Advisory Details

August 30th, 2024

(0Day) Visteon Infotainment App SoC Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability

ZDI-24-1189
ZDI-CAN-23759

CVE ID CVE-2024-8357
CVSS SCORE 7.8, AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AFFECTED VENDORS Visteon
AFFECTED PRODUCTS Infotainment
VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Visteon Infotainment systems. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.

The specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process.
ADDITIONAL DETAILS

04/24/24 – ZDI reported the vulnerabilities to the vendor
04/30/24 – ZDI asked for updates
07/29/24 – ZDI asked for updates
08/16/24 – ZDI notified the vendor of the intention to publish the cases as 0-day advisories on 08/30/24

-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application
DISCLOSURE TIMELINE
  • 2024-04-24 - Vulnerability reported to vendor
  • 2024-08-30 - Coordinated public release of advisory
  • 2024-08-30 - Advisory Updated
CREDIT Dmitry "InfoSecDJ" Janushkevich of Trend Micro Zero Day Initiative
BACK TO ADVISORIES