SB2025063019 - Multiple vulnerabilities in Volkswagen MIB3
Published: June 30, 2025
Description
This security bulletin contains information about 12 security vulnerabilities.
1) Integer underflow (CVE-ID: CVE-2023-28902)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer underflow in the picture handler during EXIF data parsing. An attacker with physical access can attach a USB flash drive containing a specially crafted JPEG image, trigger an integer underflow and cause a denial of service condition on the target system.
2) Integer overflow (CVE-ID: CVE-2023-28903)
The vulnerability allows a local attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer overflow in the picture handler during EXIF data parsing. An attacker with physical access can attach a USB flash drive with a specially crafted JPEG image, trigger an integer overflow and cause a denial of service on the target system.
3) Buffer overflow (CVE-ID: CVE-2023-28904)
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The vulnerability exists due to a logic flaw in the bootloader component. An attacker with physical access can trigger memory corruption to bypass firmware signature verification and execute arbitrary code in the infotainment system during the boot process.
4) Heap-based buffer overflow (CVE-ID: CVE-2023-28905)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in picserver within the image processing binary. A remote attacker on the local network can send a specially crafted vCard, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) OS Command Injection (CVE-ID: CVE-2023-28906)
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the "tsd.networking.mib3" service. A local user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
6) Improper access control (CVE-ID: CVE-2023-28907)
The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in CARCOM memory. A local administrator can bypass implemented security restrictions, execute arbitrary code and read/write to the Infotainment CAN bus of the target vehicle.
7) Integer overflow (CVE-ID: CVE-2023-28908)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in non-fragmented data within the Bluetooth stack. A remote attacker on the local network can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
8) Integer overflow (CVE-ID: CVE-2023-28909)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the Bluetooth stack when receiving fragmented HCI packets on a channel. A remote attacker on the local network can pass specially crafted data to the application, trigger integer overflow, bypass the MTU check and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
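The bug class described in item 8, shown as an added illustration that is not code from the MIB3 Bluetooth stack: a length sum that wraps before it is compared against the MTU, next to a check that cannot wrap. The struct, function names, 16-bit counter width and MTU value are assumptions made for the example; the bulletin does not give these details.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CHANNEL_MTU 672u /* assumed MTU, for illustration only */

/* Hypothetical per-channel reassembly state. */
struct reasm {
    uint16_t received; /* bytes accumulated from earlier fragments */
};

/* Weak check: the sum is truncated to 16 bits before the comparison,
 * so received + frag_len can wrap to a small value and pass. */
bool accept_fragment_weak(const struct reasm *r, uint16_t frag_len)
{
    uint16_t total = (uint16_t)(r->received + frag_len);
    return total <= CHANNEL_MTU;
}

/* Hardened check: compare the fragment against the remaining room.
 * The subtraction is guarded, so nothing here can wrap. */
bool accept_fragment_safe(const struct reasm *r, uint16_t frag_len)
{
    if (r->received > CHANNEL_MTU)
        return false; /* state already inconsistent, drop */
    return frag_len <= CHANNEL_MTU - r->received;
}

/* Account for a fragment only after the safe check; false means drop. */
bool reasm_add(struct reasm *r, uint16_t frag_len)
{
    if (!accept_fragment_safe(r, frag_len))
        return false;
    r->received = (uint16_t)(r->received + frag_len);
    return true;
}

int main(void)
{
    struct reasm r = { 600 };  /* constructed state: 600 bytes buffered */
    uint16_t claimed = 65000;  /* constructed oversized length field */
    printf("weak check accepts: %d\n", accept_fragment_weak(&r, claimed));
    printf("safe check accepts: %d\n", accept_fragment_safe(&r, claimed));
    return 0;
}
```

The same "compare against remaining room" form applies to the length arithmetic in items 1, 2 and 7, where a subtraction or addition on an untrusted length must be bounded before the result is used as a size.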
9) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2023-28910)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the disabled abortion flag within the Bluetooth stack. A remote attacker on the local network can bypass assertion functions and execute arbitrary code on the system.
10) Input validation error (CVE-ID: CVE-2023-28911)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the Bluetooth stack. A remote attacker on the local network can pass specially crafted input to the application and perform a denial of service (DoS) attack.
11) Cleartext storage of sensitive information (CVE-ID: CVE-2023-28912)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the MIB3 unit stores the synchronized phone contact book in cleartext. A remote attacker on the local network can gain access to sensitive information.
12) Improper access control (CVE-ID: CVE-2023-29113)
The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in a custom IPC mechanism. A local user can undermine access control restrictions implemented at the operating system level.
Remediation
Install the update from the vendor's website.