Visteon Infotainment VIP MCU Firmware Authenticity Validation Flaw Leads to Local Privilege Escalation (CVE-2024-8356)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Name: - (0Day) Visteon Infotainment VIP MCU Code Insufficient Validation of Data Authenticity Local Privilege Escalation Vulnerability 2. Vulnerability ID: - ZDI-24-1188 - ZDI-CAN-23758 3. CVE ID: - CVE-2024-8356 4. CVSS Score: - 8.8, AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 5. Affected Vendor: - Visteon 6. Affected Product: - Infotainment 7. Vulnerability Details: - This vulnerability allows a local attacker to escalate privileges on affected Visteon Infotainment systems. The attacker must first gain the ability to execute low-privilege code on the target system in order to exploit this vulnerability. - The specific flaw exists in the firmware update process of the VIP microcontroller. This process does not properly validate the authenticity of the provided firmware image before programming it into internal memory. An attacker can exploit this vulnerability to execute arbitrary code in the context of the VIP MCU. 8. Additional Details: - April 24, 2024 – ZDI reported the vulnerability to the vendor. - April 30, 2024 – ZDI requested an update. - July 29, 2024 – ZDI requested an update again. - August 16, 2024 – ZDI notified the vendor that a 0-day advisory would be published on August 30, 2024. 9. Disclosure Timeline: - April 24, 2024 – Vulnerability reported to vendor. - August 30, 2024 – Coordinated public disclosure of vulnerability advisory. - August 30, 2024 – Vulnerability advisory updated. 10. Credit: - Dmitry "InfoSecDJ" Janushkevich of Trend Micro Zero Day Initiative 11. Return to Advisory: - Return to Advisory This information provides a detailed description of the vulnerability, including its nature, scope of impact, discovery, and disclosure process.

Goal Reached Thanks to every supporter — we hit 100%!

Visteon Infotainment VIP MCU Firmware Authenticity Validation Flaw Leads to Local Privilege Escalation (CVE-2024-8356)