This allows attackers to upload modified firmware, potentially compromising vehicle safety by granting unauthorized control over the CAN bus network.
Mitigations:
- Enforce mandatory code signing for all firmware updates on the VIP MCU.
- Integrate cryptographic signature verification into the update process to ensure that only authenticated updates are applied.
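A toy model, added here and not Mazda or Visteon code, of the checks the last two sections call for: a boot sequence in which each stage is verified against an immutable root-of-trust key before control passes to it (the check CVE-2024-8357 says the application SoC lacks), and an update installer that accepts a VIP MCU package only if its signature verifies and it does not roll back the version (the check CVE-2024-8356 says is missing). HMAC-SHA256 with a device-held key stands in for the asymmetric signature a real root of trust would verify with an embedded public key; the structure of the checks is the same, but with a real signature scheme the device never holds the signing key. Key, stage names and payloads are constructed.

```python
"""Toy verified-boot chain and signed-update check.

Added illustration, not the CMU's or VIP MCU's code. HMAC stands in for an
asymmetric signature (ECDSA/Ed25519 in a real design); all values are constructed.
"""
import hashlib
import hmac

# Constructed anchor. In hardware this lives in ROM/OTP and cannot be rewritten;
# with a real signature scheme only the public half would be stored here.
ROOT_OF_TRUST_KEY = b"constructed-example-root-key"


def sign_image(slot: str, payload: bytes) -> bytes:
    """Build-server side. The slot name is bound into the signature so a valid
    image cannot be replayed into a different stage or as an update package."""
    msg = slot.encode() + b"\0" + payload
    return hmac.new(ROOT_OF_TRUST_KEY, msg, hashlib.sha256).digest()


def verify_image(slot: str, payload: bytes, sig: bytes) -> bool:
    """Device side; constant-time comparison against the recomputed tag."""
    return hmac.compare_digest(sign_image(slot, payload), sig)


def make_stage(name: str, payload: bytes) -> dict:
    return {"name": name, "payload": payload, "sig": sign_image(name, payload)}


def verify_boot_chain(stages: list) -> list:
    """Each stage is checked before control transfers to it. Returns the names
    of the stages allowed to run; stops at the first failure, where a real SoC
    would halt or fall back to recovery instead of continuing the boot."""
    booted = []
    for stage in stages:
        if not verify_image(stage["name"], stage["payload"], stage["sig"]):
            break
        booted.append(stage["name"])
    return booted


def make_update(version: int, firmware: bytes) -> dict:
    header = version.to_bytes(4, "big")
    return {"version": version, "firmware": firmware,
            "sig": sign_image("vip-update", header + firmware)}


def apply_update(pkg: dict, installed_version: int) -> tuple:
    """Installer check: signature over version and firmware must verify, and the
    package must not downgrade the device (anti-rollback)."""
    header = pkg["version"].to_bytes(4, "big")
    if not verify_image("vip-update", header + pkg["firmware"], pkg["sig"]):
        return False, "rejected: signature invalid"
    if pkg["version"] < installed_version:
        return False, "rejected: rollback"
    return True, f"installed version {pkg['version']}"


def modify_without_resigning(image: dict, new_payload: bytes) -> dict:
    """Models a change made without the signing key: payload differs, signature stays."""
    return {**image, "payload": new_payload}


if __name__ == "__main__":
    chain = [make_stage("bootloader", b"bl-code"),
             make_stage("kernel", b"kernel-code"),
             make_stage("rootfs", b"rootfs-image")]
    print(verify_boot_chain(chain))                  # all three stages run
    chain[1] = modify_without_resigning(chain[1], b"patched-kernel")
    print(verify_boot_chain(chain))                  # boot stops after 'bootloader'
    pkg = make_update(2, b"vip-firmware")
    print(apply_update(pkg, installed_version=1))    # accepted
    print(apply_update({**pkg, "firmware": b"other"}, 1))  # signature invalid
```

Binding the slot name into the signed message is the detail most often missed in toy versions: without it, any correctly signed image (an old bootloader, a debug build) could be fed to the update path or placed into another stage and still pass verification.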
Security best practices
The ZDI reported these vulnerabilities to Visteon, notifying the vendor of their planned publication as zero-day vulnerabilities in line with the ZDI’s disclosure policy, which allows for disclosure if no response is received within a specified time frame.
The recommended best practices below are not solely intended to address vulnerabilities but should be integrated into the software development processes of both Tier 1 suppliers and automotive manufacturers (OEMs) to strengthen their cybersecurity stance:
- Implement secure coding practices. Use input sanitization and parameterized queries to prevent injection attacks, and avoid directly invoking system calls with user-supplied input.
- Strengthen the software update process. Enforce cryptographic verification for all update packages and require code signing for firmware components to prevent unauthorized modifications.
- Enhance boot security. Introduce a secure boot process with a root of trust to verify the integrity of all boot stages, ensuring that only authenticated code is loaded.
- Conduct regular security audits. Perform comprehensive security assessments of both hardware and software components, including code reviews and penetration testing, to identify and mitigate vulnerabilities.
- Gather intelligence from modding communities. Monitor car modding forums and communities to detect common vulnerabilities and potential exploits. Proactively gathering intelligence can help address emerging threats and improve mitigation strategies.
- Establish a bug bounty program. Launch a formal bug bounty program to encourage independent security researchers to report vulnerabilities. This proactive approach can help identify and resolve security issues before they can be exploited in the wild.
Conclusion
These vulnerabilities demonstrate that even well-established automotive products can contain critical flaws resulting from programming errors and fundamental design oversights. Prioritizing secure development practices, implementing robust input validation, and enforcing comprehensive update verification are essential to maintaining the integrity and security of IVI systems. These issues underscore the need for holistic automotive cybersecurity that addresses both software and hardware components to build a more resilient and secure automotive ecosystem.