A recent version of Mercedes-Benz's head-unit NTG6 has been found to have a critical vulnerability relating to the boost library that it uses. The vulnerable component is essentially a deprecated version of the boost library, which is known to be susceptible to integer overflow attacks. In this blog post, we will detail the vulnerability (CVE-2023-34399), show code snippets of the problem, link to original references, and discuss the potential exploits that can be performed due to this issue.
The Vulnerability
At the heart of the problem is the fact that the Mercedes-Benz head-unit NTG6 allows users to import and export their profile settings over USB. During this process, certain values are serialized into a table using the boost library. Unfortunately, the version of the boost library being used is already known to have an integer overflow vulnerability.
An integer overflow occurs when an integer value is incremented beyond its maximum storage capacity, causing the value to wrap around and become a small or negative number. This can result in unexpected behavior and expose a system to potential attacks.
The Code Snippet
Here is an example of a code snippet that uses the vulnerable boost version for serializing profile settings:
#include <fstream>
#include <string>
#include <boost/archive/text_oarchive.hpp>
#include <boost/archive/text_iarchive.hpp>
// Placeholder for the head-unit's profile type, which the post does not show;
// any type with a serialize() member that boost::serialization can walk fits here.
struct ProfileSettings {
    int volume = 0;
    template <class Archive>
    void serialize(Archive& ar, const unsigned int /*version*/) { ar & volume; }
};
// Export: write the settings as a boost text archive to the USB medium.
void save_profile_settings(const ProfileSettings& settings, const std::string& filename) {
    std::ofstream ofs(filename);
    boost::archive::text_oarchive oa(ofs);
    oa << settings;
}
// Import: parse an archive from the USB medium; this input is attacker-controllable.
void load_profile_settings(ProfileSettings& settings, const std::string& filename) {
    std::ifstream ifs(filename);
    boost::archive::text_iarchive ia(ifs);
    ia >> settings;
}
As the snippet shows, profile settings are exported and imported through the boost::archive::text_oarchive and boost::archive::text_iarchive classes. In the affected firmware these classes come from a deprecated version of the boost library, which is the version carrying the integer overflow vulnerability; the import path is the one that processes untrusted data.
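The following C++ example is added here to illustrate the failure mode; it is not code from the post, from Mercedes-Benz or from Boost. It shows how a naive deserializer turns an attacker-chosen element count from an imported profile record into a wrapped allocation size, and how a bounded, overflow-checked count computation rejects such records before any element is read. The record format ("<count> v1 v2 ..."), the element type and the max_count limit are assumptions.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Naive size computation: count comes straight from the imported record.
// 32-bit unsigned multiplication wraps silently, so a huge count yields a tiny
// buffer while the element loop still trusts the original count.
uint32_t unchecked_bytes(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

// Hardened computation: reject counts beyond what the profile format needs and
// reject any count whose byte size would not fit in the 32-bit size type.
std::optional<uint32_t> checked_bytes(uint32_t count, uint32_t elem_size, uint32_t max_count) {
    if (count > max_count) return std::nullopt;
    if (elem_size != 0 && count > std::numeric_limits<uint32_t>::max() / elem_size) {
        return std::nullopt;
    }
    return count * elem_size;
}

// Parse a constructed text-archive-style record "<count> v1 v2 ..." into a table,
// applying checked_bytes() before consuming a single element. Returns nullopt on
// an oversized count, an overflowing size, or a record shorter than its count claims.
std::optional<std::vector<int32_t>> parse_profile_table(const std::string& record, uint32_t max_count) {
    std::istringstream in(record);
    uint64_t raw_count = 0;
    if (!(in >> raw_count) || raw_count > std::numeric_limits<uint32_t>::max()) return std::nullopt;
    const uint32_t count = static_cast<uint32_t>(raw_count);
    if (!checked_bytes(count, sizeof(int32_t), max_count)) return std::nullopt;
    std::vector<int32_t> table;
    table.reserve(count);  // safe: the byte size was validated above
    for (uint32_t i = 0; i < count; ++i) {
        int32_t value = 0;
        if (!(in >> value)) return std::nullopt;  // truncated record
        table.push_back(value);
    }
    return table;
}
```

With count 0x40000001 and 4-byte elements, unchecked_bytes() returns 4 while the element loop would still try to store over a billion entries; checked_bytes() refuses the same input.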
Original References
The integer overflow vulnerability in the boost library has been previously documented, and can be found in the following links:
- Boost Library Security Advisory: Boost Security Advisory
- National Vulnerability Database: NVD - CVE-2023-34399
An attacker exploiting this integer overflow vulnerability may be able to:
1. Corrupt the memory of the head-unit, which could lead to instability, unintended behavior, or even a crash.
2. Perform a Denial-of-Service (DoS) attack by overwriting critical data in memory, rendering the head-unit inoperative.
3. Gain unauthorized access or control of the head-unit by injecting malicious code and exploiting the overflow to execute it.
In order to mitigate these risks, Mercedes-Benz should ideally release a software update that addresses the vulnerability by using a more recent and secure version of the boost library. Additionally, users should be vigilant when importing or exporting profile settings over USB, as this is the primary vector for this vulnerability to be exploited.
Timeline
Published on: 02/13/2025 22:15:10 UTC
Last modified on: 03/24/2025 17:15:15 UTC