What security vulnerabilities were discovered in Mazda's CMU?

Multiple critical vulnerabilities were found in Mazda's Connectivity Master Unit (CMU), allowing attackers with physical access to execute arbitrary code with root privileges. These include SQL Injection (CVE-2024-8355), multiple OS Command Injection vulnerabilities (CVE-2024-8359, CVE-2024-8360, CVE-2024-8358), and system security vulnerabilities (CVE-2024-8357, CVE-2024-8356).

What mitigation measures are available?

Currently, no official patches are available. The only current mitigation measure is to restrict physical access to the vehicle's USB ports.

Advisory

Multiple Critical Vulnerabilities in Mazda Connect Infotainment System

Q: Which Mazda models are affected by these vulnerabilities?

The vulnerabilities affect Mazda Connect infotainment systems (CMU) installed in multiple Mazda models, including Mazda 3 (2014-2021), running software version 74.00.324A and potentially earlier versions down to 70.x. These systems were initially developed by Johnson Controls Inc (JCI) and manufactured by Visteon Corporation.

Q: How can these vulnerabilities be exploited?

The attack vector requires physical access to the vehicle. Vehicles can be exploited via USB device with specially crafted files, and the attack can be completed within minutes. Potential access points include valet parking, service centers, and dealerships.

published: Nov. 8, 2024

Take action: If you are driving a Mazda, don't let strangers access the car or give someone keys - until you are able to patch the flaws. Contact the dealerships or Mazda for status on the flaws.

Learn More

A series of critical security vulnerabilities have been discovered in Mazda's Connectivity Master Unit (CMU), affecting multiple vehicle models. The vulnerabilities, allow attackers with physical access to execute arbitrary code with root privileges and potentially gain control over vehicle systems.

The vulnerabilities are tracked as follows (CVSS score not disclosed):

SQL Injection (CVE-2024-8355):
- Allows database manipulation through spoofed Apple device iAP serial numbers
- Enables arbitrary file creation and potential code execution
OS Command Injection Vulnerabilities that allow arbitrary OS command execution due to insufficient input sanitization:
- CVE-2024-8359: Affects REFLASH_DDU_FindFile function
- CVE-2024-8360: Affects REFLASH_DDU_ExtractFile function
- CVE-2024-8358: Affects UPDATES_ExtractFile function
System Security Vulnerabilities:
- CVE-2024-8357: Missing authentication of bootstrap code
- CVE-2024-8356: Allows unsigned code updates to VIP MCU

Affected Systems are Mazda Connect infotainment systems (CMU) initially developed by Johnson Controls Inc (JCI), manufactured by Visteon Corporation and installed in multiple Mazda models, including Mazda 3 (2014-2021), running software version 74.00.324A and potentially earlier versions down to 70.x

Attack Vector requires physical access to the vehicle. Vehicles are exploitable via USB device with specially crafted files, and the attack can be completed within minutes.

Potential access points include valet parking, service centers, and dealerships

So far, no official patches are available. The only current mitigation is to restrict physical access to the vehicle's USB ports.

Multiple Critical Vulnerabilities in Mazda Connect Infotainment System