Vulnerabilities in the infotainment system of multiple Mazda car models could allow attackers to execute arbitrary code with root privileges, Trend Micro’s Zero Day Initiative (ZDI) warns.
The issues, ZDI explains, exist because the Mazda Connect Connectivity Master Unit (CMU) system does not properly sanitize user-supplied input, which could allow a physically present attacker to send commands to the system by connecting a specially crafted USB device.
The CMU, popular among the modding community, which has released software tweaks to modify its operations, was manufactured by Visteon and runs software initially developed by Johnson Controls.
According to ZDI, the flaws, which were identified in software version 74.00.324A, could be used in conjunction to “achieve a complete and persistent compromise of the infotainment system”. Earlier software iterations might also be affected. Mazda 3 model year 2014-2021 and other car models are impacted.
The first security defect, tracked as CVE-2024-8355, exists because, when a new Apple device is connected, the CMU takes several values from the device and uses them in an SQL statement without sanitization.
This allows an attacker to use a spoofed device to reply to the request with specific commands that would be executed on the infotainment system with root privileges, leading to database manipulation, arbitrary file creation, and potentially code execution.
“Exploitation of this vulnerability is somewhat limited due to an apparent length limitation of 0x36 bytes on the input, but this could potentially be worked around by having several spoofed iPods connect one after the other, each with its own injected SQL statements in place of a serial number,” ZDI says.
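To show the defect class behind CVE-2024-8355 and how parameter binding removes it, here is an added example that is not code from ZDI's advisory or the CMU software: it models the device-record insert with SQLite, assumes a two-column table, and uses the 0x36-byte figure from the advisory as the maximum serial length (the column layout and field names are assumptions).

```python
import re
import sqlite3

# Length limit mentioned in the ZDI write-up; table layout is an assumption.
MAX_SERIAL_LEN = 0x36
SERIAL_RE = re.compile(r"^[A-Za-z0-9]{1,%d}$" % MAX_SERIAL_LEN)


def open_db():
    # Constructed in-memory stand-in for the head unit's device database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (serial TEXT, name TEXT)")
    return conn


def register_device_unsafe(conn, serial, name):
    # Vulnerable pattern: strings read from the connected device are pasted
    # straight into the statement. executescript() runs every statement in the
    # string, like a C sqlite3_exec() call would, so a quote in the serial
    # number lets the device append statements of its own.
    sql = "INSERT INTO devices VALUES ('%s', '%s')" % (serial, name)
    conn.executescript(sql)


def register_device_safe(conn, serial, name):
    # Hardened form: reject anything outside the expected shape and length,
    # then bind the values as parameters so they can never alter the SQL.
    if not SERIAL_RE.match(serial):
        raise ValueError("rejected device serial")
    conn.execute("INSERT INTO devices VALUES (?, ?)", (serial, name[:64]))


def count_devices(conn):
    return conn.execute("SELECT COUNT(*) FROM devices").fetchone()[0]
```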
Three other improper input sanitization bugs, tracked as CVE-2024-8359, CVE-2024-8360, and CVE-2024-8358, impact functions supporting the update process and could allow an attacker to “inject arbitrary OS commands that will be executed by the head unit OS shell”, leading to full system compromise.
A fifth flaw, tracked as CVE-2024-8357, exists because no authentication was implemented for OS boot steps in the application SoC running Linux, allowing an attacker to manipulate the root filesystem, configuration data, and the bootstrap code for persistence, SSH key installation, and code execution.
Another vulnerability, CVE-2024-8356, impacts the second system of the head unit, namely an MCU running an unspecified OS, which supports CMU functions such as CAN and LIN connectivity, and which is identified as VIP in strings in the CMU software.
The VIP is also updated during the software update process, and ZDI discovered that it was possible to manipulate specific strings that, once accepted by the update script, would lead to validating a modified firmware image that would be programmed back to the VIP MCU.
“In a more global sense, this allows an attacker to pivot from a compromised application SoC running Linux to the VIP MCU by installing a crafted firmware version and subsequently gaining direct access to the connected CAN busses of the vehicle,” ZDI explains.
Exploitation of these flaws is possible through a USB device holding a file whose name contains the OS commands to be executed.
“The filename must end with .up for it to be recognized by the software update handling code. While all three command injection vulnerabilities are exploited via the file name, the easiest one to exploit is by far [CVE-2024-8359] as there are no specific exploitation requirements such as validity of the crafted update file,” ZDI says.
Furthermore, connecting a USB mass storage device to the vehicle could automatically trigger the software update process, facilitating the exploitation of the command injection bugs.
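The three command injection bugs all turn on an update file name reaching a shell. As an added example, not code from ZDI or from the CMU update scripts, the following contrasts that pattern with a handler that validates the name and never hands it to a shell; the mount point, the file name pattern and the command it builds are assumptions.

```python
import re

USB_MOUNT = "/media/usb"   # assumed mount point, not taken from the article
# Assumed allowlist: a plain base name from a small character set, ending in .up
UPDATE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}\.up$")


def build_shell_command_unsafe(name):
    # Vulnerable pattern: a file name read from removable media is pasted into a
    # shell command line, so shell metacharacters in the name become commands.
    return "cp %s/%s /tmp/update.up" % (USB_MOUNT, name)


def validate_update_name(name):
    # Hardened check: enforce the .up suffix and the character allowlist, and
    # reject anything that could be read as a path or as an option.
    if not UPDATE_NAME_RE.match(name):
        return False
    if "/" in name or "\\" in name or ".." in name or name.startswith("-"):
        return False
    return True


def plan_update_command(name):
    # Returns an argv list meant for subprocess.run(argv) with shell=False:
    # the name travels as one argument and is never interpreted by a shell.
    if not validate_update_name(name):
        raise ValueError("rejected update file name")
    return ["cp", "--", USB_MOUNT + "/" + name, "/tmp/update.up"]
```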
An attacker could install backdoored system components to manipulate the root file system for persistence, and could move laterally to install crafted VIP microcontroller software and gain “unfettered access to vehicle networks, potentially impacting vehicle operation and safety”.
The attack, ZDI says, can be performed within minutes in a lab environment and would likely not take significantly longer in real-world scenarios, such as when the car is “being handled by a valet, during a ride share, or via USB malware”, or in a shop environment.
“The CMU can then be compromised and ‘enhanced’ to, for example, attempt to compromise any connected device in targeted attacks that can result in DoS, bricking, ransomware, safety compromise, etc,” ZDI notes.
None of these vulnerabilities has been patched by the vendor, ZDI says. SecurityWeek has emailed Mazda for a statement on the matter and will update this article as soon as a reply arrives.