A new vulnerability (CVE-2023-34398) has been discovered in the Mercedes-Benz NTG6 head unit; it is reached when profile settings are imported or exported over USB. The flaw is linked to the boost library and could be exploited by attackers to trigger a null pointer dereference, a common source of crashes and security loopholes. In this post, we discuss the affected systems, give an overview of the vulnerability, walk through the exploit details, and explain how to mitigate the associated risk.
Vulnerability Overview
The Mercedes-Benz NTG6 head unit provides functions for importing and exporting profile settings over its USB interface. Critical data, including phonebook contacts, navigation settings, and media preferences, is moved in and out of the unit this way. When a user imports or exports profile settings, some values in the settings table are serialized and deserialized using the boost library.
The boost library is widely used in C++ development and provides components relied on by a wide range of applications. The library is, however, susceptible to a vulnerability that can lead to a null pointer dereference. The flaw stems from improper handling of uninitialized, invalidated or unused pointers during the serialization process. An attacker who controls the imported data can consequently cause crashes, data corruption, and other harmful effects.
Exploit Details
Below is a code snippet showing the vulnerable pattern when the boost library is used, where pointers are handled improperly:
#include <boost/archive/text_iarchive.hpp>
#include <boost/archive/text_oarchive.hpp>
#include <boost/serialization/shared_ptr.hpp>
#include <boost/serialization/unique_ptr.hpp>
#include <memory>
#include <sstream>

class vulnerable_class {
public:
    // Both members are restored exactly as the archive encodes them;
    // an archive that encodes a null pointer leaves them null after loading.
    std::shared_ptr<int> shared_ptr_object;
    std::unique_ptr<int> unique_ptr_object;

    // Called for both saving (text_oarchive) and loading (text_iarchive).
    template<typename Archive>
    void serialize(Archive& ar, const unsigned int version) {
        ar & shared_ptr_object;
        ar & unique_ptr_object;
        // Neither pointer is checked for null before it is used elsewhere.
    }
};
The vulnerable function 'serialize' performs no validation or sanitization of the pointers it restores, so a null pointer encoded in the imported data is accepted as-is, and a later dereference of it crashes the head unit.
Original References
- Boost Serialization Library Documentation
- CVE-2023-34398 Vulnerability Details
Mitigation
To mitigate this vulnerability, the following measures should be taken:
1. Ensure that the Mercedes-Benz NTG6 head unit firmware is updated with the latest security patches provided by the manufacturer. Regular updates significantly reduce exposure to known vulnerabilities.
2. When importing or exporting profile settings, be cautious about the USB devices used and avoid untrusted ones. Importing and exporting profile settings should be limited to trusted sources only.
3. Daimler or Mercedes-Benz should ensure that a thorough code review is conducted on their critical software libraries, such as boost, to identify vulnerabilities of this kind. Developers should apply proper validation checks and sanitization to pointers within the serialization functions, mitigating the risk of a null pointer dereference.
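A defensive counterpart to the serialize() pattern shown above, added here as an example that is neither Mercedes-Benz nor Boost code: it uses a constructed toy text format in place of Boost's archive so that it runs stand-alone, and the field names and the 0..100 volume range are assumptions. The unchecked loader restores null pointers exactly as the import encodes them; the checked loader rejects such an archive before anything can dereference them.

```cpp
#include <memory>
#include <sstream>
#include <string>

// Hypothetical profile record laid out like the post's vulnerable_class:
// both fields are smart pointers that an imported archive may deliver as null.
struct ProfileSettings {
    std::shared_ptr<std::string> phonebook_name;
    std::unique_ptr<int> volume_level;
};

// Constructed toy archive format (not Boost's): each pointer field is written
// as "0" for a null pointer or "1 <value>" for a pointer carrying a payload.
static bool read_marker(std::istream& in, bool& present) {
    int m = 0;
    if (!(in >> m) || (m != 0 && m != 1)) return false;  // truncated or malformed
    present = (m == 1);
    return true;
}

// Unchecked loader, mirroring the post's serialize(): it restores whatever the
// archive encodes, null pointers included, and leaves any dereference to the caller.
static bool load_unchecked(std::istream& in, ProfileSettings& out) {
    bool present = false;
    std::string name;
    int level = 0;
    if (!read_marker(in, present) || (present && !(in >> name))) return false;
    out.phonebook_name = present ? std::make_shared<std::string>(name) : std::shared_ptr<std::string>{};
    if (!read_marker(in, present) || (present && !(in >> level))) return false;
    out.volume_level = present ? std::make_unique<int>(level) : std::unique_ptr<int>{};
    return true;
}

// Hardened loader: the profile is accepted only if both pointers are non-null
// and the volume is in range; otherwise the whole archive is rejected.
static bool load_checked(std::istream& in, ProfileSettings& out) {
    ProfileSettings tmp;
    if (!load_unchecked(in, tmp)) return false;
    if (!tmp.phonebook_name || !tmp.volume_level) return false;         // null check
    if (*tmp.volume_level < 0 || *tmp.volume_level > 100) return false; // range check
    out = std::move(tmp);
    return true;
}

// Returns the imported volume, or -1 if the archive was rejected, so a bad
// import never leads to a null pointer dereference.
static int volume_from_archive(const std::string& archive_text) {
    std::istringstream in(archive_text);
    ProfileSettings profile;
    return load_checked(in, profile) ? *profile.volume_level : -1;
}
```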
Conclusion
The CVE-2023-34398 vulnerability is a significant concern for Mercedes-Benz head-unit NTG6 users. This vulnerability exposes the system to potential null pointer dereference attacks and compromises the security and stability of the head-unit. Ensuring the latest firmware updates are installed, avoiding untrusted USB devices, and implementing rigorous code reviews during the development stage can help mitigate this vulnerability effectively.
Timeline
Published on: 02/13/2025 22:15:10 UTC
Last modified on: 03/18/2025 18:15:26 UTC