Multiple vulnerabilities in Visteon Infotainment
| Risk | Low |
| Patch available | NO |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2024-8360 CVE-2024-8356 CVE-2024-8357 CVE-2024-8358 CVE-2024-8359 CVE-2024-8355 |
| CWE-ID | CWE-78 CWE-345 CWE-1326 CWE-89 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software |
Infotainment Client/Desktop applications / Other client software |
| Vendor | Visteon |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
Updated 16.09.2024
Added vulnerability #6
1) OS Command Injection
EUVDB-ID: #VU96654
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-8360
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the REFLASH_DDU_ExtractFile function. An attacker with physical access can use specially crafted software update file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsInfotainment: All versions
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-1192/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Insufficient verification of data authenticity
EUVDB-ID: #VU96661
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-8356
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient verification of data authenticity within the firmware update process of the VIP microcontroller. A local user can escalate privileges to execute arbitrary code in the context of the VIP MCU.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsInfotainment: All versions
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-1188/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Missing Immutable Root of Trust in Hardware
EUVDB-ID: #VU96660
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-8357
CWE-ID:
CWE-1326 - Missing Immutable Root of Trust in Hardware
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to lack of properly configured hardware root of trust within the configuration of the application system-on-chip (SoC), which leads to security restrictions bypass and privilege escalation.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsInfotainment: All versions
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-1189/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) OS Command Injection
EUVDB-ID: #VU96659
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-8358
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the UPDATES_ExtractFile function. An attacker with physical access can use specially crafted software update file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsInfotainment: All versions
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-1190/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) OS Command Injection
EUVDB-ID: #VU96655
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-8359
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the REFLASH_DDU_FindFile function. An attacker with physical access can use specially crafted software update file and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsInfotainment: All versions
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-1191/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) SQL injection
EUVDB-ID: #VU97307
Risk: Low
CVSSv4.0: 4 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-8355
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data within the DeviceManager. An attacker with physical access can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsInfotainment: All versions
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-24-1208/
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
