According to security researchers, attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models, including Mazda 3 (2014-2021), to execute arbitrary code with root permission. The researchers noted that the security issues remain unpatched, and some of them are command injection flaws that could be leveraged to obtain unrestricted access to vehicle networks, potentially impacting the car's operation and safety. The researchers analyzed the latest firmware version (74.00.324A) on the Mazda Connect infotainment unit. The vulnerabilities discovered include CVE-2024-8355 (SQL injection in DeviceManager), CVE-2024-8359 (command injection in REFLASH_DDU_FindFile), CVE-2024-8360 (command injection in REFLASH_DDU_ExtractFile), CVE-2024-8358 (command injection in UPDATES_ExtractFile), CVE-2024-8357 (missing root of trust in app SoC), and CVE-2024-8356 (unsigned code in VIP MCU). The researchers said that exploiting the six vulnerabilities above requires physical access to the infotainment system, but despite this limitation, the researchers noted that unauthorized physical access is easily obtainable, especially in valet parking and during service at workshops or dealerships. Dmitry Janushkevich, senior vulnerability researcher at ZDI, said a threat actor could connect with a USB device and deploy an attack automatically within minutes. According to the researchers, compromising a car's infotainment system using the disclosed vulnerabilities could allow database manipulation, information disclosure, creating arbitrary files, injecting arbitrary OS commands that could lead to full compromise of the system, gaining persistence, and executing arbitrary code before the operation system boots.
BleepingComputer reports: "Unpatched Mazda Connect Bugs Let Hackers Install Persistent Malware"